diff --git a/README.md b/README.md index e31562a..417b5d6 100644 --- a/README.md +++ b/README.md @@ -60,3 +60,21 @@ Then, don't forget to remode the file `ca.key`. ## How does it works ? The role check if the certificate already exist and is valid. If not, it will generate **on the localhost** the certificates and then copy them to the remote host and delate the local version. + +## Add a CRL endpoint + +If you use a CRL to revocate your certifiates, you can add the variable `crl_distribution_points` to describe the CRL endpoint(s). CF https://docs.ansible.com/ansible/latest/collections/community/crypto/openssl_csr_module.html for more information about `crl_distribution_points`. + +``` +crl_distribution_points: + - full_name: "URI:https://ca.example.com/revocations.crl" + reasons: + - key_compromise + - ca_compromise + - affiliation_changed + - superseded + - cessation_of_operation + - certificate_hold + - privilege_withdrawn + - aa_compromise +``` diff --git a/group_vars/all.yml b/group_vars/all.yml index c31f01c..b1752c5 100644 --- a/group_vars/all.yml +++ b/group_vars/all.yml @@ -1,4 +1,15 @@ --- +crl_distribution_points: + - full_name: "URI:https://ca.example.com/revocations.crl" + reasons: + - key_compromise + - ca_compromise + - affiliation_changed + - superseded + - cessation_of_operation + - certificate_hold + - privilege_withdrawn + - aa_compromise ca_cert: | -----BEGIN CERTIFICATE----- MIIF7TCCA9WgAwIBAgIURKS2ggzKV0XKM6IdSqPjDvsr9AowDQYJKoZIhvcNAQEL diff --git a/roles/generate-cert/tasks/main.yml b/roles/generate-cert/tasks/main.yml index b4c583f..8850257 100644 --- a/roles/generate-cert/tasks/main.yml +++ b/roles/generate-cert/tasks/main.yml @@ -32,7 +32,6 @@ size: "{{ key_size | default(omit) }}" delegate_to: localhost - # TODO: add a revocation methode, most probably crl, with crl_distribution_points - name: Generate a Certificate Signing Request become: false openssl_csr: 
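Review bot: In the group_vars/all.yml hunk the example endpoint `full_name: "URI:https://ca.example.com/revocations.crl"` becomes a live default for every host, because the CSR task only omits the parameter when `crl_distribution_points` is undefined; every certificate the role issues will then advertise a CRL at a placeholder URL, and clients that enforce revocation checking will fail (or silently soft-fail) on it. I would keep the example in the README only and leave the variable out of group_vars/all.yml, or comment it out with `# crl_distribution_points:` and a note that it must point at a CRL the operator actually publishes. Two smaller points on the same value: CRL distribution points are conventionally served over plain http rather than https, since fetching the CRL over TLS can require the very revocation check being performed (the CRL is signed, so transport integrity is not needed), and if I recall the community.crypto openssl_csr schema correctly `full_name` is a list of strings, so `full_name: ["URI:https://ca.example.com/revocations.crl"]` would be the safer shape; the README hunk repeats both.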
@@ -51,6 +50,7 @@ key_usage: "{{ key_usage }}" key_usage_critical: yes subject_alt_name: "{{ subject_alt_name | default(omit) }}" + crl_distribution_points: "{{ crl_distribution_points | default(omit) }}" delegate_to: localhost - name: Put the CA in a file
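Review bot: The added `crl_distribution_points` line only advertises where a CRL lives; nothing in this commit issues or publishes one, so the removed TODO's "revocation method" is not actually implemented and relying parties are pointed at an endpoint that may never answer. A comment above the new line would make that contract explicit: `# Advertises the CRL location in the CSR only; a CRL must be issued (e.g. community.crypto.x509_crl) and served at that URL, otherwise clients enforcing revocation will reject the certificate or skip the check.` Two things to confirm that sit outside this hunk: the signing task must carry the CSR's CRL distribution point extension into the issued certificate, and since the role skips hosts whose certificate already exists and is valid (per the README), previously issued certificates will not gain the extension until they are regenerated. The `key_usage_critical: yes` context line is pre-existing, but while touching this task `true` would match the yamllint truthy rule.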