diff --git a/api/v1/values_types_extra.go b/api/v1/values_types_extra.go
index b6f2a5f05..c6bcc2271 100644
--- a/api/v1/values_types_extra.go
+++ b/api/v1/values_types_extra.go
@@ -23,6 +23,11 @@ type SDSConfigToken struct {
 Aud string `json:"aud,omitempty"`
 }
 
+type PeerCaCrlConfig struct {
+ // When enabled, ztunnel will check certificates against the CRL
+ Enabled *bool `json:"enabled,omitempty"`
+}
+
 type CNIValues struct {
 // Configuration for the Istio CNI plugin.
 Cni *CNIConfig `json:"cni,omitempty"`
@@ -75,6 +80,9 @@ type ZTunnelConfig struct {
 Resources *k8sv1.ResourceRequirements `json:"resources,omitempty"`
 // The resource quotas configuration for ztunnel
 ResourceQuotas *ResourceQuotas `json:"resourceQuotas,omitempty"`
+ // Certificate Revocation List (CRL) support for plugged-in CAs.
+ // When enabled, ztunnel will check certificates against the CRL
+ PeerCaCrl *PeerCaCrlConfig `json:"peerCaCrl,omitempty"`
 // K8s node selector settings.
 //
 // See https://kubernetes.io/docs/user-guide/node-selection/
diff --git a/api/v1/zz_generated.deepcopy.go b/api/v1/zz_generated.deepcopy.go
index 685cb83cc..01b22e756 100644
--- a/api/v1/zz_generated.deepcopy.go
+++ b/api/v1/zz_generated.deepcopy.go
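Review bot: `PeerCaCrlConfig` in the first hunk has no type-level doc comment, and the comment on `Enabled` does not say what an unset (nil) value means or how ztunnel behaves when the CRL cannot be loaded, which is the fail-open/fail-closed detail an operator needs before relying on revocation checking; controller-gen copies these comments straight into the CRD descriptions in the later hunks, so this is the only place to document it. I would add `// PeerCaCrlConfig configures Certificate Revocation List (CRL) checking for plugged-in CAs.` on the type and extend the field comment to something like `// Enabled turns on CRL checking in ztunnel. When unset, the Istio chart default applies (presumably disabled — confirm).`, plus one sentence on what happens when the CRL is missing or unreadable once that behaviour is confirmed against ztunnel. The two-line comment on `ZTunnelConfig.PeerCaCrl` in the second hunk repeats the field comment verbatim; keep them in sync or point the field comment at the type. As a style point, the identifier `PeerCaCrl` lowercases the CA and CRL initialisms where this file otherwise writes `SDSConfigToken` and `CNIConfig`; that is acceptable if it must mirror the `peerCaCrl` value name, but it should be a deliberate choice.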
@@ -3606,6 +3606,26 @@ func (in *OutboundTrafficPolicyConfig) DeepCopy() *OutboundTrafficPolicyConfig {
 return out
 }
 
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *PeerCaCrlConfig) DeepCopyInto(out *PeerCaCrlConfig) {
+ *out = *in
+ if in.Enabled != nil {
+ in, out := &in.Enabled, &out.Enabled
+ *out = new(bool)
+ **out = **in
+ }
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PeerCaCrlConfig.
+func (in *PeerCaCrlConfig) DeepCopy() *PeerCaCrlConfig {
+ if in == nil {
+ return nil
+ }
+ out := new(PeerCaCrlConfig)
+ in.DeepCopyInto(out)
+ return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *PilotConfig) DeepCopyInto(out *PilotConfig) {
 *out = *in
@@ -5693,6 +5713,11 @@ func (in *ZTunnelConfig) DeepCopyInto(out *ZTunnelConfig) {
 *out = new(ResourceQuotas)
 (*in).DeepCopyInto(*out)
 }
+ if in.PeerCaCrl != nil {
+ in, out := &in.PeerCaCrl, &out.PeerCaCrl
+ *out = new(PeerCaCrlConfig)
+ (*in).DeepCopyInto(*out)
+ }
 if in.NodeSelector != nil {
 in, out := &in.NodeSelector, &out.NodeSelector
 *out = make(map[string]string, len(*in))
diff --git a/bundle/manifests/sailoperator.io_ztunnels.yaml b/bundle/manifests/sailoperator.io_ztunnels.yaml
index 09f346bb6..b1fc38643 100644
--- a/bundle/manifests/sailoperator.io_ztunnels.yaml
+++ b/bundle/manifests/sailoperator.io_ztunnels.yaml
@@ -1225,6 +1225,16 @@ spec:
 
 See https://kubernetes.io/docs/user-guide/node-selection/
 type: object
+ peerCaCrl:
+ description: |-
+ Certificate Revocation List (CRL) support for plugged-in CAs.
+ When enabled, ztunnel will check certificates against the CRL
+ properties:
+ enabled:
+ description: When enabled, ztunnel will check certificates
+ against the CRL
+ type: boolean
+ type: object
 podAnnotations:
 additionalProperties:
 type: string
@@ -4776,6 +4786,16 @@ spec:
 
 See https://kubernetes.io/docs/user-guide/node-selection/
 type: object
+ peerCaCrl:
+ description: |-
+ Certificate Revocation List (CRL) support for plugged-in CAs.
+ When enabled, ztunnel will check certificates against the CRL
+ properties:
+ enabled:
+ description: When enabled, ztunnel will check certificates
+ against the CRL
+ type: boolean
+ type: object
 podAnnotations:
 additionalProperties:
 type: string
diff --git a/chart/crds/sailoperator.io_ztunnels.yaml b/chart/crds/sailoperator.io_ztunnels.yaml
index 8d5e2095f..d755af0a8 100644
--- a/chart/crds/sailoperator.io_ztunnels.yaml
+++ b/chart/crds/sailoperator.io_ztunnels.yaml
@@ -1225,6 +1225,16 @@ spec:
 
 See https://kubernetes.io/docs/user-guide/node-selection/
 type: object
+ peerCaCrl:
+ description: |-
+ Certificate Revocation List (CRL) support for plugged-in CAs.
+ When enabled, ztunnel will check certificates against the CRL
+ properties:
+ enabled:
+ description: When enabled, ztunnel will check certificates
+ against the CRL
+ type: boolean
+ type: object
 podAnnotations:
 additionalProperties:
 type: string
@@ -4776,6 +4786,16 @@ spec:
 
 See https://kubernetes.io/docs/user-guide/node-selection/
 type: object
+ peerCaCrl:
+ description: |-
+ Certificate Revocation List (CRL) support for plugged-in CAs.
+ When enabled, ztunnel will check certificates against the CRL
+ properties:
+ enabled:
+ description: When enabled, ztunnel will check certificates
+ against the CRL
+ type: boolean
+ type: object
 podAnnotations:
 additionalProperties:
 type: string
diff --git a/docs/api-reference/sailoperator.io.md b/docs/api-reference/sailoperator.io.md
index 2e451a1de..0d508e6f8 100644
--- a/docs/api-reference/sailoperator.io.md
+++ b/docs/api-reference/sailoperator.io.md
@@ -2373,6 +2373,22 @@ _Appears in:_ | `REGISTRY_ONLY` | Restrict outbound traffic to services defined in the service registry as well as those defined through ServiceEntries | +#### PeerCaCrlConfig + + + + + + + +_Appears in:_ +- [ZTunnelConfig](#ztunnelconfig) + +| Field | Description | Default | Validation | +| --- | --- | --- | --- | +| `enabled` _boolean_ | When enabled, ztunnel will check certificates against the CRL | | | + + #### PilotConfig @@ -3451,6 +3467,7 @@ _Appears in:_ | `podLabels` _object (keys:string, values:string)_ | Additional labels to apply on the pod level. | | | | `resources` _[ResourceRequirements](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/#resourcerequirements-v1-core)_ | The k8s resource requests and limits for the ztunnel Pods. | | | | `resourceQuotas` _[ResourceQuotas](#resourcequotas)_ | The resource quotas configuration for ztunnel | | | +| `peerCaCrl` _[PeerCaCrlConfig](#peercacrlconfig)_ | Certificate Revocation List (CRL) support for plugged-in CAs. When enabled, ztunnel will check certificates against the CRL | | | | `nodeSelector` _object (keys:string, values:string)_ | K8s node selector settings. See https://kubernetes.io/docs/user-guide/node-selection/ | | | | `imagePullSecrets` _string array_ | List of secret names to add to the service account as image pull secrets to use for pulling any images in pods that reference this ServiceAccount. Must be set for any cluster configured with private docker registry. | | | | `env` _object (keys:string, values:string)_ | A `key: value` mapping of environment variables to add to the pod | | |