CRL Monitor provides advanced CRL monitoring against defined sets of CA CRL URLs and can alert administrators if any CRL retrieval fails. The CA CRLs to be monitored are defined within Trust Manager and can reference internal or external PKI systems.
CRL Monitor carries out a detailed set of checks on the validity of one or more CRLs for a CA, as defined in each CA's Trust Manager validation policy > CRL settings page. CRL Monitor then extracts and retains all revocation information from the CRLs, including expired CRLs. It can therefore determine the historical status of a certificate, for example: was John Doe’s certificate valid on 14 August 2011 at 10:00 AM? This is an essential basis for providing historical signature verification services.
This section describes how CRL Monitor works and how to manage and view CRL-related information within the module. The relevant parts of the Trust Manager module should be studied to understand how CRL-related policy settings are made when registering CAs.
CRL Monitor is essentially a scheduler that polls the defined CRL addresses at configured intervals. The polling time is based either on the expiry time of the previous CRL or on a defined time interval, e.g. every 15 minutes.
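The following added example is not CRL Monitor's own code. It is a simplified Python model of the two ideas described above: choosing the next poll time, and answering a historical status query from revocation data retained across expired CRLs. The names `next_poll`, `RevocationArchive`, and `status_at`, the serial number, and the CRL dates are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

UTC = timezone.utc

def next_poll(last_poll, prev_next_update, interval=None):
    """Next retrieval time: fixed interval if configured, else the previous CRL's expiry."""
    return last_poll + interval if interval is not None else prev_next_update

class RevocationArchive:
    """Revocation data kept from every CRL retrieved for one CA, expired CRLs included."""

    def __init__(self):
        self.revoked = {}   # serial -> earliest revocation time seen in any CRL
        self.windows = []   # (thisUpdate, nextUpdate) of every archived CRL

    def ingest(self, this_update, next_update, entries):
        self.windows.append((this_update, next_update))
        for serial, revoked_at in entries:
            known = self.revoked.get(serial)
            if known is None or revoked_at < known:
                self.revoked[serial] = revoked_at

    def status_at(self, serial, when):
        revoked_at = self.revoked.get(serial)
        if revoked_at is not None and revoked_at <= when:
            return "revoked"
        # Assumption: "good" is only asserted for moments covered by an archived CRL.
        if any(start <= when <= end for start, end in self.windows):
            return "good"
        return "unknown"

# Constructed sample data: two CRLs from one CA; the first has long expired.
archive = RevocationArchive()
archive.ingest(datetime(2011, 8, 14, 0, 0, tzinfo=UTC),
               datetime(2011, 8, 15, 0, 0, tzinfo=UTC), [])
archive.ingest(datetime(2012, 3, 1, 0, 0, tzinfo=UTC),
               datetime(2012, 3, 2, 0, 0, tzinfo=UTC),
               [(0x1A2B, datetime(2012, 2, 20, 9, 30, tzinfo=UTC))])

QUERY = datetime(2011, 8, 14, 10, 0, tzinfo=UTC)   # the date used in the text above

if __name__ == "__main__":
    print(archive.status_at(0x1A2B, QUERY))
    print(archive.status_at(0x1A2B, datetime(2012, 3, 1, 12, 0, tzinfo=UTC)))
    print(archive.status_at(0x1A2B, datetime(2010, 1, 1, tzinfo=UTC)))
```

Without the expired 2011 CRL in the archive, the query for 14 August 2011 would return "unknown" rather than "good", which is why retaining expired CRLs matters for historical verification.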
The following image shows CRL Monitor sub-modules, the details of which are given in the next sections: