ADSS CRL Monitor is responsible for retrieving CRLs from registered CAs within internal or external PKI systems. It provides advanced CRL Monitoring against defined sets of CRL URLs and can provide administrator alerts if any of these retrievals fail. The downloaded CRLs are used by other ADSS modules (e.g. the ADSS Verification, Signing, OCSP and XKMS services) to determine the status of certificates.

CRL Monitor extracts all revocation information from the CRLs, including expired CRLs, and retains it within the ADSS Server database. It is thus capable of determining the historical status of a certificate, for example: was John Doe’s certificate valid on 14 August 2011 at 10:00 AM? This is an essential basis for providing historical signature verification services.
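The following added example (not ADSS code, and not the ADSS database schema) models why retaining entries from expired CRLs matters for a historical status query. The `CrlRecord` type, the `status_at` function and the sample CRLs are hypothetical and constructed for illustration; certificate hold and delta CRLs are ignored.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List


@dataclass
class CrlRecord:
    """Fields kept from one downloaded CRL (hypothetical model)."""
    this_update: datetime
    next_update: datetime
    revoked: Dict[int, datetime] = field(default_factory=dict)  # serial -> revocationDate


def status_at(history: List[CrlRecord], serial: int, when: datetime) -> str:
    """Return 'revoked', 'good' or 'unknown' for a serial at a past instant."""
    # Any retained CRL, expired or not, that lists the serial with a
    # revocationDate at or before `when` settles the question.
    for crl in history:
        revoked_on = crl.revoked.get(serial)
        if revoked_on is not None and revoked_on <= when:
            return "revoked"
    # 'good' needs a CRL whose validity window covers `when`; otherwise
    # there is no revocation data for that instant.
    if any(c.this_update <= when <= c.next_update for c in history):
        return "good"
    return "unknown"


def utc(*parts: int) -> datetime:
    """Build a timezone-aware UTC datetime."""
    return datetime(*parts, tzinfo=timezone.utc)


# Constructed sample data: serial 0x1A2B is revoked on 10 Aug 2011, then
# absent from the 2012 CRL (issuers may drop entries after the certificate expires).
HISTORY = [
    CrlRecord(utc(2011, 8, 1), utc(2011, 8, 8)),
    CrlRecord(utc(2011, 8, 8), utc(2011, 8, 15), {0x1A2B: utc(2011, 8, 10, 9)}),
    CrlRecord(utc(2012, 1, 1), utc(2012, 1, 8)),
]

if __name__ == "__main__":
    # Full history: the revocation is still found.
    print(status_at(HISTORY, 0x1A2B, utc(2011, 8, 14, 10)))
    # Latest CRL only: the dropped entry makes the certificate look good.
    print(status_at(HISTORY[-1:], 0x1A2B, utc(2012, 1, 2)))
```

With only the most recent CRL retained, the second query reports the certificate as good even though it was revoked, which is the failure mode that keeping historical revocation data avoids.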

This section describes how CRL Monitor works and how to manage and view CRL-related information within the module. The relevant parts of the Trust Manager module should be studied to understand how CRL-related policy settings are made when registering CAs.

CRL Monitor is essentially a scheduler that polls the defined CRL addresses at configured intervals. The polling time is based either on the expiry time of the previous CRL or on a defined time interval, e.g. every 15 minutes.


The following image shows CRL Monitor sub-modules, the details of which are given in the next sections:


