ADSS CRL Monitor Overview

ADSS CRL Monitor is responsible for retrieving CRLs from CAs. These CRLs can then be used by the ADSS Verification, OCSP, SCVP and XKMS Services to determine the revocation status of certificates.

CRL Monitor extracts and retains within its database all revocation information from each CRL that it has retrieved and successfully verified. It is thus capable of determining the historical status of a certificate, e.g. was John Smith’s certificate valid on 14 August 2011, at 10:00 AM? This is an essential facility for providing historical signature verification services.

CRL Monitor contains a scheduler that polls the defined CRL addresses at configured intervals. The time frame is based either on the expiry time of the previous CRL, or a pre-configured time interval e.g. every 15 minutes. Each CA registered on the ADSS Server can have its own CRL polling policy.

CRL Monitor Operation

CRL Monitor runs when the service is started after the installation of ADSS Server. Initially, as no CA will be registered, CRL Monitor remains in “sleep mode”. However once a CA is registered through ADSS Trust Manager, and the relevant CRL polling configurations are made, the CRL Monitor can be started. If polling details are set then CRL Monitor will wait for the specified polling time to arrive. Otherwise it will retrieve the CRL at its nextUpdate time.

Note that a number of alternative CRL addresses can be configured for a particular CA. CRL Monitor will attempt to use these in sequence to retrieve a new or updated CRL for the CA if the primary address fails.

Once a CRL is downloaded, the signature on the CRL is verified either using the CA’s public key or using the identified indirect CRL issuer’s key (i.e. indirect CRLs are CRLs which are issued by an authority other than the Certificate Authority which issued the certificate whose status is being checked). Once the CRL is verified, CRL Monitor checks that the downloaded CRL is more recent than the previously downloaded CRL. If it is not an updated CRL then the downloaded file is discarded and polling will recommence based on the CRL polling settings i.e. polling period or upon current CRL expiry. If the downloaded file is a new CRL then CRL Monitor updates the relevant ADSS database tables with certificate status data within the CRL.

CRL Storage

CRL Monitor stores CRLs in two ways:

The CRL is stored in its original compact form.
The CRL is unpacked and the individual revoked entries are stored in the ADSS database (referred to as detailed or expanded form).

The original signed CRL is stored in compact form for future use and to provide clear evidence that the CRL was indeed retrieved, can be trusted as signed by its issuer and it was valid. The CRL revoked entries are stored in an expanded form within the database to optimise performance when a certificate’s revocation status is required to be checked by various ADSS services.

For historical certificate status checking, ADSS Server will retrieve the original CRL in its compact form from local storage and use that. This does takes longer since it takes more time unpacking and checking the revoked values from a compact CRL, but it is expected that historical validations will be performed less frequently than current checks, plus ADSS Server uses a fast CRL streaming technology to speed up this process.