CRL Monitor stores CRLs in two ways:

  • The CRL is stored in its original compact form.
  • The CRL is unpacked and the individual revoked entries are stored in the ADSS database (referred to as detailed or expanded form).

The original signed CRL is stored in compact form for future use and to provide clear evidence that the CRL was indeed retrieved, that it can be trusted as signed by its issuer, and that it was valid. The revoked entries are stored in expanded form within the database to optimise performance when ADSS services check a certificate’s revocation status.

For historical certificate status checking, ADSS Server uses the current expanded CRL in the database or, if the CRL has been archived, the local archive store. In the latter case the CRL is retrieved in its original signed compact form. Checking an archived CRL takes longer than usual because the server needs to fetch and verify the CRL, then unpack it and check the revoked certificate IDs. Performance is not expected to be an issue because historic validations are expected to be requested less frequently than current checks. ADSS Server mitigates the delay by using a fast CRL streaming technology to expand the CRL information.
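
The archived-CRL check described above (take the compact signed CRL, verify it, unpack it, look up the certificate ID), shown as an added example that is not ADSS Server code. It assumes the Python `cryptography` package; the function names, the sample CA and serial numbers, and the rule that the CRL must have been in force at the validation time are assumptions of this example.

```python
import datetime as dt
from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

def _when(obj, attr):
    # Newer library releases expose timezone-aware *_utc attributes; older ones return naive UTC.
    value = getattr(obj, attr + "_utc", None)
    return value if value is not None else getattr(obj, attr).replace(tzinfo=dt.timezone.utc)

def make_sample_crl(ca_key, revoked, this_update, next_update):
    """Constructed test data: a signed CRL returned in compact (DER) form."""
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Example Test CA")])
    builder = (x509.CertificateRevocationListBuilder().issuer_name(name)
               .last_update(this_update).next_update(next_update))
    for serial, when in revoked:
        builder = builder.add_revoked_certificate(
            x509.RevokedCertificateBuilder().serial_number(serial).revocation_date(when).build())
    return builder.sign(ca_key, hashes.SHA256()).public_bytes(serialization.Encoding.DER)

def expand_crl(der, issuer_public_key):
    """Verify the compact CRL first, then unpack it to {serial: revocation time}."""
    crl = x509.load_der_x509_crl(der)
    if not crl.is_signature_valid(issuer_public_key):
        raise ValueError("CRL signature does not verify under the issuer key")
    entries = {r.serial_number: _when(r, "revocation_date") for r in crl}
    return _when(crl, "last_update"), _when(crl, "next_update"), entries

def status_at(der, issuer_public_key, serial, at):
    """Historical status from an archived CRL (assumed rule: CRL in force at `at`)."""
    this_update, next_update, entries = expand_crl(der, issuer_public_key)
    if not this_update <= at <= next_update:
        return "unknown"  # this CRL says nothing reliable about that moment
    return "revoked" if serial in entries else "good"

def demo():
    """Constructed sample: two revoked serials, CRL in force 10-17 March 2024."""
    day = lambda d: dt.datetime(2024, 3, d, tzinfo=dt.timezone.utc)
    ca_key = ec.generate_private_key(ec.SECP256R1())
    other_key = ec.generate_private_key(ec.SECP256R1())  # stands in for a wrong issuer
    der = make_sample_crl(ca_key, [(0x1001, day(5)), (0x1002, day(9))], day(10), day(17))
    pub = ca_key.public_key()
    out = [status_at(der, pub, 0x1001, day(12)), status_at(der, pub, 0x2000, day(12)),
           status_at(der, pub, 0x1001, day(20))]
    try:
        expand_crl(der, other_key.public_key())
    except ValueError:
        out.append("rejected")
    return out
```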

See also

CRL Monitor Key Features
Proxy Settings and Digest Authentication

Using the Service Manager
High Availability for CRL Monitor
Viewing CRL Details
CRL Monitoring
Instant Revocation
CRL Logs
Logs Archiving
Alerts
Management Reporting