The CRL Monitor module is used by the OCSP service to check certificate revocation information for the CAs that are registered in the Trust Manager with the validation policy set to "Local CRL Cache". Note that OCSP is not suitable for historic certificate validation because it only reports a certificate's status at the current time.


Ensure the CRL retrieval policy is configured correctly for the CAs within the ADSS Trust Manager. Also ensure that CRL Monitor is running and is polling for CRLs for those CAs that have automatic polling enabled.


For non-registered CAs, the current CRL is pulled dynamically when the first validation request is received and is cached until its expiry, or for the period specified in the system properties file. For CAs that over-issue CRLs, that is, publish a new CRL in advance of the next update time, it is recommended that these CAs are registered so that CRL Monitor can check for such over-issued CRLs and download them on a regular basis. This will optimise validation processing. Where required and where licensed, the local OCSP Service could be used to provide OCSP validation authority processing for one or more CAs.
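The effect of over-issued CRLs on a cache-until-expiry policy, as an added example (a simulation, not ADSS Server code): every class, function and value below is hypothetical and the CA data is constructed. It assumes a CA that publishes hourly CRLs valid for 24 hours, and it models regular polling as a check made at request time rather than as a background service.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

T0 = datetime(2024, 1, 1, tzinfo=timezone.utc)   # constructed start time
HOUR = timedelta(hours=1)
SERIAL = 0x1001                                   # constructed serial, revoked at T0+2h

@dataclass(frozen=True)
class CrlInfo:                                    # the CRL fields that matter here
    crl_number: int
    this_update: datetime
    next_update: datetime
    revoked: frozenset

def publish(now):
    """Constructed CA: a new CRL every hour, each valid for 24h (over-issued)."""
    n = int((now - T0) / HOUR)
    this_update = T0 + n * HOUR
    revoked = frozenset({SERIAL}) if n >= 2 else frozenset()
    return CrlInfo(n + 1, this_update, this_update + 24 * HOUR, revoked)

class CrlCache:
    """poll_interval=None models cache-until-expiry; a value models regular polling."""
    def __init__(self, fetch, poll_interval=None):
        self.fetch, self.poll_interval = fetch, poll_interval
        self.cached = self.last_poll = None

    def status(self, serial, now):
        expired = self.cached is None or now >= self.cached.next_update
        poll_due = (self.poll_interval is not None and self.last_poll is not None
                    and now - self.last_poll >= self.poll_interval)
        if expired or poll_due:
            latest, self.last_poll = self.fetch(now), now
            # Replace an expired CRL, or one superseded by a higher CRL number.
            if expired or latest.crl_number > self.cached.crl_number:
                self.cached = latest
        return "revoked" if serial in self.cached.revoked else "good"

def compare(hours_after_t0):
    """Return (unregistered, registered) answers for SERIAL at T0 + hours."""
    unregistered = CrlCache(publish)
    registered = CrlCache(publish, poll_interval=HOUR)
    for cache in (unregistered, registered):
        cache.status(SERIAL, T0)                  # first request primes both caches
    when = T0 + hours_after_t0 * HOUR
    return unregistered.status(SERIAL, when), registered.status(SERIAL, when)

if __name__ == "__main__":
    print(compare(3))    # revocation is published; unregistered cache still holds CRL 1
    print(compare(24))   # CRL 1 has expired, so both caches refresh
```
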


See also

Step 1 - Generating Keys and Certificates
Step 2 - Registering CAs
Step 3 - Registering Trusted CAs for OCSP Service
Step 5 - Using the Service Manager