CRL Storage within ADSS Server
CRL Monitor stores CRLs in two ways:
The original signed CRL is stored in compact form for future use and as clear evidence that the CRL was in fact retrieved, was signed by its issuer and so can be trusted, and was valid at the time. The CRL's revoked entries are also stored in an expanded form within the database, so that revocation-status checks made by the various ADSS services perform well.
For historical certificate status checking, ADSS Server uses the expanded CRL currently held in the database or, if the relevant CRL has been archived, the local archive store. In the latter case the original CRL is retrieved in its signed, compact form, so checking it takes longer than usual: the server must fetch and verify the CRL, unpack it and then check the revoked certificate IDs. Performance is not expected to be an issue, because historic validations are requested less frequently than current checks, and ADSS Server mitigates the delay by using a fast CRL streaming technology to expand the CRL information.
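The archived-CRL path described above, as an added example that is not ADSS Server code: it parses a compact signed CRL, refuses to expand it unless the issuer's signature verifies, unpacks the revoked serials into a lookup table and answers a historical "was this certificate revoked at time t?" question only when the CRL's thisUpdate/nextUpdate window covers t. It uses only the Go standard library; the issuer certificate, the CRL and serial 42 are constructed sample data.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

type ExpandedCRL struct { // database-style expansion of one verified CRL
	ThisUpdate, NextUpdate time.Time            // validity window of the source CRL
	Revoked                map[string]time.Time // decimal serial -> revocation time
}
// Expand follows the archive path: parse the compact signed CRL, verify it against the issuer, then unpack it.
func Expand(der []byte, issuer *x509.Certificate) (*ExpandedCRL, error) {
	crl, err := x509.ParseRevocationList(der)
	if err != nil {
		return nil, err
	}
	if err := crl.CheckSignatureFrom(issuer); err != nil {
		return nil, err // a tampered CRL, or one signed by another CA, is never expanded
	}
	e := &ExpandedCRL{crl.ThisUpdate, crl.NextUpdate, map[string]time.Time{}}
	for _, rc := range crl.RevokedCertificates {
		e.Revoked[rc.SerialNumber.String()] = rc.RevocationTime
	}
	return e, nil
}
// RevokedAt answers "was serial revoked at time t?" only from a CRL whose window covers t.
func (e *ExpandedCRL) RevokedAt(serial *big.Int, t time.Time) (bool, error) {
	if t.Before(e.ThisUpdate) || t.After(e.NextUpdate) {
		return false, errors.New("CRL validity window does not cover the requested time")
	}
	rt, ok := e.Revoked[serial.String()]
	return ok && !rt.After(t), nil
}
// MakeSampleCRL builds a constructed issuer (not a real CA) and a CRL it signs revoking serial 42 at now-30m.
func MakeSampleCRL(now time.Time) ([]byte, *x509.Certificate, error) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Sample CA"}, IsCA: true,
		BasicConstraintsValid: true, NotBefore: now.Add(-time.Hour), NotAfter: now.Add(time.Hour), KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
	caDER, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, key) // fixed template: cannot fail
	issuer, _ := x509.ParseCertificate(caDER)
	crlTmpl := &x509.RevocationList{Number: big.NewInt(7), ThisUpdate: now.Add(-time.Hour), NextUpdate: now.Add(time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: big.NewInt(42), RevocationTime: now.Add(-30 * time.Minute)}}}
	der, err := x509.CreateRevocationList(rand.Reader, crlTmpl, issuer, key)
	return der, issuer, err
}
```

A check against serial 42 at a time before its revocation correctly reports "not revoked", and a single flipped byte in the archived CRL's signature stops it from being expanded at all.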