CRL Monitor Key Features
The key features are:
CRL Monitor only runs when at least one CA has been registered within Trust Monitor and its CRL polling configurations are defined. When there are no CAs registered or CRLs defined then CRL Monitor remains in sleep mode.
CRL Monitor polls for the configured CRL for each CA at the requested polling interval.
A number of alternative CRL addresses can be configured for a CA and in such cases CRL Monitor attempts to access these locations in the order they are provided until a valid CRL is located. An option is provided so that all defined locations are checked for valid CRLs and, if some do not hold one, an alert message is sent for each issue observed.
Once a CRL is downloaded, the signature on the CRL is verified either using the CA’s certificate or using the identified CRL issuer’s key (when using indirect CRLs).
Sometimes a CA is configured to deliberately over-issue its CRLs, i.e. to publish a new CRL before the current one reaches its next update time. In such cases, if a CRL freshness policy is set within Trust Manager for this CA, then CRL Monitor also checks that a new, fresh CRL has been issued within the defined timeframe.
Once the CRL is verified, CRL Monitor checks that the downloaded CRL is more recent than the existing one held in the database for the CA.
If the downloaded CRL is the same as the one already held for this CA then it is discarded and polling recommences using the CRL polling configuration data (i.e. after the polling interval or after CRL expiry).
If the downloaded CRL is new then CRL Monitor updates the relevant ADSS Server database tables with certificate status information contained within it.
A fast CRL streaming process is used to ingest the data – even on low-end servers a 1 MB CRL can be expected to be processed in less than 1 minute. Enhancing the available CPU processing power through the use of multiple CPUs or more powerful ones increases the speed at which CRLs are processed.
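The polling round described above (try alternative locations in order, verify, apply the freshness policy, compare with the stored CRL, then re-poll after the interval or at CRL expiry) as one decision routine. This is an added illustration and not ADSS Server or CRL Monitor code: the CRL fields are constructed rather than decoded from DER, the `signature_ok` flag stands in for the real signature check against the CA or indirect CRL issuer key, and the "alert only in check-all mode, or when no location yields a valid CRL" behaviour is an assumption about how the option is applied.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Callable, List, Optional


@dataclass(frozen=True)
class CrlInfo:
    # Fields a monitor reads from a parsed CRL. Constructed here, not decoded
    # from DER; signature_ok stands in for verifying the CRL signature with
    # the CA certificate (or the CRL issuer's key for indirect CRLs).
    issuer: str
    crl_number: int
    this_update: datetime
    next_update: datetime
    signature_ok: bool


@dataclass
class CaPollingConfig:
    ca_name: str
    locations: List[str]                      # alternative CRL URLs, tried in order
    poll_interval: timedelta
    check_all_locations: bool = False         # option: check every location, alert per issue
    max_crl_age: Optional[timedelta] = None   # freshness policy for an over-issuing CA


@dataclass
class Decision:
    action: str                               # "update", "discard" or "no_valid_crl"
    alerts: List[str] = field(default_factory=list)
    next_poll_at: Optional[datetime] = None
    crl: Optional[CrlInfo] = None             # the CRL now held for the CA


def validate_crl(cfg: CaPollingConfig, crl: Optional[CrlInfo], now: datetime) -> Optional[str]:
    """Return None if the CRL is acceptable, otherwise the reason it is rejected."""
    if crl is None:
        return "download failed"
    if crl.issuer != cfg.ca_name:
        return f"issuer mismatch: {crl.issuer}"
    if not crl.signature_ok:
        return "signature verification failed"
    if now >= crl.next_update:
        return "CRL has expired"
    return None


def poll_ca(cfg: CaPollingConfig, fetch: Callable[[str], Optional[CrlInfo]],
            stored: Optional[CrlInfo], now: datetime) -> Decision:
    """One polling round for a single CA; fetch(url) returns a CrlInfo or None."""
    problems: List[str] = []
    chosen: Optional[CrlInfo] = None
    for url in cfg.locations:
        problem = validate_crl(cfg, (crl := fetch(url)), now)
        if problem is None:
            chosen = chosen or crl
            if not cfg.check_all_locations:
                break                          # first valid CRL wins
        else:
            problems.append(f"{cfg.ca_name}: {url}: {problem}")

    # Assumption: per-location alerts only when the check-all option is set,
    # or when no location produced a valid CRL at all.
    alerts = problems if (cfg.check_all_locations or chosen is None) else []
    if chosen is None:
        return Decision("no_valid_crl", alerts, now + cfg.poll_interval, stored)

    # Freshness policy: an over-issuing CA must have produced a CRL recently
    if cfg.max_crl_age is not None and now - chosen.this_update > cfg.max_crl_age:
        alerts.append(f"{cfg.ca_name}: newest CRL older than freshness policy {cfg.max_crl_age}")

    # Re-poll after the interval or when the held CRL expires, whichever is first
    next_poll = min(now + cfg.poll_interval, chosen.next_update)

    # A CRL that is not newer than the one already held is discarded
    if stored is not None and chosen.crl_number <= stored.crl_number:
        return Decision("discard", alerts, next_poll, stored)
    return Decision("update", alerts, next_poll, chosen)


def demo(check_all: bool = True, stored_number: int = 41) -> Decision:
    """Constructed scenario: a stale mirror, a bad signature, then a good CRL."""
    now = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)
    good = CrlInfo("Example CA", 42, now - timedelta(hours=2), now + timedelta(days=1), True)
    expired = CrlInfo("Example CA", 41, now - timedelta(days=3), now - timedelta(hours=1), True)
    bad_sig = CrlInfo("Example CA", 99, now, now + timedelta(days=1), False)
    mirrors = {"http://crl1.example.test/ca.crl": expired,
               "http://crl2.example.test/ca.crl": bad_sig,
               "http://crl3.example.test/ca.crl": good}
    cfg = CaPollingConfig("Example CA", list(mirrors), timedelta(hours=6),
                          check_all_locations=check_all, max_crl_age=timedelta(hours=1))
    stored = CrlInfo("Example CA", stored_number, now - timedelta(days=1), now + timedelta(hours=12), True)
    return poll_ca(cfg, mirrors.get, stored, now)


if __name__ == "__main__":
    d = demo()
    print(d.action, d.next_poll_at, *d.alerts, sep="\n")
```

With the check-all option set, the constructed run reports the expired mirror, the bad signature and the breach of the one-hour freshness policy, yet still updates the database because CRL number 42 is newer than the stored 41; with the option off, only the freshness alert remains. Setting the stored CRL number to 42 turns the same download into a discard, with the next poll scheduled at the six-hour interval because that falls before the held CRL's expiry.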