Step 3 - Configuring CRL Monitor

Home > ADSS Verification Service > Configuring the Verification Service > Step 3 - Configuring CRL Monitor

The CRL Monitor module is used by the verification service to check the certificate revocation information for the CAs that are registered in the Trust Manager with validation policy set to "Local CRL Cache". It is crucial to the provision of the ADSS historic signature verification capability. This historic check reviews the status of a certificate at a particular date/time in the past. For such verification requests, the ADSS Server retrieves the CRL that was valid at the specified time. This is used to determine the revocation status of the certificate and hence the validity of the signature at that time. Note that OCSP is not suitable for historic certificate validation because it only provides current time certificate status.

Ensure the CRL retrieval policy is configured correctly for the CAs within the ADSS Trust Manager. Also ensure that CRL Monitor is running and it is polling for CRLs for those CAs whose automatic polling is enabled.

For non-registered CAs their current CRL will be pulled dynamically as the first validation request is received and cached until its expiry, or for the period specified in the system properties file. For CAs that over-issue CRLs in advanced of the next update time it is recommended that these are registered so that CRL Monitor can check for such over-issued CRLs and download them on a regular basis. This will optimise validation processing.

For those CAs that require OCSP validation ADSS Server contains an in-built OCSP client and these details are defined within the Trust Manager module. Where required and where licensed, the local OCSP Service could be used to provide OCSP validation authority processing for one or more CAs.