The CRL Details function provides the ability to view and search the CRLs that have been downloaded by CRL Monitor. The CRL polling information can be reviewed and CRLs can be exported out of the ADSS Server. Functionality is also provided to manually import a CRL (as opposed to using the more normal automated retrieval of CRLs from an online repository).


When the CRL Details button is clicked, a table is displayed showing all registered CAs for which Local CRL Cache is selected as the primary or secondary method in the validation policy, or which have CRL polling enabled. The CAs are registered and the CRL polling policy is configured via the Trust Manager module. For further details on the Trust Manager module see the section Trust Manager.



The following table describes each item in the above screenshot:


Items

Description

|< < > >|

These buttons are for navigating the different pages of the CA table. Note the number of records shown per page is configurable from within Global Settings (since it impacts all grids within the product).

Show All CA's 

This checkbox is used to show all CAs registered in Trust Manager. If this checkbox is unchecked, the list shows only those CAs for which Local CRL Cache is selected as the primary or secondary method in the validation policy, or which have CRL polling enabled.

View CRL Polling Details

This shows the polling policy details for the selected CA. Note this policy is configured in the Trust Manager module and shown here only for information purposes.

Clear Search

After a Search, the table will only show the filtered records; this button clears the search criteria and provides a view of the full set of records.

Search

This opens a new page where you can enter the search criteria based on each column of the CRL Details page.

View CRLs

This shows all the CRLs downloaded by ADSS CRL Monitor for the chosen CA (see below for further details).

CA Friendly Name

This is a unique name for the CA, defined at the time of registering the CA in Trust Manager.

CRL Number

This table column shows the CRL number (taken from the extension within the CRL or a system defined value in case the extension was not present).

In the case of a partition CRL, multiple CRLs are zipped together in the form of a zip file. Hence, in this case, the CRL number that is being displayed on the console is the latest CRL number stored in the Partition CRL zip file.

CRL Status

This shows the status of the last CRL retrieved for this CA. This can take three values:

Current: i.e. it is still valid and can be used to provide up-to-date certificate status information.

Pending Update: This means that CRL Monitor is currently trying to retrieve a new CRL. In the meantime, the existing “pending-update” CRL may be used to provide revocation information depending on the CA’s configured CRL policy of whether “pending update” CRLs can be used or not.

Expired: This means that the CRL has expired (i.e. the time indicated in the nextUpdate field of the CRL has been reached). ADSS Server cannot use such expired CRLs to determine revocation status other than for historical certificate validation purposes.

Polling Enabled

This defines whether polling is currently enabled or disabled for the CA. Ensure polling is enabled if CRL Monitor is to automatically retrieve CRLs for this CA.

Polling Period

This identifies the time when CRL Monitor will next attempt to retrieve the CRL from the back-end online CRL repository. This configuration is made in Trust Manager.

Next Fetch

This identifies the time when CRL Monitor will next attempt to retrieve the CRL from the back-end online CRL repository. This may be a configurable time period or set to the CRL’s nextUpdate field. This configuration is made in Trust Manager.

Retain Old CRLs

This identifies whether the ADSS Server keeps the old CRLs in the database when a new CRL arrives. When False, only the latest CRL is kept in the database; the system removes the old CRLs from the database on arrival of a new CRL. This configuration is made in Trust Manager.


In the above screen, clicking on the View CRL Polling Details button will show the following screen of CRL polling details for the selected CA:



CRL detail records for different CAs can be sorted in either ascending or descending order by selecting a table column from the drop down list.

When a CA is selected and the View CRLs button is clicked then all the CRLs previously retrieved for that CA are displayed as shown below:



Clicking on the three dots in the first column displays the option to 'Import CRL' or 'Delete All CRLs'. Selecting the Import CRL option displays the following screen:

 


Clicking on the three dots for the selected CRL displays the following screen: 



The following table describes each item in the above three screenshots:


Items

Description

|< < > >|

These buttons are for navigating the different pages. Note the number of records shown per page is configured within the ADSS Global Settings.

Clear Search

After a Search the window will only show the filtered records; this button provides a view of the full set of records.

Search

This opens a new window where you can enter the search criteria based on each column of the transaction grid (see below for further details).

CRL Number {hex}

This table column shows the CRL number (taken from the extension within the CRL or a system defined value in case the extension was not present).

In the case of a partition CRL, multiple CRLs are zipped together in the form of a zip file. Hence, in this case, the CRL number that is being displayed on the console is the latest CRL number stored in the Partition CRL zip file.

This Update

This table column shows the thisUpdate field from the CRL (it identifies when the CA issued this CRL).

Next Update

This table column shows the nextUpdate field from the CRL (it identifies when the CA was planning to issue an update for this CRL).

Import Type [column]

This table column identifies the type of CRL (e.g. full or delta CRL or Segmented CRL).

Import CRL [label]

This drop-down menu option allows for the import of current (full, segmented or partitioned) or archived CRLs. The user can import DER, Base64 or PEM encoded CRLs. The CRLs that can be imported include:

  • Full CRL
  • Partitioned CRL
  • Segmented CRL

Note: When importing a segmented or partitioned CRL, you must provide a compressed zip file containing the set of segmented or partitioned CRLs covering all revocation reasons. Segmented CRLs are sometimes used as a dissemination mechanism for CRLs as they can restrict the size of the CRLs that need to be downloaded, allowing the CRL provider to service requests at a faster rate. Segmentation can also solve the practical problem of CRLs growing to unmanageable lengths by allowing CRLs to be segmented, based on size considerations or priority considerations related to revocation reasons.

Browse/choose File

The browse button allows you to manually import a CRL for this CA. You only need to browse for the CRL file (or a zip of the segmented CRLs as explained above). Once located, ADSS Server will automatically import the CRL(s) without requiring further action. ADSS CRL Monitor will check that the CRL is valid, that it does not already exist in the database and that it is later than the current one.

Note:

  • The user can import DER, Base64 or PEM encoded CRLs. ADSS Server does not support PEM encoded CRLs which are larger than 1 MB. Generally the use of PEM encoded CRLs is discouraged as this increases the size of the CRL and its processing time.
  • The default size of a file to be uploaded on ADSS Server Console is 52 MB. To upload a file of a larger size, follow the link How to upload large files on ADSS Unity Console?

Delete All CRLs

This deletes all CRLs for the respective CA.

Export CRL

You can select a CRL and then use this button to export a copy of the CRL as a file.

Auto Retrieve CRL

This will retrieve the latest CRL for the respective CA from the CRL Resource address configured in Trust Manager.

Note: This button will be enabled only if Polling is enabled for the respective CA in Trust Manager.

View Latest CRL Content

You can view the contents of the latest CRL by pressing this button (see below for further details).
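An offline check that can be run on a CRL file before a manual import, following the Browse/choose File notes and the CRL Status values described above. This is an added example, not part of ADSS Server or its documentation: it normalises DER, PEM or Base64 input, applies the 1 MB PEM limit and reads thisUpdate and nextUpdate directly from the DER. The function names, the sample CRL and the reading of "later" as a later thisUpdate are assumptions, and the signature is not verified.

```python
import base64, re
from datetime import datetime, timezone
PEM_LIMIT = 1024 * 1024  # limit stated on this page for PEM encoded CRLs

def read(buf, pos):
    """Decode one DER element at pos and return (tag, body, next_pos)."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:  # long form: the low 7 bits give the number of length bytes
        n, pos = int.from_bytes(buf[pos:pos + (n & 0x7F)], "big"), pos + (n & 0x7F)
    if pos + n > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + n], pos + n

def to_der(data):
    """Accept a DER, PEM or bare Base64 CRL and return DER bytes."""
    if data[:1] == b"\x30":  # DER CRL starts with a SEQUENCE tag
        return data
    if b"-----BEGIN" in data and len(data) > PEM_LIMIT:
        raise ValueError("PEM CRL larger than 1 MB")
    return base64.b64decode(re.sub(rb"-----[A-Z0-9 ]+-----|\s", b"", data), validate=True)

def parse_time(tag, body):
    s = body.decode("ascii")
    if tag == 0x17:  # UTCTime: RFC 5280 maps YY >= 50 to 19YY, otherwise 20YY
        s = ("19" if s[:2] >= "50" else "20") + s
    return datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def crl_times(der):
    """Return (thisUpdate, nextUpdate or None) from a CertificateList."""
    tbs, pos, times = read(read(der, 0)[1], 0)[1], 0, []
    while pos < len(tbs):  # top-level tbsCertList fields only
        tag, body, pos = read(tbs, pos)
        if tag in (0x17, 0x18):  # UTCTime / GeneralizedTime
            times.append(parse_time(tag, body))
    if not times:
        raise ValueError("thisUpdate not found")
    return times[0], (times[1] if len(times) > 1 else None)

def precheck(data, current_this_update, now):
    """Classify a CRL file (assumption: 'later' means a later thisUpdate)."""
    this_update, next_update = crl_times(to_der(data))
    if this_update <= current_this_update:
        return "not later than current CRL"
    return "Expired" if next_update is not None and now >= next_update else "Current"

# Constructed sample CRL: placeholder signature, no revoked entries.
def tlv(tag, body): return bytes([tag, len(body)]) + body  # short-form lengths only
ALG = tlv(0x30, bytes.fromhex("06092a864886f70d01010b0500"))
NAME = tlv(0x30, tlv(0x31, tlv(0x30, bytes.fromhex("0603550403") + tlv(0x0C, b"Constructed CA"))))
TBS = tlv(0x30, tlv(0x02, b"\x01") + ALG + NAME + tlv(0x17, b"240101000000Z") + tlv(0x17, b"240108000000Z"))
SAMPLE_DER = tlv(0x30, TBS + ALG + tlv(0x03, b"\x00\x00"))
```

`precheck` takes the file bytes, the thisUpdate of the CRL currently shown for the CA, and the time to evaluate against. An archived CRL is reported as Expired rather than treated as an error.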


The list of CRLs for a particular CA can be sorted in either Ascending or Descending order by selecting a table column from the drop down list.


To view the linting report for a selected CRL, click on the vertical ellipsis next to the row on the main screen and select the Linting Report option. This action will open a new screen where you can choose the desired External Script Linter from the drop-down list configured under Global Settings > External Script Linters:



After selecting the linter, click Show Report to display the linting details of the CRL:


 

Additionally, you can export the report in PDF format by clicking the Export PDF button.



See also

CRL Monitor Key Features
CRL Storage within ADSS Server
Proxy Settings and Digest Authentication
