If the CRL method was selected for the certificate status checking process for a CA, then the next step is to define the CRL repository address(es) for this CA and associated CRL processing policy, using the screen below:



The Add button is used to enter the URL for an online CRL repository. Multiple locations can be defined and connection to each location will be attempted in the order shown until a CRL is successfully retrieved. The Test button can be used to check that the URLs have been entered correctly.


When communication with a CRL resource is required over an TLS channel, it is required to register the issuer of the relevant TLS Server Authentication certificate in the Trust Manager with purpose CA (will be used to verify other certificates and CRLs). Restarting the ADSS Server windows service is required in this case so that the certificate can be stored in the JVM key store for TLS Server Authentication to succeed.


It is recommended that CRL settings are configured for the CA even if it has an OCSP Responder for two reasons:

  • The CRLs can act as a fall-back option in case an OCSP responder becomes unavailable.
  • ADSS Server can use the CRLs to provide historical certificate validation functionality. Even if not used today it is quite possible that such an option will be beneficial in the future. Once ADSS Server is set to record all the issued CRLs it is capable of determining the status of a certificate at any specified time and date from this point onwards.


The Configure CRL Settings screen defines the policy for how often the ADSS CRL Monitor retrieves the CRLs for this CA and how the overall process is to be managed:

Each field in the form is discussed in the table below:

Items

Description

CRL Resource Settings

Defines the following

Select a certificate issued by this CA to read CRL resource addresses from CDP extension

Browse to a certificate issued by the CA you are registering and the system will get the CRL resources (HTTP/LDAP address) automatically from the CDP extension  for automatic CRL polling. All the CRL resources will be added automatically in the CRL resources list box e.g.

  • http://www.firmadigitale.bancaditalia.it/crl/crl.crl
  • ldap://ldap.firmadigitale.bancaditalia.it/cn=Banca%20d'Italia,ou=Servizi%20di%20certificazione,
    o=Banca%20d'Italia/00950501007,c=IT?certificateRevocationList

Manually add a CRL Resource

If you want to add a CRL resource (HTTP/LDAP address) manually then enter the address of CRL resource and click the Add button to add the CRL resource into the CRL resources list box e.g.

  • http://www.firmadigitale.bancaditalia.it/crl/crl.crl
  • ldap://ldap.firmadigitale.bancaditalia.it/cn=Banca%20d'Italia,ou=Servizi%20di%20certificazione,
    o=Banca%20d'Italia/00950501007,c=IT?certificateRevocationList

 

In case of Partitioned CRL, a CRL resource can be added in the following ways:

  • http://localhost:8777/adss/crls/adss_samples_test_ca<5>.crl
  • http://localhost:8777/adss/crls/adss_samples_test_ca<*>.crl 
  • ldap://localhost:10389/CN=CRL*,CN=Linux_LDAP_CA,O=Asc,C=AL?certificateRevocationList;binary


The below points must be noted while adding a Partitioned CRL:

  1. The '<5>' placeholder indicates the maximum number of CRL. The CRLs will keep on downloading in a sequential order starting from ‘1’ until they reach the maximum number. In cases where the next CRL resource is not found, for example, after <2>, the next CRL resource is <4>, and <3> is missing, the missing resource will be skipped and it will move on to the next one to continue the downloading process until the maximum set number is reached. It is recommended to use this approach if the Create Fixed Number of Partitions option is selected in CRL Settings under Manage CA > Local CAs.  
  2. The '<*>' placeholder indicates that all the CRLs will be downloaded in sequential order. In cases where the next CRL resource is not found at any stage (as in the scenario mentioned in the previous point), the process of downloading CRLs will halt, and no further CRLs will be downloaded. It is recommended to use this approach if the Create Partitions Based on Revocation Entries option is selected in CRL Settings under Manage CA > Local CAs.  
  3. If the CRL numbers are inconsistent e.g. ca10.crl, ca7.crl, ca4.crl etc, the '*' functionality will not operate correctly.  
  4. For HTTP, the CRLs will be downloaded in a sequential way. However LDAP has its own downloading mechanism, hence it may not follow the same sequential order.
  5. If Partitioned CRLs are added in the CRL resources list box, then we must select the 'Find a partitioned CRL from all the defined resources' radio button under CRL Download Policy section in order to avoid the configurational issues. 

List of CRL Resources

This contains the list of CRL resources that will be used to download the CRL.


 In case of wild card partition CRLs, the Test button will only test the URL of first CRL.

CRL Download Policy

Defines the following:

Find the first acceptable CRL from any of the defined resources

If this radio button is selected then the CRL will be downloaded from the first working resource/address from the list of configured resources/addresses.

Check CRLs from all the defined resources

If this radio button is selected then CRL Monitor will monitor all the configured address and download the CRLs from all the resources. The latest CRL will be inserted in the database. Also, if some of the resoure(s) are not working then failure information will be logged in the CRL Monitor Logs about the failure.

Find a segmented CRL from all the defined resources

This radio button should be selected when the CA concerned issues reason based segmented CRLs and multiple addresses are configured to download all segments of a distributed CRL. Segmented CRLs are sometimes used as a dissemination mechanism for CRLs as they can restrict the size of the CRLs that need to be downloaded, allowing the CRL provider to service requests at a faster rate.  Segmentation can also solve the practical problem of CRLs growing to unmanageable lengths by allowing CRLs to be segmented, based on size considerations or priority considerations related to revocation reasons.

Find a partitioned CRL from all the defined resources

If this radio button is selected, then, the partitioned CRL will be downloaded from the list of configured resources/addresses.

Find a partitioned CRL from the defined base LDAP address

This radio button should be selected when the CA concerned issues serial number based partitioned CRLs and an LDAP repository is configured to download all partitions of a distributed CRL.  Partitioned CRLs are sometimes used as a dissemination mechanism for CRLs as they can restrict the size of the CRLs that need to be downloaded, allowing the CRL provider to service requests at a faster rate.  Partitioning can also solve the practical problem of CRLs growing to unmanageable lengths by allowing CRLs to be partitioned, based on size considerations or a range of certificate serial numbers issued by the CA.

Defines the following:

  • CRL Filter:
    This defines the base DN for LDAP repository containing required CRLs. e.g. CN=CRL1, C=GB
    If it is required to use the wildcard in the Base DN then use the * e.g. CN=CRL*,C=GB..
  • User ID:
    This defines the username for the LDAP address.
  • Password:
    This defines the password for the LDAP address.

CRL Polling Scheduler Settings

Defines the following:

Enable automated polling

This checkbox defines whether or not ADSS CRL Monitor should perform CRL polling to retrieve CRLs for this CA.  Any of the CRL polling configurations for a CA are only effective if this option is turned on. Otherwise CRL polling is not performed.

Next Fetch

This defines the date and time when the next attempt will be made to retrieve the CRL for this CA. Normally ADSS Server automatically sets this field, however for the first poll time the ADSS user may define this.


Note: For each CA, the CRL Next Fetch time is set as: time when CRL polling last completed (whether failed/successful) + Polling Period. Here the Polling Period can be Polling Period or Failure Polling Period depending on whether the attempt was successful or not. Any change in CRL Next Fetch done manually in Trust Manager by the ADSS User (or any other change in the CRL Polling Settings section) will only be effective once the CRL Monitor is restarted.

Start Polling at Configurable Time

This radio button setting defines if the CRL Monitor should poll for CRLs at a configurable time period (e.g. every 10 mins) regardless of the official nextUpdate field of the CRL. This is useful only if there is a possibility that the CA may issue emergency CRLs or over-issued CRLs in advance of the nextUpdate time defined inside the current CRL.


Note: ​Even if the polling setting is based on a Polling Period at a Configurable Time, CRL Monitor always attempts to download the CRL whenever the previous CRL expires (i.e. when CRL nextUpdate time arrives), without waiting for the defined polling period time to elapse in case this is in the future. This ensures that ADSS Server retrieves all CRLs in a timely and effective way as soon as they are released.

Start Polling at CRL next update

As an alternative, this setting configures the CRL Monitor to poll for a new CRL only when the previous CRL NextUpdate time is reached. This saves resources since otherwise ADSS will fetch the same CRL at the end of every polling period interval.


Note: CRLs are only updated when the CRL Next Update arrives unless of course emergency CRLs or over-issued CRLs are used.  So check what your CA CRL publishing policy is and then set this accordingly.

Enable CRL Freshness Checking

When enabled, ADSS Server will generate an email and/or SMS alert to the configured users whenever a new CRL is not published within the configured number of minutes from the previous CRL thisUpdate field.


Note: This feature is useful when a CA is supposed to issue a CRL periodically (every few hours say) even though the previous CRL is still valid for a certain period longer. When configured,CRL freshness policy time can also be set as Next Fetch if it is lower than the other two criteria ( Start Polling at Configurable Time and Start Polling at CRL next update ). If the CA somehow fails to publish the CRL within the specified period from the previous CRL issuance, an alert will be sent but ADSS Server will still use the previous CRL as long as it valid or a newly published CRL is fetched. This setting is only useful if the CA is issuing so called over-issued CRLs. CRL Monitor alerts can be configured within the CRL Monitor.

Retry if Connection Fails

Defines how long ADSS Server should wait before trying to fetch a CRL again following a failure to retrieve a CRL, e.g. ADSS Server may be unable to connect to the CRL resource (LDAP, HTTP) or perhaps the CRL may be corrupt or the signature on the CRL may be invalid.

CRL Timeout

Defines a CRL download timeout value for this CA.


Note: It is recommended to configure a non-zero and realistic value for CRL timeout so that if the CRL downloading thread fails to download the CRL within the configured value for timeout, it will report a download failure and will again invoke the CRL download after allowing the time period after failure. In case the timeout is configured as “0” (unlimited) and downloading hangs for some reason then the CRL downloading thread will remain in a hung state until the Windows or Unix Service is restarted.

Also note that a realistic value for timeout is a relative term. For instance, if download of a CRL is expected to complete within 1 minute then you must configure the value for timeout to be 2 or above. Also the value for timeout should be a little higher than the expected time for downloading so that the downloading thread gets some additional time in case the network is slow. In particular, the download time for the CRL will depend on the CRL size and network speed.

Advanced CRL Handling

Defines the following:

CA will issue its own CRL

This radio button is used if the CRL will be issued by the CA directly. It also defines the following:

  • CA has been rekeyed:
    This check box is used if the CA has generated a re-keyed CA certificate that issues new CRLs and certificates covering the certificates issued by the new and old CAs.

CA will use indirect CRLs

This radio button is used if another CRL issuer will be used. When a CA uses indirect CRLs, then the CRL issuer must be selected from the drop-down list.  


Note: These CRL issuer details are defined separately within the Trust Manager module.

Use CRL in pending-update state

If checked then when the new CRL is being downloaded, the previous valid CRL will be used by ADSS Server even though it is marked as PENDING.
If unchecked then the previous CRL that is marked as PENDING will not be used. Revocation status for the target certificate will be returned as UNKNOWN in this case.

CA issues delta CRLs

Enable this checkbox if the CA issues delta CRLs.

Check CRL issuer revocation status

Enable this checkbox if it is required to check the revocation status of the CRL Issuer certificate every time a new CRL arrives. If the CRL Issuer certificate revocation is not good (checked using the validation policy of the CA of the CRL Issuer) then the newly downloaded CRL will not be accepted.

Load CRL in memory for high speed revocation checking

Enable this checkbox if it is required to generate high speed OCSP responses when the ADSS OCSP Service responds on behalf of this CA.

Retain old CRLs in database

This is checked by default and it is used to keep the old CRLs in database when a new CRL arrives.When unchecked only the latest CRL is kept in the database. System removes the old CRLs from the database on arrival of a new CRL.

Publish CRL on File System

Enable this option to store the newly downloaded CRL to a selected network location with the identified folder name. It defines following:

  • Folder Path
    Define the Local/network path to store Downloaded CRL.
  • CRL File Name:
    Define the user friendly name to store the downloaded CRL.
  • Keep all CRL files in the folder
    Enable this checkbox to keep a copy of all CRLs in a sub-folder called "Archive". When a new CRL is downloaded, it is written to the idenitifed folder with the identified filename.  A copy of the CRL is placed in the "Archive" folder with following naming format: [CA Friendly Name]_[CRL ThisUpdate DateTime].crl e.g. "Ascertia Test CA_2013-6-26 18-15-59.crl".


Note: This feature is useful in situations where end-users cannot access an external CRL directory directly (due to network restrictions) and ADSS Server is used to re-publish the CRLs on the local system or network.  Alternatively this may be used as a High Availability measure to provide an alternative location for CRLs.

CRL Archive Settings

Defines the following:

Archived file path

This is the path to the location where archived CRLs will be stored in CSV format (zipped).

Delete records from database once archived

Enable this option if you want to delete the CRLs from the database upon archiving.


Note: Unless selected the CRLs will still remain present in the database even upon archiving. In such cases an archive back-up of the CRLs is created but database size is not reduced.  It is therefore important to select this checkbox very carefully depending on the required objective for the archiving process.

Enable auto-archiving of CRLs

Check this option to enable the auto-archiving of CRLs.

Auto-archive every

This value specifies how often (in days) the CRLs are archived.

Archive records older than

The CRLs older than the configured number of days are auto-archived.

Archive at

This value specifies the time on the day when auto-archiving will be performed. 


It is important to note that archiving is a highly intensive operation and it may impact the performance of the system. Hence it is important to schedule archiving at off-peak hours when end-users are not utilizing the services heavily. Alternatively a dedicated load balanced ADSS Server instance should be set-up for such housekeeping tasks by deploying ADSS Server Core and Service instances on different machines.


ADSS CRL Monitor will poll for new CRLs once per hour when the value for polling period is set to 0 minutes on the Configure CRL Settings screen. When CRL polling settings for a Certification Authority (CA) are changed so that the CRLs are downloaded on the NextUpdate time then this change will take effect when a new CRL is downloaded.

  

See also

Step 1 - Identifying the TA

Step 2 - Validation Policy
Step 3 - CRL Settings

Step 4 - Advanced Settings