Venafi Encryption Director v10, TrustAuthority / TrustForce v14
Starting in Venafi Encryption Director v10, it is possible to enable Director to monitor CRLs (Certificate Revocation Lists).
Certificate Revocation List (CRL) Verification:
- Prevents system outages by increasing visibility into CRL updates and eliminating the risk inherent to certificate middleware services.
- Ensures that CRLs are available and up-to-date to prevent widespread outages caused when relying parties are unable to access valid CRLs and check the revocation status of certificates.
- Notifications and escalations are sent if CRLs are not updated in a timely manner.
CRL Verification is disabled by default.
Help enabling this feature is available here: https://support.venafi.com/entries/24847317-How-To-Enable-CRL-Verification
In order to perform CRL Verification, the CDP (CRL Distribution Point) must be associated with a Root or Intermediate certificate in the Roots tree.
This can be accomplished in three different ways:
- During the setup wizard for Director 10, a number of migration tasks are run. One of these adds CDP information to Root and Intermediate certificates in the Roots tree:
  - All valid certificates in the Policy and Discovery trees are scanned and any CDP information is collected.
  - The Roots tree is scanned.
  - CDP information is added to the correct issuing cert in the Roots tree. Thus, the CDP will be created on the Root or Intermediate cert that issued the leaf cert.
  - Any CDP that doesn't have a corresponding Root/Intermediate cert is then discarded.
- When a Root/Intermediate cert is added to the Roots tree, Director scans the certificates in the Policy tree. Any corresponding CDPs are then added automatically to the Root/Intermediate.
- CDPs can be manually added to a Root or Intermediate certificate. Information on how to do this is available here: https://support.venafi.com/entries/24860848-How-To-Manually-Add-a-CDP-for-CRL-Verification
CRL Verification can happen in two different ways (if enabled):
- All CDPs are checked on a daily basis. The check runs at 12:00am (local server time) with the rest of the daily tasks (Validation, Cert Monitoring, etc.).
- CDPs can be manually checked:
  - Go to the Roots tree.
  - Select an existing Root or Intermediate certificate object.
  - Go to the CRL Verification tab and the CRL Distribution Points sub-tab.
  - Click Verify Now.
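The CDP association and the daily CDP check described above, modelled as an added example that is not Venafi's code: it attaches each scanned certificate's CDPs to the issuing cert in a mock Roots tree, discards CDPs with no matching issuer, and classifies each fetched CRL by its nextUpdate so that stale or unreachable CRLs can be escalated. Matching a certificate's issuer DN to a Roots-tree subject DN, the 24-hour warning window, and all names and URLs are assumptions.

```python
# Added example, not Venafi code; matching issuer DN to subject DN is an assumption.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    cdps: tuple = ()  # URLs from the certificate's CRL Distribution Points extension

@dataclass(frozen=True)
class Crl:
    this_update: datetime
    next_update: datetime

def associate_cdps(roots_tree, scanned_certs):
    """Attach each scanned cert's CDP URLs to the Root/Intermediate that issued it;
    CDPs with no corresponding cert in the Roots tree are discarded."""
    assigned = {c.subject: set() for c in roots_tree}
    discarded = set()
    for cert in scanned_certs:
        assigned.get(cert.issuer, discarded).update(cert.cdps)
    return assigned, discarded

def crl_status(crl, now, warn_before=timedelta(hours=24)):
    """'unreachable' (fetch failed), 'expired' (nextUpdate passed, so relying parties
    can no longer check revocation), 'expiring' (inside warning window), else 'ok'."""
    if crl is None:
        return "unreachable"
    if now >= crl.next_update:
        return "expired"
    return "expiring" if crl.next_update - now <= warn_before else "ok"

def daily_check(assigned, fetched, now):
    """One pass over every CDP of every Root/Intermediate; `fetched` maps a CDP URL
    to the Crl downloaded from it (None when the download failed)."""
    return {(ca, url): crl_status(fetched.get(url), now)
            for ca, urls in assigned.items() for url in sorted(urls)}

# Constructed sample data (not real CAs, hosts or URLs).
ROOT = Cert("CN=Example Root", "CN=Example Root")
ISSUING = Cert("CN=Example Issuing CA", "CN=Example Root", ("http://crl.example.test/root.crl",))
LEAVES = [Cert("CN=web01", "CN=Example Issuing CA", ("http://crl.example.test/issuing.crl",)),
          Cert("CN=orphan", "CN=Unknown CA", ("http://crl.example.test/unknown.crl",))]
NOW = datetime(2024, 1, 10, tzinfo=timezone.utc)
FETCHED = {"http://crl.example.test/issuing.crl": Crl(NOW - timedelta(days=6), NOW + timedelta(hours=6)),
           "http://crl.example.test/root.crl": Crl(NOW - timedelta(days=40), NOW - timedelta(days=1))}

if __name__ == "__main__":
    print(daily_check(associate_cdps([ROOT, ISSUING], LEAVES + [ISSUING])[0], FETCHED, NOW))
```

Note that the intermediate's own CDP lands on the Root that issued it, exactly as the migration task places a CDP on the issuing cert rather than on the cert that carries the extension.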