
Info: CRL Verification

Applies to:

Venafi Encryption Director v10, TrustAuthority / TrustForce v14

Summary: 

Starting in Venafi Encryption Director v10, it is possible to enable Director to monitor CRLs (Certificate Revocation Lists).

Certificate Revocation List (CRL) Verification:

  • Prevents system outages by giving visibility into CRL updates and reducing the risk inherent in certificate middleware services.
  • Ensures that CRLs are available and up to date, preventing the widespread outages that occur when relying parties cannot retrieve a valid CRL and therefore cannot check the revocation status of certificates.
  • Sends notifications and escalations if a CRL is not updated in a timely manner.

 

More Information:

CRL Verification is disabled by default.

Help enabling this feature is available here: https://support.venafi.com/entries/24847317-How-To-Enable-CRL-Verification

 

In order to perform CRL Verification, the CDP (CRL Distribution Point) must be associated with a Root or Intermediate certificate in the Roots tree.

This can be accomplished in three different ways:

  1. During the setup wizard for Director 10, a number of migration tasks are run. One of these adds CDP information to the Root and Intermediate certificates in the Roots tree:
    1. All valid certificates in the Policy and Discovery trees are scanned and any CDP information is collected.
    2. The Roots tree is scanned.
    3. CDP information is added to the correct issuing certificate in the Roots tree, so the CDP is created on the Root or Intermediate certificate that issued the leaf certificate.
    4. Any CDP that has no corresponding Root/Intermediate certificate is discarded.
  2. When a Root/Intermediate certificate is added to the Roots tree, Director scans the certificates in the Policy tree. Any corresponding CDPs are then added automatically to the Root/Intermediate certificate.
  3. CDPs can be added manually to a Root or Intermediate certificate. Information on how to do this is available here: https://support.venafi.com/entries/24860848-How-To-Manually-Add-a-CDP-for-CRL-Verification

 

Once enabled, CRL Verification runs in two ways:

 

  1. All CDPs are checked daily. The check runs at 12:00am (local server time) together with the other daily tasks (Validation, Certificate Monitoring, etc.).
  2. CDPs can be checked manually:
    1. Go to the Roots tree
    2. Select an existing Root or Intermediate certificate object
    3. Go to the CRL Verification tab and CRL Distribution Points sub-tab
    4. Click Verify Now
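The article does not describe what the daily check or Verify Now actually decides about each CRL. The following is an added example, not Venafi code, of the freshness decision a CRL monitor makes: it parses a DER CRL with a small stdlib-only DER walker, reads thisUpdate and nextUpdate from the tbsCertList, and classifies the CRL as OK, EXPIRING, STALE, NO_NEXT_UPDATE or FUTURE. The sample CRLs are constructed inline with a placeholder signature, so the example exercises only the freshness logic and makes no trust decision; the 24-hour warning threshold and the fixed clock are assumptions for illustration.

```python
"""Added example: classify CRL freshness from thisUpdate/nextUpdate (stdlib only)."""
from datetime import datetime, timedelta, timezone

UTC_TIME, GENERALIZED_TIME, INTEGER, SEQUENCE = 0x17, 0x18, 0x02, 0x30


def _tlv(buf, pos=0):
    """Read one DER tag-length-value at pos -> (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _children(value):
    """Split a constructed DER value into its (tag, value) elements."""
    out, pos = [], 0
    while pos < len(value):
        tag, v, pos = _tlv(value, pos)
        out.append((tag, v))
    return out


def _decode_time(tag, value):
    """RFC 5280 Time: UTCTime (YYMMDDHHMMSSZ, years 1950-2049) or GeneralizedTime."""
    s = value.decode("ascii")
    if tag == UTC_TIME:
        yy = int(s[:2])
        s = f"{yy + (1900 if yy >= 50 else 2000):04d}{s[2:]}"
    elif tag != GENERALIZED_TIME:
        raise ValueError(f"unexpected tag {tag:#x} where Time expected")
    return datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def crl_validity_window(der):
    """Return (thisUpdate, nextUpdate or None) from a DER CertificateList."""
    _, cert_list, _ = _tlv(der)
    tbs = _children(_children(cert_list)[0][1])   # fields of tbsCertList
    i = 1 if tbs[0][0] == INTEGER else 0          # optional version
    i += 2                                        # signature AlgId, issuer Name
    this_update = _decode_time(*tbs[i])
    next_update = None
    if i + 1 < len(tbs) and tbs[i + 1][0] in (UTC_TIME, GENERALIZED_TIME):
        next_update = _decode_time(*tbs[i + 1])
    return this_update, next_update


def check_crl(der, now, warn_before=timedelta(hours=24)):
    """Classify a CRL relative to the clock 'now' (warn_before is an assumed threshold)."""
    this_update, next_update = crl_validity_window(der)
    if this_update > now:
        return "FUTURE", f"thisUpdate {this_update} is ahead of the clock"
    if next_update is None:
        return "NO_NEXT_UPDATE", "cannot judge freshness; treat as unverified"
    if next_update <= now:
        return "STALE", f"nextUpdate {next_update} has passed; escalate"
    if next_update - now <= warn_before:
        return "EXPIRING", f"nextUpdate {next_update} is within {warn_before}"
    return "OK", f"valid until {next_update}"


# ---- constructed sample input: a tiny DER encoder for the few types needed ----
def _der(tag, content):
    n = len(content)
    if n < 0x80:
        lb = bytes([n])
    else:
        k = (n.bit_length() + 7) // 8
        lb = bytes([0x80 | k]) + n.to_bytes(k, "big")
    return bytes([tag]) + lb + content


def build_sample_crl(this_update, next_update=None):
    """Constructed, unsigned v2 CRL skeleton with the given validity window."""
    alg = _der(SEQUENCE, _der(0x06, bytes.fromhex("2A864886F70D01010B")) + _der(0x05, b""))
    issuer = _der(SEQUENCE, _der(0x31, _der(SEQUENCE,
                  _der(0x06, bytes.fromhex("550403")) + _der(0x13, b"Example Issuing CA"))))
    utc = lambda dt: _der(UTC_TIME, dt.strftime("%y%m%d%H%M%SZ").encode())
    tbs = _der(INTEGER, b"\x01") + alg + issuer + utc(this_update)
    if next_update is not None:
        tbs += utc(next_update)
    # Placeholder signature: this example reasons about freshness only.
    return _der(SEQUENCE, _der(SEQUENCE, tbs) + alg + _der(0x03, bytes(5)))


def demo():
    """Four constructed CRLs checked against a fixed clock -> {label: status}."""
    now = datetime(2024, 1, 15, tzinfo=timezone.utc)
    cases = {
        "fresh": build_sample_crl(now - timedelta(days=1), now + timedelta(days=6)),
        "expiring": build_sample_crl(now - timedelta(days=6), now + timedelta(hours=6)),
        "stale": build_sample_crl(now - timedelta(days=10), now - timedelta(days=1)),
        "no_next_update": build_sample_crl(now - timedelta(days=1)),
    }
    return {label: check_crl(crl, now)[0] for label, crl in cases.items()}


if __name__ == "__main__":
    for label, status in demo().items():
        print(f"{label}: {status}")
```

In a real monitor the DER bytes would come from an HTTP or LDAP fetch of each CDP URL, and a fetch failure is its own alert condition (the CRL is unavailable, which is the outage case the article describes); the signature must also be verified against the issuing CA before the CRL is used for revocation decisions, which this freshness check deliberately does not do.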

[Screenshot: the Verify Now button on the CRL Distribution Points sub-tab]
