CRL and OCSP Monitoring
There are many aspects to keeping your PKI healthy, but often the first thing that alerts you to a problem is a failure of your revocation services.
What we are talking about here are expired CRLs (Certificate Revocation Lists) and failures of the CRL or OCSP (Online Certificate Status Protocol) infrastructure.
Whatever the cause, the end result is that clients relying on certificates issued from your PKI fail validation and reject those certificates.
For example, imagine it's the start of the day and everyone turns up to work with their laptops, ready to log on to the corporate Wi-Fi. You use certificate-based authentication to your network, which is great. But if your CRL or OCSP endpoints are inaccessible to the Wi-Fi authentication system, it will reject those certificates and everyone has a problem logging on.
It's not uncommon for the problem to have started hours or days earlier. You may generate a CRL with a 5-day lifetime but renew it every 48 hours. If the CRL issuance process fails, the current CRL is still good for another 3 days and no one notices, until it expires. If you could detect that the issuance process was failing, you would have had days to rectify it, compared with a hundred users raising support tickets because they are unable to log in and a mad rush to find and fix the problem. That's just stress you don't need.
Fortunately, there is an easy fix for this:
Monitor your CRL and OCSP endpoints
Monitor your CRL and OCSP endpoints to:
- Check they are available where you expect them to be (i.e. a URL or LDAP location)
- Check the CRL files and OCSP responses are valid: not expired, well formed and correctly signed
- Check they are being re-issued when you expect them to be
- Check that OCSP signing certificates are valid and are being re-issued when required
- Alert if any of the above fail
If you monitor these things, you will be alerted and can deal with the issue before users are affected.
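As an added example (not code from the original post or from the Krestfield monitor), here is how the CRL side of that checklist can be implemented with the Go standard library: it parses the CRL, verifies the signature against the expected CA certificate, reports expiry, and raises the early warning from the scenario above, a CRL that is still within its lifetime but was not re-issued on schedule. The test CA, the CRL number, the publication date and the 6-hour grace period are constructed assumptions for the example; the 5-day lifetime and 48-hour re-issue interval are the values from the post.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// CRLHealth is the outcome of one monitoring check against a single CRL.
type CRLHealth struct {
	ThisUpdate, NextUpdate time.Time
	SignatureOK            bool          // signed by the CA certificate we expect
	Expired                bool          // NextUpdate is already in the past
	Overdue                bool          // still valid, but not re-issued when policy says it should have been
	Remaining              time.Duration // time left until NextUpdate (negative once expired)
}

// CheckCRL parses a DER CRL, verifies its signature against the expected issuer and
// evaluates expiry and re-issuance. "now" is a parameter so checks are replayable in tests.
func CheckCRL(der []byte, issuer *x509.Certificate, reissueEvery, grace time.Duration, now time.Time) (CRLHealth, error) {
	crl, err := x509.ParseRevocationList(der)
	if err != nil {
		return CRLHealth{}, fmt.Errorf("CRL is not well formed: %w", err)
	}
	h := CRLHealth{ThisUpdate: crl.ThisUpdate, NextUpdate: crl.NextUpdate, Remaining: crl.NextUpdate.Sub(now)}
	h.SignatureOK = crl.CheckSignatureFrom(issuer) == nil
	h.Expired = !now.Before(crl.NextUpdate)
	// Early warning: still inside its lifetime, but a ThisUpdate older than interval+grace means no new CRL appeared.
	h.Overdue = !h.Expired && now.After(crl.ThisUpdate.Add(reissueEvery+grace))
	return h, nil
}

// Alerts turns a health record into the conditions a monitor should raise.
func Alerts(h CRLHealth) []string {
	var out []string
	if !h.SignatureOK {
		out = append(out, "CRL signature does not verify against the expected CA certificate")
	}
	if h.Expired {
		out = append(out, "CRL expired at "+h.NextUpdate.UTC().Format(time.RFC3339))
	}
	if h.Overdue {
		out = append(out, fmt.Sprintf("CRL not re-issued since %s (still valid for %s)",
			h.ThisUpdate.UTC().Format(time.RFC3339), h.Remaining.Round(time.Hour)))
	}
	return out
}

// NewTestIssuer builds a throwaway CA (constructed for this example) that can sign CRLs.
func NewTestIssuer(now time.Time) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Issuing CA (test)"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(3650 * 24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der) // parse back so SubjectKeyId is populated
	return cert, key, err
}

// IssueTestCRL signs an empty CRL with the given validity window, simulating what the CA publishes.
func IssueTestCRL(issuer *x509.Certificate, key *ecdsa.PrivateKey, number int64, thisUpdate, nextUpdate time.Time) ([]byte, error) {
	tmpl := &x509.RevocationList{Number: big.NewInt(number), ThisUpdate: thisUpdate, NextUpdate: nextUpdate}
	return x509.CreateRevocationList(rand.Reader, tmpl, issuer, key)
}

func main() {
	// The post's scenario: 5-day CRL lifetime, re-issued every 48 hours (the 6h grace is an assumption).
	published := time.Date(2024, 6, 1, 8, 0, 0, 0, time.UTC)
	issuer, key, err := NewTestIssuer(published)
	if err != nil {
		panic(err)
	}
	der, err := IssueTestCRL(issuer, key, 100, published, published.Add(5*24*time.Hour))
	if err != nil {
		panic(err)
	}
	// Three days on: still valid for two more days, but the 48h re-issue never happened.
	h, err := CheckCRL(der, issuer, 48*time.Hour, 6*time.Hour, published.Add(72*time.Hour))
	if err != nil {
		panic(err)
	}
	for _, a := range Alerts(h) {
		fmt.Println("ALERT:", a)
	}
}
```

In production the DER bytes come from an HTTP GET (or LDAP read) of the distribution point, and that fetch is the availability check: a timeout, a non-200 response or a slow access time is itself an alert. The OCSP side of the checklist needs an OCSP client, which the Go standard library does not provide; golang.org/x/crypto/ocsp can build requests and parse and verify responses, and the same freshness logic applies to the response's ThisUpdate and NextUpdate and to the expiry of the responder's signing certificate.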
Check out the Krestfield CRL OCSP Monitor.
The free version allows a limited number of test cases, but all the items mentioned above can be monitored, as well as access times (to catch network delays), CRL file sizes and a range of expected OCSP responses (for example, to verify that the correct 'revoked' responses are returned).
If you want to try out the full version, contact Krestfield Support.