Enabling CRL Verification

IMPORTANT Certificate Revocation and CDP Monitoring is a feature that must be enabled when you install Trust Protection Platform in the Venafi Configuration Console. This module is disabled by default if you are upgrading from a version of Trust Protection Platform prior to 19.2. You will need to enable it manually on at least one engine if you want to do revocation checking and CDP monitoring.

When you enable this module on multiple engines, all must have equal access to all CDP and OCSP endpoints. If a particular engine does not have the same network access as other engines, then the service module should be disabled on that engine with restricted access.

If you see sporadic network access or "unable to connect" statuses for your CDP or OCSP endpoints (either in the Roots tree, or in the logs), it is likely that one of your engines does not have access to reach those endpoints.

CDP Monitoring and Revocation Checking does not honor engine partitioning in the Policy tree.

On a new installation, by default, the CRL Verification Service is enabled to verify the status of Certificate Revocation Lists (CRLs). Trust Protection Platform verifies CRLs on a configurable basis (at least every 24 hours). It is possible to enable the CRL Verification Service for all engines or on individual Trust Protection Platform engines.

You can also enable or disable individual CRL Distribution Points (CDPs). All CDPs are enabled by default when they are added automatically.

NOTE It is not recommended to use the HTTPS protocol to update your CDPs. CDP servers are typically configured to use HTTP. If a CRL retrieval fails, verify that you are using HTTP.

CDP Status Result Options

When the CRL Verification checks the CDP, the following statuses are possible results.

Success
Not supported
Unable to retrieve the data using the end point: {error}
Unable to parse the data node: {error}
The Delta CRL is specified for an older CRL than the one currently being used.
The CRL is newer than the Delta CRL is specifiying.
Expired on {date}
Expires on {date}

The status is shown on the CRL Distribution Points list, in the Status column.

At any point, you can click the Verify Now to immediately validate the highlighted CRL Distribution Point.

NOTE When you click Verify Now, the validation check happens immediately, and the next scheduled check will be skipped for performance reasons. The normal schedule will resume at the next check interval.

The status is also shown as part of the Revocation Result on the Certificate Summary tab when you select a certificate in the Policy tree.

NOTE This only validates the single row that is highlighted. If you wish to verify all endpoints listed in the table, you will need to verify them one-by-one.

To Modify CRL Verification for all engines

From the Tree menu, select Platforms.
Select the root of the Platforms tree.
Click the Certificate Revocation tab.

Under Settings, click the Check in Interval (times daily) drop-down list and select the number of times you want to perform CRL verification.

Value	Additional Information
1	Check once per day at 12:00 AM (based on the time zone set for the engine that is assigned to perform the work).
2	Check twice per day 12-hour intervals.
3	Check three times per day 8-hour intervals.
4	Check four times per day at 6-hour intervals.
6	Check six times per day at 4-hour intervals.
8	Check eight times per day at 3-hour intervals.
12	Check twelve times per day at 2-hour intervals.
24	Check every hour.

NOTE For all intervals except daily, the time interval begins when Trust Protection Platform services are enabled on that engine. Thus, checking begins for an engine when you restart services. There are controls in place to ensure a certificate's revocation status isn't checked too frequently. If a certificate's revocation status has been checked recently, the next scheduled revocation check will be skipped.