Enabling CRL Verification
IMPORTANT Certificate Revocation and CDP Monitoring is a feature that must be enabled when you install Trust Protection Platform in the Venafi Configuration Console. This module is disabled by default if you are upgrading from a version of Trust Protection Platform prior to 19.2. You will need to enable it manually on at least one engine if you want to do revocation checking and CDP monitoring.
When you enable this module on multiple engines, all must have equal access to all CDP and OCSP endpoints. If a particular engine does not have the same network access as other engines, then the service module should be disabled on that engine with restricted access.
If you see sporadic network access or "unable to connect" statuses for your CDP or OCSP endpoints (either in the Roots tree, or in the logs), it is likely that one of your engines does not have access to reach those endpoints.
CDP Monitoring and Revocation Checking does not honor engine partitioning in the Policy tree.
On a new installation, by default, the CRL Verification Service is enabled to verify the status of Certificate Revocation Lists (CRLs). Trust Protection Platform verifies CRLs on a configurable basis (at least every 24 hours). It is possible to enable the CRL Verification Service for all engines or on individual Trust Protection Platform engines.
You can also enable or disable individual CRL Distribution Points (CDPs). All CDPs are enabled by default when they are added automatically.
NOTE It is not recommended to use the HTTPS protocol to update your CDPs. CDP servers are typically configured to use HTTP: the CRL is signed by the issuing CA, so its integrity does not depend on the transport, and fetching it over HTTPS would itself require a revocation check of the CDP server's certificate. If a CRL retrieval fails, verify that you are using HTTP.
When the CRL Verification Service checks a CDP, the result is one of the following statuses.
- Success
- Not supported
- Unable to retrieve the data using the end point: {error}
- Unable to parse the data node: {error}
- The Delta CRL is specified for an older CRL than the one currently being used.
- The CRL is newer than the Delta CRL is specifying.
- Expired on {date}
- Expires on {date}
The status is shown on the CRL Distribution Points list, in the Status column.
At any point, you can click Verify Now to immediately validate the highlighted CRL Distribution Point.
NOTE When you click Verify Now, the validation check happens immediately, and the next scheduled check will be skipped for performance reasons. The normal schedule will resume at the next check interval.
The status is also shown as part of the Revocation Result on the Certificate Summary tab when you select a certificate in the Policy tree.
NOTE This only validates the single row that is highlighted. If you wish to verify all endpoints listed in the table, you will need to verify them one-by-one.
- From the Tree menu, select Platforms.
- Select the root of the Platforms tree.
- Click the Certificate Revocation tab.
- Under Settings, click the Check in Interval (times daily) drop-down list and select the number of times you want to perform CRL verification.
| Value | Additional Information |
|---|---|
| 1 | Check once per day at 12:00 AM (based on the time zone set for the engine that is assigned to perform the work). |
| 2 | Check twice per day at 12-hour intervals. |
| 3 | Check three times per day at 8-hour intervals. |
| 4 | Check four times per day at 6-hour intervals. |
| 6 | Check six times per day at 4-hour intervals. |
| 8 | Check eight times per day at 3-hour intervals. |
| 12 | Check twelve times per day at 2-hour intervals. |
| 24 | Check every hour. |
NOTE For all intervals except daily, the time interval begins when Trust Protection Platform services are enabled on that engine. Thus, checking begins for an engine when you restart services. There are controls in place to ensure a certificate's revocation status isn't checked too frequently. If a certificate's revocation status has been checked recently, the next scheduled revocation check will be skipped.
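The scheduling rules above (daily checks anchored at 12:00 AM engine-local time, all other intervals anchored at service start, and a scheduled check skipped when the status was refreshed recently) are easy to get wrong when reasoning about when an engine will next run. The following is an added example, not code from Trust Protection Platform; it models those rules in Python. The one-hour `min_gap` and the sample engine time zone and timestamps are constructed assumptions, since the page does not say what "recently" means.

```python
from datetime import datetime, timedelta, timezone
from typing import Optional

# The "Check in Interval (times daily)" choices from the table above.
VALID_TIMES_DAILY = (1, 2, 3, 4, 6, 8, 12, 24)


def interval_hours(times_daily: int) -> int:
    """Hours between checks for a times-daily setting (e.g. 6 -> 4-hour intervals)."""
    if times_daily not in VALID_TIMES_DAILY:
        raise ValueError(f"unsupported times-daily value: {times_daily}")
    return 24 // times_daily


def next_scheduled_check(times_daily: int, service_start: datetime, now: datetime) -> datetime:
    """Return the next scheduled check time after `now`.

    All datetimes are timezone-aware in the engine's configured zone. Daily checks run at
    12:00 AM engine-local time; every other interval counts from when the engine's
    services were started, so a service restart moves the schedule.
    """
    if times_daily == 1:
        midnight = now.replace(hour=0, minute=0, second=0, microsecond=0)
        return midnight + timedelta(days=1)
    step = timedelta(hours=interval_hours(times_daily))
    # whole steps already elapsed since service start, then the next boundary after `now`
    elapsed_steps = (now - service_start) // step
    return service_start + (elapsed_steps + 1) * step


def should_run(scheduled: datetime, last_checked: Optional[datetime],
               min_gap: timedelta = timedelta(hours=1)) -> bool:
    """Skip a scheduled check if the revocation status was refreshed less than `min_gap`
    before it (for example after a manual Verify Now). `min_gap` is an assumed value."""
    return last_checked is None or scheduled - last_checked >= min_gap


# Constructed sample: an engine in UTC-5 whose services started at 09:30, observed at 22:00.
ENGINE_TZ = timezone(timedelta(hours=-5))
SAMPLE_START = datetime(2024, 1, 1, 9, 30, tzinfo=ENGINE_TZ)
SAMPLE_NOW = datetime(2024, 1, 1, 22, 0, tzinfo=ENGINE_TZ)

if __name__ == "__main__":
    for times in (1, 6, 24):
        nxt = next_scheduled_check(times, SAMPLE_START, SAMPLE_NOW)
        print(f"{times:2d}x daily -> next check {nxt.isoformat()}")
    # a check scheduled right after a manual verification is skipped
    print("run after fresh check:", should_run(SAMPLE_NOW, SAMPLE_NOW))
```

With six checks per day the engine above runs at 09:30, 13:30, 17:30, 21:30 and then 01:30 the next morning, whereas the daily setting ignores the start time and runs at midnight.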
- From the Platform menu bar, click Policy Tree.
- Select the Platforms tree.
- Select the engine on which you want to enable CRL Verification.
- Select the Certificate Revocation module in the tree below the engine.
- Click the Settings tab.
- Under Disable this module, select the Disable this module check box, and then click Save.
- Select the Roots tree.
- Select the CA certificate.
- Select the CRL Verification > CRL Distribution Points tab.
- Click on the CDP entry that you want to enable or disable.
- Click Edit.
- Select or clear the Disable Verification checkbox.
You can modify when you want to be notified if a CRL is about to expire. This setting is based on the percentage of time before a CRL expires because different CRLs will have different validity periods. By setting the notification percentage, you don't have to worry about knowing a specific CRL's validity period before you can select an appropriate expiration notification percentage.
- Select the Roots tree.
- Select the Settings > CRL Verification tab.
- Choose the Expiry Notification Percentage.
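The status list earlier on this page (Success, Expired on, Expires on, and the two Delta CRL messages) and the Expiry Notification Percentage setting both derive from the same parsed CRL fields: thisUpdate, nextUpdate, the CRL Number extension and, on a delta CRL, the Delta CRL Indicator. The following Python is an added example, not Trust Protection Platform code, showing how those fields yield each status and when a percentage-based expiry notification becomes due. Retrieval and ASN.1 parsing are left out (the `CrlInfo` values are constructed), and the mapping of the two Delta CRL conditions onto the page's wording is an assumption of this example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass
class CrlInfo:
    """Fields of an already parsed CRL (constructed sample data; no fetching or parsing here)."""
    this_update: datetime
    next_update: datetime
    crl_number: int                        # CRL Number extension (RFC 5280 5.2.3)
    base_crl_number: Optional[int] = None  # Delta CRL Indicator (RFC 5280 5.2.4); delta CRLs only


def delta_mismatch(base: CrlInfo, delta: CrlInfo) -> Optional[str]:
    """Check a delta CRL against the base CRL currently in use; None means consistent.

    Assumed mapping: a delta whose indicator names a base older than ours gives the first
    page message; a delta whose own number does not exceed the base's (RFC 5280 requires
    it to be greater) gives the second.
    """
    if delta.base_crl_number is None:
        return "Unable to parse the data node: delta CRL has no Delta CRL Indicator extension"
    if delta.base_crl_number > base.crl_number:
        # our base is too old for this delta; the base must be refetched (not modelled here)
        raise ValueError("base CRL is older than the delta CRL requires")
    if delta.base_crl_number < base.crl_number:
        return "The Delta CRL is specified for an older CRL than the one currently being used."
    if delta.crl_number <= base.crl_number:
        return "The CRL is newer than the Delta CRL is specifying."
    return None


def expiry_notification_due(crl: CrlInfo, now: datetime, pct: float) -> bool:
    """True once `pct` percent of the validity window (thisUpdate..nextUpdate) has elapsed,
    so the threshold adapts to each CRL's own validity period."""
    validity = crl.next_update - crl.this_update
    if validity <= timedelta(0):
        return True  # degenerate window: treat as already due
    return (now - crl.this_update) / validity * 100 >= pct


def crl_status(base: CrlInfo, now: datetime, pct: float,
               delta: Optional[CrlInfo] = None) -> str:
    """Produce one of the page's status strings for a base CRL (and optional delta)."""
    if base.next_update <= now:
        return f"Expired on {base.next_update.isoformat()}"
    if delta is not None:
        problem = delta_mismatch(base, delta)
        if problem:
            return problem
    if expiry_notification_due(base, now, pct):
        return f"Expires on {base.next_update.isoformat()}"
    return "Success"


# Constructed sample data: a 14-day base CRL observed 9.5 days into its validity.
UTC = timezone.utc
NOW = datetime(2024, 3, 10, 12, 0, tzinfo=UTC)
LATER = datetime(2024, 3, 16, tzinfo=UTC)
BASE = CrlInfo(datetime(2024, 3, 1, tzinfo=UTC), datetime(2024, 3, 15, tzinfo=UTC), crl_number=100)
GOOD_DELTA = CrlInfo(datetime(2024, 3, 9, tzinfo=UTC), datetime(2024, 3, 11, tzinfo=UTC),
                     crl_number=105, base_crl_number=100)
OLD_BASE_DELTA = CrlInfo(datetime(2024, 3, 9, tzinfo=UTC), datetime(2024, 3, 11, tzinfo=UTC),
                         crl_number=105, base_crl_number=95)
STALE_DELTA = CrlInfo(datetime(2024, 3, 9, tzinfo=UTC), datetime(2024, 3, 11, tzinfo=UTC),
                      crl_number=99, base_crl_number=100)

if __name__ == "__main__":
    print("80% threshold:", crl_status(BASE, NOW, 80))
    print("60% threshold:", crl_status(BASE, NOW, 60))
    print("consistent delta:", crl_status(BASE, NOW, 80, GOOD_DELTA))
    print("delta for older base:", crl_status(BASE, NOW, 80, OLD_BASE_DELTA))
    print("delta older than base:", crl_status(BASE, NOW, 80, STALE_DELTA))
    print("after nextUpdate:", crl_status(BASE, LATER, 80))
```

With the sample base CRL, 67.9% of the validity window has elapsed, so a 60% Expiry Notification Percentage reports "Expires on" while 80% still reports Success; the same code applied to a CRL with a 2-day validity would notify at the same fraction without any per-CRL tuning.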