CRL Monitor supports X.509 v1 and v2 CRLs, including direct and indirect CRLs, ARLs, and delta CRLs.
In some cases it is desirable to download CRLs and then publish them locally to avoid a single point of failure, reduce network bandwidth for large enterprises and meet local security policies. CRL Monitor allows such re-publishing of CRLs.
CRL Monitor has an advanced web-based GUI to help set up trusted CAs and their CRL processing policies.
You can select which members of the operations and management teams receive which error reports and summary reports, either by email or SMS. CRL Monitor provides a wide range of CRL-related events that can be monitored.
Ascertia CRL Monitor provides an automated test service that enables an administrator to easily detect CRL publishing failures or irregularities. It is a must-have product for any organisation providing PKI services. With CRL Monitor, you can identify issues and fix unexpected conditions before your users report them to you! CRL Monitor is also very useful for organisations that consume CRLs, i.e. relying party organisations. They can monitor the service and easily compare this with the Service Level Agreement (SLA). Key management reports can be produced at any time for any registered CA.
CRL Monitor maintains logs on all CRL operations completed so that detailed reports can be produced for specific dates. CRL Monitor also provides CRL retrieval statistics in tabular and graphical formats.
CRL Monitor runs continuously and can operate in a high availability configuration using multiple CRL Monitor instances. When used like this, if the current master CRL Monitor instance fails, the next available slave instance automatically assumes control and continues to retrieve and check the defined CRLs, ensuring that monitoring is not affected by a single point of failure.
It is often necessary to keep an archive of all the CRLs that have been issued, either for historical digital signature verification or to resolve disputes that may arise in future. CRL Monitor not only keeps an archived copy of each CRL it retrieves but also provides management and searching capability over the entire CRL dataset. This simply and easily allows administrators to determine within which CRL a particular certificate was first identified as revoked.
All production CRLs can be checked to verify their integrity and availability, i.e. that there is no file corruption either through a publishing failure or an operational/network issue or even an attack on the core trust services.
CRL Monitor can be configured to generate alerts when a wide variety of events occur, including:
Reports can be created from the CRL Monitor log viewer to provide evidence of SLA performance.
CRL Monitor provides immediate real-time feedback on CRL issues as they arise. Where PKI services are used it is often assumed that they are functioning correctly and will continue to do so - this is often not the case. Use CRL Monitor to check for expected and unexpected behaviors.
CRL Monitor tests the status of a CRL publishing service by downloading and checking the CRLs at predefined intervals. It can check that CRLs are updated as expected before their expiry date, giving service providers valuable hours in which to act to avoid trust issues. This is the only fully effective way to ensure a PKI is operating as it should. Multiple CAs can be monitored using specific CRL polling and validation policy settings.
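The update-before-expiry check described above can be illustrated with a short script. This is an added example, not Ascertia's code: it reads thisUpdate and nextUpdate from a DER-encoded CRL and classifies its freshness. The function names, status strings, the 6-hour warning window and the sample CRL are assumptions made for illustration, and the CRL signature is not verified here.

```python
from datetime import datetime, timedelta, timezone

def read_tlv(buf, pos, expect=None):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the count of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf) or expect not in (None, tag):
        raise ValueError("truncated or unexpected DER element")
    return tag, buf[pos:pos + length], pos + length

def parse_time(tag, value):
    text = value.decode("ascii")
    if tag == 0x17:  # UTCTime: RFC 5280 reads YY >= 50 as 19YY, else 20YY
        text = ("19" if int(text[:2]) >= 50 else "20") + text
    elif tag != 0x18:  # only GeneralizedTime is left as a valid Time
        raise ValueError("expected UTCTime or GeneralizedTime")
    return datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def crl_update_times(der_crl):
    """Read (thisUpdate, nextUpdate) from a DER CRL; the signature is NOT verified."""
    _, cert_list, _ = read_tlv(der_crl, 0, expect=0x30)
    _, tbs, _ = read_tlv(cert_list, 0, expect=0x30)
    pos = read_tlv(tbs, 0)[2] if tbs[0] == 0x02 else 0  # skip optional version
    for _ in range(2):  # skip signature AlgorithmIdentifier, then issuer Name
        _, _, pos = read_tlv(tbs, pos, expect=0x30)
    tag, value, pos = read_tlv(tbs, pos)
    this_update, next_update = parse_time(tag, value), None
    if pos < len(tbs) and tbs[pos] in (0x17, 0x18):  # nextUpdate is OPTIONAL
        next_update = parse_time(*read_tlv(tbs, pos)[:2])
    return this_update, next_update

def freshness(der_crl, now, warn_before=timedelta(hours=6)):
    this_update, next_update = crl_update_times(der_crl)
    if next_update is None:
        return "NO_NEXT_UPDATE"
    if not this_update <= now < next_update:
        return "NOT_YET_VALID" if now < this_update else "EXPIRED"
    return "EXPIRING_SOON" if next_update - now <= warn_before else "OK"

def sample_crl(this_update, next_update=None):
    """Constructed sample CRL with dummy signature bits, for exercising the check."""
    def der(tag, body):  # short-form length: every element here is < 128 bytes
        return bytes([tag, len(body)]) + body
    alg = der(0x30, der(0x06, bytes.fromhex("2a864886f70d01010b")) + der(0x05, b""))
    cn = der(0x30, der(0x06, bytes.fromhex("550403")) + der(0x0C, b"Example CA"))
    tbs = der(0x02, b"\x01") + alg + der(0x30, der(0x31, cn)) + der(0x17, this_update)
    tbs += der(0x17, next_update) if next_update else b""
    return der(0x30, der(0x30, tbs) + alg + der(0x03, b"\x00" * 9))
```

A monitor built on this would treat any exception raised while parsing as a corrupt or truncated CRL and alert on it, alongside the EXPIRING_SOON and EXPIRED states.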
CRL Monitor allows valid CRLs that it has downloaded to be re-published in a location where other systems and users can access them. This may be at a central location or a remote location. Used locally, this enables remote systems to minimise network bandwidth and ensure maximum availability. Network configurations that use local clients (such as Ascertia’s ADSS Server and ARP products) can use local CRL resources to advantage. Government systems in particular are concerned about disaster recovery and operational continuity, and CRL Monitor can play an important role here.
For high availability PKI environments, CRL Monitor can be configured to use multiple CRL distribution points (LDAP or HTTP) for each CA, allowing it to access alternate locations should the primary resource become unavailable.
CRL Monitor is a standard J2EE application and is supported on Windows, Linux (CentOS, SUSE) and Solaris (x86 and SPARC). Other UNIX flavours can also be supported upon request.
All CRL Monitor configurations and transaction logs are stored within a DBMS; however, because of our use of Hibernate® technology, it is DBMS independent. We support SQL Server, Oracle, MySQL and PostgreSQL.
CRL Monitor relies completely on open PKI standards so it can work with any CA and indirect CRL issuer. CRLs can be retrieved using HTTP/S and LDAP/S repositories. We have taken away all the complexities of interoperability!