PKI Spotlight Feature
CDP/AIA URL Automated Checks and Pre-Failure CRL Error Detection 

Automated and exhaustive checks for CRL errors and pending expirations. PKI Spotlight is the first product to check for publish failures prior to the expiration of the CRL, saving valuable hours to resolve issues before they impact the business.

CDP/AIA URL Checks in Action

What are CDP/AIA URL Automated Checks?

The CRL monitoring and Best Practice enforcement rules in PKI Spotlight address the most common causes of CRL errors and PKI outages. Expired CRLs are one of the most common causes of business-wide outages that organizations face, often multiple times a year. CRL issues can also degrade security posture, because individual devices and products may fail “open” when encountering an expired CRL.

  • Automatically track and alert on CRL and CA certificate expirations for offline Certificate Authorities (CAs).
  • Automatically track and alert on CRL and CA certificate expirations for online CAs.
  • Scheduled and automated checks for the validity of the CDP, AIA and OCSP paths.
  • Integrity checks of CRL, Delta CRL, and AIA certificate files.
  • Alert thresholds can be configured to escalate errors from checks and pending expiration events.

CRL and CA Certificate Expiration Best Practices 

What is the CRL Publish Failure Detection Best Practice Check?

  • PKI Spotlight checks for publish failures prior to the expiration of the CRL.
  • PKI Spotlight proactively alerts admins on CRL publishing errors that can cause outages. 

Why does it matter?

Almost all monitoring systems, including Certificate Lifecycle Management tools, generic network monitors, and in-house custom scripts, wait to detect whether a CRL has expired. In essence, they alert if a CRL is found past event C. By then, it’s too late: the organization is already impacted. If there was a CA corruption or hardware failure, it could take considerable time to recover. At best, you are in a race against the clock to prevent massive outages in the organization.

What are Advanced Notifications for CRL, Delta CRLs, and CA certificate expirations?

  • PKI Spotlight automatically checks and alerts for base CRL, delta CRLs and CA certificates prior to expiration. 

What are Expired Base and Delta CRLs?

  • Automated alerts on expired base CRLs and delta CRLs

Why Does It Matter?

CRL errors are the most common cause of PKI outages, which in turn have a direct business impact. These outages reduce end-user productivity and hinder revenue-generating functions such as point-of-sale devices. CRL errors also create unintended and hard-to-trace security consequences, because applications handle CRL errors differently. Some fail completely, and others fail but still grant access.

On average, an organization can experience 1-2 outages a year caused by CRL-related errors. Mean Time to Recovery (MTTR) tends to be long due to the following factors:

  • Error messages are generic, such as "login failed" or "access denied".
  • Information required to troubleshoot the root cause is scattered across tools and hard-to-access settings in files and registry keys.
  • Multiple IT teams get pulled in to eliminate the root cause.
  • Recovery checks need to be made for the PKI and the dependent services to avoid unintended and risky consequences of CRL checks failing.

Likelihood of an outage caused by CRLs

Med to High

Business Impact of an outage caused by CRLs


Security Risk Impact of CRL Errors


Nick Sirikulbut