CRL Monitor

Built for people who manage PKIs

CRL Monitor is an easy to use tool that proactively monitors Certificate Revocation Lists (CRLs) to ensure they are available and up to date. If a CRL is unavailable or has not been updated by an expected time, CRL Monitor will issue an alert to notify you.

• Checks CRLs are available
• Checks CRLs are fresh and updated as expected
• Sends alerts if CRL not available or not fresh
• Provides detailed reports

Overview

For the status of a certificate to be determined an up to date CRL must be available to the users of your PKI. If the CRL is not available or is stale (has expired) relying systems will start to fail. This can be extremely disruptive and in many environments can lead to a serious incident. For this reason, it is important to have proactive monitoring of your CRLs. CRL Monitor can reduce the risk of CRLs being allowed to go stale by periodically querying your CRLs to check for freshness and availability.

CRL Monitor is a pure .NET console application. Using a list of CRL URIs, CRL Monitor will report the expiration status of each CRL it finds. It provides detailed CSV reports of the CRL information collected; the report format is suitable for importing into other applications such as a spreadsheet or database. While running, CRL Monitor can write CRL details to a DOS command window to provide feedback on its progress. In addition, alerts and a summary report can be sent to one or more email recipients. CRL Monitor can be run manually from a DOS command window or called periodically by the Windows Scheduler.

CRL Monitor Reports

By looking down the ExpiryStatus column of a report, you can quickly get a handle on the status of all your CRLs. You can configure the number of days before CRL expiry the status in the report changes from OK to EXPIRING. The table below describes each of the fields from the report.

Table 1. CRL Report Fields