CRL OCSP Monitor

Category:
Revocation Monitoring & PKI Availability

Overview

Unsung's partnership with Krestfield extends beyond certificate lifecycle management to the CRL OCSP Monitor, a dedicated tool for monitoring the health and availability of certificate revocation services. As a Value-Added Solutions Provider, we help clients close one of the most common and least visible causes of PKI outages: the failure or expiry of the revocation infrastructure that certificate validation depends on.

The Challenge

Certificate validation does not end with the certificate itself. Relying systems check whether a certificate has been revoked, using either a Certificate Revocation List (CRL) or the Online Certificate Status Protocol (OCSP). If those revocation services expire, become unreachable, or begin returning incorrect responses, certificates that are otherwise valid start to fail validation, and the systems that depend on them stop working.

The difficulty is that these failures are often invisible until they cause an outage. A CRL issued with a five-day lifetime but renewed every 48 hours will continue to be accepted for several days after the renewal process quietly fails, so no one notices until it expires and validation breaks across the estate. Monitoring only whether an OCSP endpoint is reachable is not enough, because an endpoint that responds can still be returning the wrong answer. For organisations using certificate-based authentication, the impact is immediate and widespread: users unable to connect, services unable to communicate, and an incident whose root cause began hours or days earlier.

What It Does

  • Detailed revocation monitoring. The tool monitors CRL distribution points and OCSP responders in detail, tracking not just availability but the correctness of the responses returned, so misconfigurations are caught before they affect operations.
  • Response validation. All OCSP response types, including Good, Revoked, Unknown, and Error, can be configured and checked, confirming that endpoints return the correct status rather than simply responding.
  • Early expiry alerting. The tool alerts on the upcoming expiry of CRLs and OCSP signing certificates, giving teams time to act before validation is affected rather than reacting to an outage after the fact.
  • Concurrent monitoring. Multiple CRL endpoints and OCSP servers can be monitored at the same time, including both an organisation's own revocation services and any external ones its systems depend on.
  • Additional checks. Access times, CRL file sizes, and other operational indicators can be monitored, helping identify network or performance issues alongside expiry and availability.
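The failure mode described under The Challenge, and the expiry, correctness and size checks listed above, can be made concrete with a small monitor. The code below is an added example written for this page; it is not Krestfield's or Unsung's code and it does not fetch anything over the network. It works on constructed CRL metadata (thisUpdate, nextUpdate, expected renewal interval) and constructed OCSP answers rather than parsed DER, and the names `CrlObservation`, `OcspProbe`, `OcspResponse`, the thresholds and the timestamps are all assumptions. The point it demonstrates is the staleness check: a CRL whose renewal job has silently stopped is still accepted by relying parties until nextUpdate, so a monitor that only tests "is the CRL valid right now" reports green for days, whereas comparing the CRL's age against the expected publication interval raises the alert within hours.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional


@dataclass
class CrlObservation:
    """What a monitor records after fetching one CRL (all values here are constructed)."""
    name: str                    # label for the distribution point being watched
    this_update: datetime        # when the CA issued this CRL
    next_update: datetime        # after this, relying parties treat the CRL as expired
    expected_renewal: timedelta  # how often the CA is supposed to publish a fresh CRL
    size_bytes: int = 0          # fetched file size, for the "additional checks" category


def check_crl(obs: CrlObservation, now: datetime,
              expiry_warning: timedelta = timedelta(hours=24),
              renewal_slack: timedelta = timedelta(hours=6),
              max_size_bytes: Optional[int] = None) -> List[str]:
    """Return alert strings for one CRL. The staleness test fires while nextUpdate
    is still in the future, i.e. while validation still succeeds, because a CRL
    older than expected_renewal + renewal_slack means publication has already failed."""
    findings = []
    remaining = obs.next_update - now
    if remaining <= timedelta(0):
        findings.append(f"CRITICAL {obs.name}: CRL expired at {obs.next_update.isoformat()}")
    elif remaining <= expiry_warning:
        findings.append(f"WARNING {obs.name}: CRL expires in {remaining}")
    age = now - obs.this_update
    if age > obs.expected_renewal + renewal_slack:
        findings.append(f"WARNING {obs.name}: CRL is stale, issued {age} ago "
                        f"but renewal is expected every {obs.expected_renewal}")
    if max_size_bytes is not None and obs.size_bytes > max_size_bytes:
        findings.append(f"WARNING {obs.name}: CRL is {obs.size_bytes} bytes, limit {max_size_bytes}")
    return findings


@dataclass
class OcspProbe:
    """A serial with a known correct answer, used to test a responder's correctness."""
    responder: str
    serial: int
    expected: str  # "good", "revoked", or "unknown" (a serial the CA never issued)


@dataclass
class OcspResponse:
    """The parts of a responder's answer the monitor needs (constructed, not parsed)."""
    status: str                                  # "good", "revoked", "unknown" or "error"
    error: str = ""                              # responder error name when status == "error"
    signer_not_after: Optional[datetime] = None  # notAfter of the OCSP signing certificate


def check_ocsp(probe: OcspProbe, resp: OcspResponse, now: datetime,
               expiry_warning: timedelta = timedelta(days=14)) -> List[str]:
    """Return alert strings for one probe. A responder that answers but gives the
    wrong status for a known serial is treated as seriously as one that is down."""
    findings = []
    if resp.status == "error":
        findings.append(f"CRITICAL {probe.responder}: responder error '{resp.error}' "
                        f"for serial {probe.serial:x}")
    elif resp.status != probe.expected:
        findings.append(f"CRITICAL {probe.responder}: serial {probe.serial:x} returned "
                        f"'{resp.status}', expected '{probe.expected}'")
    if resp.signer_not_after is not None:
        remaining = resp.signer_not_after - now
        if remaining <= timedelta(0):
            findings.append(f"CRITICAL {probe.responder}: OCSP signing certificate expired")
        elif remaining <= expiry_warning:
            findings.append(f"WARNING {probe.responder}: OCSP signing certificate expires in {remaining}")
    return findings


def failed_renewal_timeline() -> dict:
    """Replay the scenario in the text: a CRL with a five-day lifetime that is
    normally renewed every 48 hours, after the renewal job silently stops."""
    issued = datetime(2024, 1, 1, tzinfo=timezone.utc)  # constructed timestamp
    crl = CrlObservation("example-ca-crl", issued, issued + timedelta(days=5),
                         expected_renewal=timedelta(hours=48), size_bytes=40_000)
    return {hours: check_crl(crl, issued + timedelta(hours=hours))
            for hours in (47, 60, 100, 121)}


def responder_correctness_scenario() -> List[str]:
    """Three probes against a constructed responder whose signing certificate is ten
    days from expiry: a revoked serial it wrongly reports as good, a good serial
    answered correctly, and an unknown serial that hits a responder error."""
    now = datetime(2024, 1, 1, tzinfo=timezone.utc)
    signer_exp = now + timedelta(days=10)
    cases = [
        (OcspProbe("ocsp.example", 0x1001, "revoked"), OcspResponse("good", signer_not_after=signer_exp)),
        (OcspProbe("ocsp.example", 0x1002, "good"), OcspResponse("good", signer_not_after=signer_exp)),
        (OcspProbe("ocsp.example", 0x1003, "unknown"), OcspResponse("error", error="tryLater")),
    ]
    # the signing-certificate warning repeats per probe; keep the first occurrence only
    return list(dict.fromkeys(f for probe, resp in cases for f in check_ocsp(probe, resp, now)))


if __name__ == "__main__":
    for hours, findings in failed_renewal_timeline().items():
        print(f"{hours:>4}h after issue: {findings or ['OK']}")
    for finding in responder_correctness_scenario():
        print(finding)
```

In the replayed timeline the CRL is still accepted by every relying party at 60 hours, yet the staleness check already reports that a renewal has been missed; the expiry warning and the hard failure follow at 100 and 121 hours. The OCSP side shows why reachability alone is insufficient: the responder answers the revoked serial, but with the wrong status, and that is raised as a critical finding alongside the signing-certificate expiry warning.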

How Unsung Helps

We help clients identify where revocation checking sits in their environment, which internal and external endpoints their systems rely on, and where the gaps in monitoring are. We then design and implement CRL OCSP Monitor to provide continuous assurance over those services, integrating it into existing operational processes so alerts reach the right people in time to act. This work complements our wider certificate lifecycle management and PKI health check services, where revocation availability is assessed as part of the overall resilience of the PKI estate.