KB Article #176567

How does SV decide when to download a CRL?

Problem

* How does SV decide when to download a new CRL?

Resolution

-- SV uses the following algorithm to determine what to do:

  1. When a request for validation comes in, the cache (if enabled) is searched for a CRL for the CA.
  2. If there is no CRL in the cache, it is downloaded from the specified location.
    a. If the current time is less than the CRL expiration (now < nextUpdate), the CRL is used. If the cache is enabled, the CRL is also saved in the cache.
    b. If the retrieved CRL is expired (now > nextUpdate):
      i. If the CRL validity has not been extended (VC_ALLOW_EXPIRED_CRL=0), the CRL is rejected and the next validation method (if configured) is used.
      ii. Conversely, if an extended validity period has been configured (VC_ALLOW_EXPIRED_CRL>0):
        1. and the current time falls within the extension (now > nextUpdate and now < nextUpdate + VC_ALLOW_EXPIRED_CRL), the CRL is used, but it is not cached;
        2. if the current time is past the validity extension (now > nextUpdate + VC_ALLOW_EXPIRED_CRL), the CRL is rejected and the next validation method (if configured) is used.
  3. If there is a CRL in the cache:
    a. If the current time is less than the CRL expiration (now < nextUpdate), the CRL in the cache is used.
    b. If the CRL in the cache is expired (now > nextUpdate), SV tries to download a new CRL.
      i. If the CRL download is successful:
        1. If the new CRL is different from the cached CRL, SV goes back to step 2, as if there had been no cached CRL.
        2. If the new CRL is the same as the cached CRL (or the LDAP/HTTP server reports that it is unchanged via the Last-Modified header, or a local file via its modification time), SV performs the actions in step 3.b.ii.
      ii. If the CRL download is not successful:
        1. If there is no extended CRL validity period configured (VC_ALLOW_EXPIRED_CRL=0), the validation fails and the next validation method (if configured) is used.
        2. If an extended CRL validity period has been configured (VC_ALLOW_EXPIRED_CRL>0):
          i. and the current time falls within the extension (now > nextUpdate and now < nextUpdate + VC_ALLOW_EXPIRED_CRL), the CRL is used;
          ii. if the current time is past the validity extension (now > nextUpdate + VC_ALLOW_EXPIRED_CRL), the validation fails and the next validation method (if configured) is used.
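The decision procedure above, written out as an added Python example (this is not SV's own code): `select_crl` walks steps 1 to 3 for one validation request with the cache enabled, taking the current time, the cache, a `download` callback and the VC_ALLOW_EXPIRED_CRL extension as a `timedelta`. The `Crl` record, its `stamp` field (standing in for whatever SV compares to decide "same CRL") and the handling of a failed download with an empty cache are assumptions, since the article does not describe them.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable, Dict, Optional

# Hypothetical minimal CRL record; 'stamp' stands in for whatever is compared to
# decide "same CRL" (CRL bytes, Last-Modified header, or file modification time).
@dataclass(frozen=True)
class Crl:
    issuer: str
    next_update: datetime   # the CRL's nextUpdate field
    stamp: str

@dataclass(frozen=True)
class Decision:
    outcome: str            # "USE_CRL" or "NEXT_METHOD"
    crl: Optional[Crl]      # the CRL actually used, if any
    written_to_cache: bool  # True only when a fresh, unexpired CRL was stored

def _use_expired(crl: Crl, now: datetime, allow_expired: timedelta) -> Decision:
    """Steps 2.b and 3.b.ii: an expired CRL is usable only while now falls inside
    the VC_ALLOW_EXPIRED_CRL extension, and it is never written to the cache."""
    if allow_expired > timedelta(0) and now < crl.next_update + allow_expired:
        return Decision("USE_CRL", crl, False)
    return Decision("NEXT_METHOD", None, False)

def _evaluate_download(issuer: str, crl: Optional[Crl], now: datetime,
                       cache: Dict[str, Crl], allow_expired: timedelta) -> Decision:
    """Step 2: decide on a freshly downloaded CRL as if nothing were cached."""
    if crl is None:  # download failed with nothing cached: not covered by the
        return Decision("NEXT_METHOD", None, False)  # article, assumed to fall through
    if now < crl.next_update:                    # step 2.a: current, use and cache it
        cache[issuer] = crl
        return Decision("USE_CRL", crl, True)
    return _use_expired(crl, now, allow_expired)  # step 2.b

def select_crl(issuer: str, now: datetime, cache: Dict[str, Crl],
               download: Callable[[str], Optional[Crl]],
               allow_expired: timedelta = timedelta(0)) -> Decision:
    """Run the SV decision procedure for one validation request (cache enabled)."""
    cached = cache.get(issuer)                   # step 1: look in the cache
    if cached is None:                           # step 2: nothing cached, download
        return _evaluate_download(issuer, download(issuer), now, cache, allow_expired)
    if now < cached.next_update:                 # step 3.a: cached CRL still current
        return Decision("USE_CRL", cached, False)
    fresh = download(issuer)                     # step 3.b: expired, try to refresh
    if fresh is not None and fresh.stamp != cached.stamp:
        return _evaluate_download(issuer, fresh, now, cache, allow_expired)  # 3.b.i.1
    return _use_expired(cached, now, allow_expired)  # 3.b.i.2 / 3.b.ii: same or failed
```

Note that the only path that writes to the cache is a fresh, unexpired download; a CRL accepted under the VC_ALLOW_EXPIRED_CRL extension is used for this request only, so the next request will try the download again.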