CRL & OCSP Monitoring Guide
Overview
Guide to monitoring CRL distribution points and OCSP responders. Covers automated health checks, expiry alerting, and remediation procedures for revocation infrastructure.
Table of Contents
- Revocation Infrastructure Overview
- CRL Distribution Point Monitoring
- OCSP Responder Health Checks
- Expiry and Freshness Alerting
- Prometheus Metrics for Revocation
- Remediation Procedures
- Testing Revocation Failures
Overview
Revocation infrastructure is the part of PKI that everyone configures once and forgets, until it fails. When a CRL passes its nextUpdate or an OCSP responder goes down, the impact depends on client behavior. Clients that fail open (soft-fail) keep accepting certificates without a revocation answer, which is a security problem: a revoked certificate stays trusted until the service recovers. Clients that fail closed (hard-fail) reject every connection whose revocation status they cannot confirm, which is an availability problem. Browsers generally soft-fail; server-side TLS libraries and mTLS gateways are more often configured to hard-fail. Either way, the failure is invisible until it causes real damage.
This guide covers how to proactively monitor both CRL distribution points and OCSP responders. You’ll set up automated checks that verify CRL freshness, OCSP response validity, and responder availability. We include Prometheus-based monitoring configurations alongside simpler cron-based scripts for environments without a full observability stack.
Beyond monitoring, we cover what to do when things break — republishing CRLs, restarting OCSP responders, and communicating with affected service owners.
What You’ll Learn
- How to monitor CRL nextUpdate fields and alert before expiry causes client failures
- OCSP responder health check patterns including response validation and latency monitoring
- Prometheus exporters and custom metrics for revocation infrastructure observability
- Automated remediation scripts for common CRL publication failures
- Testing procedures to verify client behavior when revocation services are unavailable
- Incident response playbooks for CRL expiry and OCSP responder outages
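As an added example (not code from this guide), here is the CRL nextUpdate check behind the first bullet, written in Go because the standard library's crypto/x509 package parses and signs CRLs with no third-party dependencies. Everything in it is constructed for the example: the in-process CA, the CRL and its serial, and the 24-hour warning threshold are assumptions. In production the DER bytes come from the CRL distribution point and the issuer certificate from your trust store; the check function itself is what a cron job or exporter would call on each fetched CRL.

```go
package main

// Added example: CRL freshness check for a cron job or Prometheus exporter.
// The CA and CRL are generated in-process (constructed test data) so the
// program runs offline; nothing here is a real CA.

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// CRLStatus summarises one freshness check.
type CRLStatus struct {
	Number     *big.Int
	ThisUpdate time.Time
	NextUpdate time.Time
	Remaining  time.Duration // time left until nextUpdate (negative once expired)
	Expired    bool          // now >= nextUpdate: clients will reject or ignore it
	Warn       bool          // remaining validity is below the alert threshold
}

// CheckCRLFreshness parses a DER CRL, verifies it was signed by issuer, and
// compares its nextUpdate with now. The signature check comes first: an
// unauthenticated "fresh" CRL served by an attacker could otherwise silence
// the alert, or hide a revocation. nextUpdate is optional in RFC 5280, so a
// CRL without one is reported as an error rather than treated as fresh.
func CheckCRLFreshness(der []byte, issuer *x509.Certificate, now time.Time, warnBefore time.Duration) (CRLStatus, error) {
	rl, err := x509.ParseRevocationList(der)
	if err != nil {
		return CRLStatus{}, fmt.Errorf("parse CRL: %w", err)
	}
	if err := rl.CheckSignatureFrom(issuer); err != nil {
		return CRLStatus{}, fmt.Errorf("CRL not signed by expected issuer: %w", err)
	}
	if rl.NextUpdate.IsZero() {
		return CRLStatus{}, fmt.Errorf("CRL %v has no nextUpdate; freshness cannot be assessed", rl.Number)
	}
	st := CRLStatus{
		Number:     rl.Number,
		ThisUpdate: rl.ThisUpdate,
		NextUpdate: rl.NextUpdate,
		Remaining:  rl.NextUpdate.Sub(now),
	}
	st.Expired = !now.Before(rl.NextUpdate)
	st.Warn = st.Remaining < warnBefore
	return st, nil
}

// newTestCA generates a throwaway ECDSA CA with the crlSign key usage
// (constructed for this example only).
func newTestCA() (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Internal CA"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der) // re-parse so SubjectKeyId is populated
	return cert, key, err
}

// issueCRL signs an empty CRL with the given number and validity window.
func issueCRL(ca *x509.Certificate, key *ecdsa.PrivateKey, number int64, thisUpdate, nextUpdate time.Time) ([]byte, error) {
	tmpl := &x509.RevocationList{Number: big.NewInt(number), ThisUpdate: thisUpdate, NextUpdate: nextUpdate}
	return x509.CreateRevocationList(rand.Reader, tmpl, ca, key)
}

func main() {
	ca, key, err := newTestCA()
	if err != nil {
		panic(err)
	}
	now := time.Now().UTC().Truncate(time.Second)
	const warnBefore = 24 * time.Hour // assumed alert threshold
	for _, c := range []struct {
		name string
		next time.Time
	}{
		{"fresh", now.Add(7 * 24 * time.Hour)},
		{"near-expiry", now.Add(6 * time.Hour)},
		{"expired", now.Add(-time.Hour)},
	} {
		der, err := issueCRL(ca, key, 7, c.next.Add(-7*24*time.Hour), c.next)
		if err != nil {
			panic(err)
		}
		st, err := CheckCRLFreshness(der, ca, now, warnBefore)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%-12s number=%v remaining=%v warn=%v expired=%v\n", c.name, st.Number, st.Remaining, st.Warn, st.Expired)
	}
	// A CRL whose signature does not verify must never count as fresh.
	der, _ := issueCRL(ca, key, 8, now, now.Add(24*time.Hour))
	der[len(der)-1] ^= 0xff
	_, err = CheckCRLFreshness(der, ca, now, warnBefore)
	fmt.Println("tampered CRL rejected:", err != nil)
}
```

Two design points carry over to any real exporter: verify the signature before reading any field, since a CRL you cannot authenticate tells you nothing about freshness, and export Remaining as a gauge in seconds so the alert threshold lives in the alerting rule rather than in the collector.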