CRL Endpoint Check Tool
Overview
The CRL Endpoint Check Tool checks the health of the CRL distribution endpoints for the certificates in a given keystore. You provide the keystore file's path and password. The tool iterates through all alias names in the keystore and their certificate hierarchies. For each certificate, it first checks whether the certificate contains a CRL endpoint. If there is one, the tool attempts to connect to it and retrieve the CRL. Once the CRL is received, the tool performs a formatting check and logs the revocation list's update time to the console. Detailed information on certificates and their CRLs is available in the log files.
Using the CRL Endpoint Check Tool
The CRL Endpoint Check Tool resides in crlendpointchecktool.jar. Run it with the following command:
java -jar crlendpointchecktool.jar --keystore=<keystore-file> --password=<keystore-password>
On success you should see a console message similar to:
Listing certificates' CRLs under cordaclientca alias:
O=PartyA, L=London, C=GB
Contacting http://localhost:10000/certificate-revocation-list/doorman CRL endpoint...
- Next update: Fri Jan 10 15:50:13 GMT 2020
Please re-sign CRL, update deadline has passed
C=US, L=New York, O=R3 HoldCo LLC, OU=Corda, CN=Test Identity Manager Service Certificate
Contacting http://localhost:10000/certificate-revocation-list/subordinate CRL endpoint...
- Next update: Sat Jan 05 10:47:37 GMT 2030
C=US, L=New York, O=R3 HoldCo LLC, OU=Corda, CN=Test Subordinate CA Certificate
Contacting http://localhost:10000/certificate-revocation-list/root CRL endpoint...
- Next update: Sat Jan 05 10:47:37 GMT 2030
C=US, L=New York, O=R3 HoldCo LLC, OU=Corda, CN=Test Root Certificate
- No CRL endpoints provided for given certificate
------------------------
Listing certificates' CRLs under identity-private-key alias:
O=PartyA, L=London, C=GB
- No CRL endpoints provided for given certificate
O=PartyA, L=London, C=GB
Contacting http://localhost:10000/certificate-revocation-list/doorman CRL endpoint...
- Next update: Fri Jan 10 15:50:13 GMT 2020
Please re-sign CRL, update deadline has passed
C=US, L=New York, O=R3 HoldCo LLC, OU=Corda, CN=Test Identity Manager Service Certificate
Contacting http://localhost:10000/certificate-revocation-list/subordinate CRL endpoint...
- Next update: Sat Jan 05 10:47:37 GMT 2030
C=US, L=New York, O=R3 HoldCo LLC, OU=Corda, CN=Test Subordinate CA Certificate
Contacting http://localhost:10000/certificate-revocation-list/root CRL endpoint...
- Next update: Sat Jan 05 10:47:37 GMT 2030
C=US, L=New York, O=R3 HoldCo LLC, OU=Corda, CN=Test Root Certificate
- No CRL endpoints provided for given certificate
------------------------
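The following is an added example, not part of the tool or of the original documentation: a Python wrapper that parses the console output shown above and classifies each certificate's CRL, so a scheduled job can warn before the update deadline passes rather than after. The line patterns are inferred from the sample output only; the function name `classify`, the 30-day warning window, and the `no-response` status are assumptions made for illustration.

```python
import re
from datetime import datetime, timedelta, timezone

# Line patterns inferred from the sample console output on this page (an assumption).
ALIAS = re.compile(r"^Listing certificates' CRLs under (\S+) alias:$")
ENDPOINT = re.compile(r"^Contacting (\S+) CRL endpoint\.\.\.$")
NEXT_UPDATE = re.compile(r"^- Next update: \w{3} (\w{3} \d{1,2} [\d:]{8}) (\w+) (\d{4})$")
NO_CRL = "- No CRL endpoints provided for given certificate"

def classify(output, now, warn=timedelta(days=30)):
    """Return (alias, subject, endpoint, next_update, status) per certificate."""
    findings, alias, subject, pending = [], None, None, None
    # The trailing sentinel flushes an endpoint still pending at end of output.
    for line in [raw.strip() for raw in output.splitlines()] + ["<end>"]:
        if m := ENDPOINT.match(line):
            pending = m.group(1)
        elif line == NO_CRL:
            findings.append((alias, subject, None, None, "no-crl"))
        elif m := NEXT_UPDATE.match(line):
            stamp, zone, year = m.groups()
            if zone not in ("GMT", "UTC"):  # only GMT appears in the sample output
                raise ValueError(f"unsupported time zone: {zone}")
            due = datetime.strptime(f"{stamp} {year} +0000", "%b %d %H:%M:%S %Y %z")
            status = "expired" if due <= now else "expiring" if due - now <= warn else "ok"
            findings.append((alias, subject, pending, due, status))
            pending = None
        elif line and not line.startswith(("-", "Please re-sign")):
            # New alias or subject: an endpoint contacted without a result gave no CRL.
            if pending:
                findings.append((alias, subject, pending, None, "no-response"))
                pending = None
            if m := ALIAS.match(line):
                alias, subject = m.group(1), None
            else:
                subject = line
    return findings

# Constructed sample: an excerpt of the console output shown above.
SAMPLE = """\
Listing certificates' CRLs under cordaclientca alias:
O=PartyA, L=London, C=GB
Contacting http://localhost:10000/certificate-revocation-list/doorman CRL endpoint...
- Next update: Fri Jan 10 15:50:13 GMT 2020
Please re-sign CRL, update deadline has passed
"""

if __name__ == "__main__":
    for finding in classify(SAMPLE, datetime.now(timezone.utc)):
        print(finding)
```

Treat `expiring`, `expired` and `no-response` as actionable: a CRL that is stale or cannot be retrieved leaves the revocation status of the certificates it covers unverifiable.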