A certificate validation service (CVS) provides certificate validation using revocation checking with the Online Certificate Status Protocol (OCSP) or the Server-based Certificate Validation Protocol (SCVP) for all aspects of validation checking, as shown in Figure 1. Complete certificate validation requires that the certificate is issued from a trusted source, which requires building a validated chain of intermediate certificates up to a trusted root by checking all of their digital signatures. The certificate must be within its validity period, within its appropriate usage, and not revoked.
Figure 1 - An example of a CVS providing certificate revocation status.
A CVS consumes CRLs containing serial numbers of all the certificates that are revoked. When provided with a particular certificate or group of serials, the CVS responds with good, bad, or unknown. The CVS signs individual responses and can validate certificates referencing stale CRLs while notifying administrators of the situation.
An organization normally uses certificates throughout the enterprise that must be validated. Some applications normally stop working if a required CRL is expired. Others will time out and continue to operate. In either case, there is uncertainty as to how an enterprise will be impacted when CRL failures occur. A CVS that signs responses mitigates CRL failures and provides increased network performance as individual applications do not need to download CRLs separately.