---
checkId: check.timestamp.crl.distribution
plugin: stellaops.doctor.timestamping
severity: warn
tags: [timestamping, crl, distribution, revocation]
---

# CRL Distribution Point Availability

## What It Checks

Checks that configured CRL distribution points (CDPs) are accessible. The check:

- Gets configured CDPs from the registry.
- Sends a HEAD request to each CDP URL with a 30-second timeout.
- Reports response status, latency, and CRL size (from Content-Length).
- Fails if all CDPs are unavailable. Warns if some are unavailable.
- Passes (healthy) if no CDPs are configured (optional feature).

## Why It Matters

CRL distribution points provide the certificate revocation lists needed to verify that TSA certificates have not been revoked. If CDPs are unavailable, the system cannot download updated CRLs and may accept timestamps signed by revoked certificates.

## Common Causes

- CRL distribution point server is down
- Network connectivity issues
- Firewall blocking HTTP/HTTPS to CDP URLs
- CDP URL changed by the CA

## How to Fix

### Docker Compose

```bash
# Replace <container> with the name of the service container that performs timestamp verification
docker exec <container> curl -I http://crl.example.com/crl.pem
```

### Bare Metal / systemd

```bash
# Test CDP connectivity
curl -I http://crl.example.com/crl.pem

# Check network and DNS
nslookup crl.example.com
```

### Kubernetes / Helm

Ensure egress NetworkPolicies allow traffic to the CRL distribution point URLs.

## Verification

```
stella doctor run --check check.timestamp.crl.distribution
```

## Related Checks

- `check.timestamp.ocsp.responder` — checks OCSP responder availability
- `check.timestamp.revocation.cache-fresh` — checks revocation cache freshness
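The decision logic described under "What It Checks" (HEAD per CDP with a 30-second timeout, report status, latency and Content-Length, fail when all are down, warn when some are, healthy when none are configured), written out as an added stand-alone example. This is not StellaOps code and does not read the StellaOps registry; the CDP list is passed in directly, and the HTTP probe is injectable so the logic can be exercised offline against constructed results. The URLs in `constructed_probe` are sample values, not real distribution points.

```python
"""Added example: re-implementation of a CDP availability check (not StellaOps code)."""
import time
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import Callable, Iterable, List, Optional, Tuple

TIMEOUT_SECONDS = 30  # per-CDP timeout, as stated in the check description


@dataclass
class CdpResult:
    url: str
    ok: bool
    status: Optional[int] = None       # HTTP status, when a response was received
    latency_ms: Optional[float] = None
    crl_bytes: Optional[int] = None    # from Content-Length, when the server sends it
    error: Optional[str] = None


def probe_http(url: str, timeout: float = TIMEOUT_SECONDS) -> CdpResult:
    """Send one HEAD request and record status, latency and CRL size."""
    req = urllib.request.Request(url, method="HEAD")
    start = time.monotonic()
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            latency = (time.monotonic() - start) * 1000
            length = resp.headers.get("Content-Length")
            size = int(length) if length and length.isdigit() else None
            # urlopen raises HTTPError for 4xx/5xx, so reaching here means success
            return CdpResult(url, True, resp.status, latency, size)
    except urllib.error.HTTPError as exc:
        latency = (time.monotonic() - start) * 1000
        return CdpResult(url, False, exc.code, latency, error=f"HTTP {exc.code}")
    except (urllib.error.URLError, OSError, ValueError) as exc:
        # DNS failure, refused connection, timeout, malformed URL
        latency = (time.monotonic() - start) * 1000
        return CdpResult(url, False, None, latency, error=str(exc))


def evaluate(cdps: Iterable[str],
             probe: Callable[[str], CdpResult] = probe_http) -> Tuple[str, List[CdpResult]]:
    """Return ("healthy" | "warn" | "fail", per-CDP results)."""
    urls = list(cdps)
    if not urls:
        return "healthy", []          # optional feature: nothing configured, nothing to check
    results = [probe(u) for u in urls]
    reachable = sum(1 for r in results if r.ok)
    if reachable == 0:
        return "fail", results        # every CDP unavailable: CRLs cannot be refreshed
    if reachable < len(results):
        return "warn", results        # degraded: at least one CDP still serves the CRL
    return "healthy", results


def format_report(status: str, results: List[CdpResult]) -> str:
    lines = [f"check.timestamp.crl.distribution: {status}"]
    for r in results:
        if r.ok:
            lines.append(f"  OK   {r.url} status={r.status} latency={r.latency_ms:.0f}ms "
                         f"size={r.crl_bytes if r.crl_bytes is not None else 'unknown'}")
        else:
            lines.append(f"  DOWN {r.url} error={r.error}")
    return "\n".join(lines)


# Constructed probe results (sample data, no network access) for offline demonstration.
_CONSTRUCTED = {
    "http://crl.example.com/crl.pem": dict(ok=True, status=200, latency_ms=12.0, crl_bytes=4096),
    "http://crl2.example.com/crl.pem": dict(ok=False, status=None, latency_ms=30000.0,
                                            error="timed out"),
}


def constructed_probe(url: str) -> CdpResult:
    return CdpResult(url, **_CONSTRUCTED[url])


if __name__ == "__main__":
    status, results = evaluate(list(_CONSTRUCTED), probe=constructed_probe)
    print(format_report(status, results))
```

Run it as-is to see the offline "warn" case; pass your real CDP URLs to `evaluate()` with the default `probe_http` to exercise the network. Servers that reject HEAD (405) are reported as unavailable here, so confirm such a CDP with a GET (`curl -v` without `-I`) before treating it as down.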