git.stella-ops.org/docs/doctor/articles/timestamping/crl-distribution.md
master c58a236d70 Doctor plugin checks: implement health check classes and documentation
Implement remediation-aware health checks across all Doctor plugin modules
(Agent, Attestor, Auth, BinaryAnalysis, Compliance, Crypto, Environment,
EvidenceLocker, Notify, Observability, Operations, Policy, Postgres, Release,
Scanner, Storage, Vex) and their backing library counterparts (AI, Attestation,
Authority, Core, Cryptography, Database, Docker, Integration, Notify,
Observability, Security, ServiceGraph, Sources, Verification).

Each check now emits structured remediation metadata (severity, category,
runbook links, and fix suggestions) consumed by the Doctor dashboard
remediation panel.

Also adds:
- docs/doctor/articles/ knowledge base for check explanations
- Advisory AI search seed and allowlist updates for doctor content
- Sprint plan for doctor checks documentation

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-27 12:28:00 +02:00


| checkId | plugin | severity | tags |
|---|---|---|---|
| check.timestamp.crl.distribution | stellaops.doctor.timestamping | warn | timestamping, crl, distribution, revocation |

# CRL Distribution Point Availability

## What It Checks

Checks that configured CRL distribution points (CDPs) are accessible. The check:

- Gets the configured CDPs from the registry.
- Sends a HEAD request to each CDP URL with a 30-second timeout.
- Reports response status, latency, and CRL size (from Content-Length).
- Fails if all CDPs are unavailable. Warns if some are unavailable.
- Passes (healthy) if no CDPs are configured (optional feature).
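The verdict logic above, as an added example that is not the Doctor plugin's own code: the function and type names are assumed, the live `head_request` uses `urllib`, and a caller can inject its own `head` callable to exercise the healthy/warn/fail rollup offline.

```python
import time
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import Callable, Optional

TIMEOUT_SECONDS = 30  # per-CDP timeout stated by the check description

@dataclass
class CdpResult:
    url: str
    ok: bool
    status: Optional[int]
    latency_ms: float
    crl_size: Optional[int]  # from Content-Length; None when the header is absent
    error: Optional[str] = None

def head_request(url: str, timeout: float = TIMEOUT_SECONDS):
    """Live HEAD request: returns (status, headers); raises on network failure."""
    req = urllib.request.Request(url, method="HEAD")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.status, resp.headers

def probe_cdp(url: str, head: Callable = head_request) -> CdpResult:
    """Probe one distribution point and record status, latency and CRL size."""
    start = time.monotonic()
    try:
        status, headers = head(url)
    except urllib.error.HTTPError as exc:  # server answered, but not with 2xx/3xx
        return CdpResult(url, False, exc.code, (time.monotonic() - start) * 1000, None, str(exc))
    except Exception as exc:  # DNS failure, timeout, refused connection, TLS error
        return CdpResult(url, False, None, (time.monotonic() - start) * 1000, None, str(exc))
    length = headers.get("Content-Length")
    size = int(length) if length and str(length).isdigit() else None
    return CdpResult(url, 200 <= status < 400, status, (time.monotonic() - start) * 1000, size)

def check_crl_distribution(cdps, head: Callable = head_request):
    """Roll per-CDP results up to the check verdict: healthy, warn or fail."""
    if not cdps:  # CRL checking is optional, so no configured CDPs is healthy
        return "healthy", []
    results = [probe_cdp(url, head) for url in cdps]
    reachable = sum(1 for r in results if r.ok)
    if reachable == 0:
        return "fail", results  # every CDP unavailable: revocation data cannot refresh
    if reachable < len(results):
        return "warn", results  # partial outage: some CDPs still serve CRLs
    return "healthy", results
```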

## Why It Matters

CRL distribution points provide certificate revocation lists needed to verify that TSA certificates have not been revoked. If CDPs are unavailable, the system cannot download updated CRLs, potentially accepting timestamps from revoked certificates.

## Common Causes

- CRL distribution point server is down
- Network connectivity issues
- Firewall blocking HTTP/HTTPS to CDP URLs
- CDP URL changed by the CA

## How to Fix

### Docker Compose

```bash
docker exec <platform-container> curl -I http://crl.example.com/crl.pem
```

### Bare Metal / systemd

```bash
# Test CDP connectivity
curl -I http://crl.example.com/crl.pem

# Check network and DNS
nslookup crl.example.com
```

### Kubernetes / Helm

Ensure egress NetworkPolicies allow traffic to CRL distribution point URLs.

## Verification

```bash
stella doctor run --check check.timestamp.crl.distribution
```

## Related Checks

- check.timestamp.ocsp.responder: checks OCSP responder availability
- check.timestamp.revocation.cache-fresh: checks revocation cache freshness