Certificate status checking
PKIaaS provides the following certificate status-checking functions.
Entrust PKIaaS Certificate Revocation Lists
PKIaaS publishes Certificate Revocation Lists (CRLs) with the following settings.
| CRL setting | Value |
|---|---|
| CRL validity | 7 days |
| CRL extensions | crlNumber, invalidityDate, expiredCertsOnCRL |
| Signing key | CA key |
| CRL type | full CRL |
| Size limit | 22 MB |
| CA type | root and issuing CAs |
PKIaaS can issue CRLs in the following modes.
| Mode | Period |
|---|---|
| Automatic | Every 24 hours |
| Include the “publish now” option on revocation requests to the API | Within 15 minutes of receiving the request |
| Revoke an end-entity certificate using the PKIaaS UI or the Entrust Certificate Enrollment Gateway (CEG) | Within 15 minutes of the revocation |
PKIaaS publishes CRLs at the following URLs.
| Region | URL |
|---|---|
| US | http://crl.PKIaaS.entrust.com/crl/{accountId}/{caId}/crl.crl |
| EU | http://crl.eu.PKIaaS.entrust.com/crl/{accountId}/{caId}/crl.crl |
| PQ Lab | http://crl.pqlab.PKIaaS.entrust.com/crl/{accountId}/{caId}/crl.crl |
Where {accountId} corresponds to your account identifier, and {caId} to the certificate authority identifier.
Entrust PKIaaS OCSP service
The Online Certificate Status Protocol (OCSP) supports:
- Nonce extension
- Archive Cutoff extension
- Multiple OCSP certificates per request
- Signed/Unsigned requests
- Delegated keys
- OCSP may be configured for both roots and issuing CAs
OCSP services are available at the following URLs.
| Region | URL |
|---|---|
| US | http://ocsp.PKIaaS.entrust.com/ocsp/{accountId}/{caId} |
| EU | http://ocsp.eu.PKIaaS.entrust.com/ocsp/{accountId}/{caId} |
| PQ Lab | http://ocsp.pqlab.PKIaaS.entrust.com/ocsp/{accountId}/{caId} |
Where {accountId} is your account identifier, and {caId} is the certificate authority identifier.