3.1.5.2 CRL Publication Retry Timer Events

When the CRL Publication Retry Timer reaches its timeout value, the CA MUST attempt to republish CRLs using the following steps.

  1. The CA evaluates the ADM element OnNextRestart_Config_CA_CRL_Attempt_Republish, and if its value equals or exceeds 10, the CA does not execute the logic in this section. Rather, CRL creation and publishing will occur again when either the Base CRL Next Publish Timer (section 3.1.2.1.1) or the Delta CRL Next Publish Timer (section 3.1.2.1.2) reaches its next timeout value, whichever occurs first.

  2. The CA increments the ADM elements Config_CA_CRL_Attempt_Republish and OnNextRestart_Config_CA_CRL_Attempt_Republish by 1.

  3. The CA examines the CRL table row(s) corresponding to the most recent base and, if enabled, delta CRLs, for all CA keys. For each found CRL table row:

    • The CA reattempts publishing of that CRL to all Config_CA_CDP_Publish_To_Base or Config_CA_CDP_Publish_To_Delta CRL publishing locations, as applicable, and, following this attempt, updates the following data elements in the corresponding CRL table row:

      • CRL_Publish_Status_Code: Use the same logic as in section 3.1.4.1.6, rule 11.

      • CRL_Publish_Error: If this element is present, update it as follows: If the retry is not successful, preserve the existing username and CRL location information in the data element and append username and CRL location information for the current failed retry. If the retry is successful, preserve the username information, append the username information for the current, successful retry, and remove the CRL location information for previous failed publishing attempts.

        Once publishing is successful, the Microsoft CA removes any existing CRL publishing location indices from each line of username information. If republishing is not successful, the Microsoft CA preserves the existing username and CRL location index information, up to and including the line feed after the last line of username information, and adds a new line containing the username followed by a space, two hyphens, and the numeric index of the CRL publishing location to which publication failed upon the current retry. If more than one location fails for one CRL table entry upon retry, then the index of each failed location is appended to this line, separated by spaces.

        The following example illustrates the contents of CRL_Publish_Error on a Microsoft CA after three publishing attempts, the first two of which failed when writing to an LDAP path and the third of which succeeded. The first attempt was initiated in the user context of Administrator, and the second and third attempts in the context of the CA:

        "Published by CORP\Administrator -- 0{linefeed}
        - -- 0{linefeed}
        -{linefeed}
        {linefeed}
        ldap:///CN=CA1,CN=host1,CN=CDP,CN=Public Key Services,CN=Services,CN=Configuration,DC=corp,DC=contoso,DC=com"

      • CRL_Publish_Attempts: If this element is present, increment its value by 1.

      • CRL_Last_Published: If this element is present, update its value to the current time.

  4. If all CRL publishing retry attempts are successful, the CA resets the data elements Config_CA_CRL_Attempt_Republish and OnNextRestart_Config_CA_CRL_Attempt_Republish back to 0 and sets the Base and Delta CRL Next Publish Timers as follows: it sets the Base CRL Next Publish Timer to the value of the CRL_Next_Publish of the base CRL that was just published, and sets the Delta CRL Next Publish Timer to the value of the CRL_Next_Publish of the delta CRL that was just published. Otherwise, the CA resets the value of the CRL Publication Retry Timer specified in section 3.1.2.2.
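The following Python model of the retry gate in step 1 and of the CRL_Publish_Error update rules in step 3 is an added illustration, not code from the specification or from the Microsoft CA. It assumes the element layout shown in the example above (username lines, then one empty line, then the CRL location URLs) and uses "-" as the username written for a retry run in the CA's own context; the function and constant names are hypothetical.

```python
"""Model of the CRL Publication Retry Timer handling from section 3.1.5.2."""

MAX_REPUBLISH_ATTEMPTS = 10  # limit on OnNextRestart_Config_CA_CRL_Attempt_Republish (step 1)
CA_CONTEXT = "-"             # assumed username written when the retry runs as the CA


def should_republish(on_next_restart_attempts):
    """Step 1: once the persisted counter reaches 10, this section's logic is
    skipped and publishing waits for the next Base/Delta CRL Next Publish Timer."""
    return on_next_restart_attempts < MAX_REPUBLISH_ATTEMPTS


def split_publish_error(value):
    """Split CRL_Publish_Error into its username lines and its location lines.
    Assumed layout: username lines, one empty line, then the location URLs."""
    head, _, tail = value.partition("\n\n")
    users = head.split("\n")
    locations = tail.split("\n") if tail else []
    return users, locations


def record_retry(value, user, failed_indices, failed_locations):
    """Return the updated CRL_Publish_Error after one republishing retry.

    failed_indices: indices of the CDP locations that failed on this retry
    (empty when the retry succeeded); failed_locations: their URLs.
    """
    users, locations = split_publish_error(value)
    if failed_indices:
        # Failed retry: keep every existing line (including the line feed after
        # the last username line) and add "user -- i j ..." for this attempt.
        users.append(f"{user} -- " + " ".join(str(i) for i in failed_indices))
        for loc in failed_locations:
            if loc not in locations:
                locations.append(loc)
    else:
        # Successful retry: strip the location indices from each existing
        # username line, append this attempt's username, and drop the location
        # information kept from earlier failed attempts.
        users = [line.split(" -- ")[0] for line in users]
        users.append(user)
        locations = []
    body = "\n".join(users)
    return (body + "\n\n" + "\n".join(locations)) if locations else body
```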