Auto-update, Force periodic update, Related cli commands – HP Secure Key Manager User Manual

Page 154: Using advanced security features, Advanced security overview


certificates revoked by local CAs. The format of CRLs exported by the SKM is in PEM-encoded X.509 format.

Auto-Update

Each CA promises to update its CRL at the day and time specified in the Next Update field for that CA. When you enable the Auto-Update feature, at 5:00 AM every day the SKM inspects the Next Update value for the CRL associated with each CA on the SKM. For CRLs whose Next Update time is in the past, the SKM attempts to connect to the CRL distribution point (CDP) for the CA to download the updated CRL. If the download was successful, the Next Update field for that CA is changed to the new update time contained in the newly downloaded CRL. If the Next Update value for that CRL is in the future, the SKM waits until that specified time to attempt to connect to the CDP and download the updated CRL. For example:

There is a CA named XYZ that has a CRL Next Update time of Oct 20 01:00:00 2002 (1:00 AM). The administrator has enabled CRL auto-updates on the SKM. At 5:00 AM on Oct 20, the SKM checks the Next Update times for all of the CAs. When it gets to CA XYZ, it will notice that the Next Update time was in the past (4 hours ago), and it will attempt to download an updated CRL from the appropriate CDP.

If the CRL download was successful, the Next Update field for that CA is changed to the new update time contained in the downloaded CRL.

Should the CRL download fail, the SKM continues using the old CRL, and it tries again each day to download the updated CRL at the normal 5:00 AM auto-update time.

The Auto-Update feature is a global setting. If you want to disable Auto-Update for a particular CA, you can use the crl settings command to set the Next Update value to a time in the distant future.

NOTE:

The Auto-Update feature does not apply to local CAs.

Force Periodic Update

The SKM performs a daily check of the Next Update field to determine whether it should attempt to update the CRL for a particular CA. If you are not satisfied with a daily check of the Next Update field, or if it is possible that the CA incorrectly set the Next Update field in the CRL, you can use the optional Force Periodic Update parameter to instruct the SKM to download updated CRLs at an interval you specify.

It is important to note that when you specify a value for the Force Periodic Update parameter, the SKM does not stop making daily checks of the Next Update field. For example, if you set the Force Periodic Update parameter to 10800 minutes (one week), the SKM continues to check the Next Update field on a daily basis to see if it is necessary to download an updated CRL. In addition, the SKM downloads the CRL from the CDP according to the value you specify in the Force Periodic Update parameter.

The Force Periodic Update parameter supports values between 5 and 525600 minutes (one year). Values must be a multiple of 5; if you enter a number that is not a multiple of 5, the value is rounded down to the closest multiple of 5. For example, if you enter a value of 12, the value will be rounded down to 10.

NOTE:

The Force Periodic Update parameter is not available for local CAs.
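The two refresh mechanisms above (the daily 5:00 AM Next Update check with its keep-the-old-CRL fallback, and the Force Periodic Update interval with its 5..525600 range and round-down-to-5 rule) are easier to reason about as code. The following is an added example written for this page, not HP's implementation or any SKM API: the `CrlEntry` state record, the `_stub_fetch` stand-in for a CDP download, the sample CA names and URLs are all constructed so the example runs offline, and the only behaviour it encodes is what the manual states.

```python
"""Added example: a model of the SKM's CRL refresh scheduling as this manual describes it.
Illustrative code for this page only; class names, the stub fetcher and sample CAs are constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable, Dict, List, Optional

AUTO_UPDATE_HOUR = 5            # the daily pass runs at 5:00 AM (from the manual)
FORCE_MIN_MINUTES = 5           # documented lower bound of Force Periodic Update
FORCE_MAX_MINUTES = 525600      # documented upper bound (one year)
FORCE_STEP_MINUTES = 5          # values are rounded down to a multiple of 5


@dataclass
class DownloadedCrl:
    """What a successful CDP download yields: PEM text plus the Next Update it carries."""
    pem: str
    next_update: datetime


@dataclass
class CrlEntry:
    """Per-CA state kept for CRL handling (this field set is an assumption, not the SKM's)."""
    ca_name: str
    next_update: datetime                  # Next Update of the installed CRL
    cdp_url: str                           # CRL distribution point for the CA
    local_ca: bool = False                 # local CAs are exempt from both features
    force_periodic_minutes: Optional[int] = None
    last_download: Optional[datetime] = None
    crl_pem: str = ""


def normalize_force_periodic(minutes: int) -> int:
    """Enforce the documented constraints on Force Periodic Update (5..525600, step 5)."""
    if not FORCE_MIN_MINUTES <= minutes <= FORCE_MAX_MINUTES:
        raise ValueError(f"Force Periodic Update must be between {FORCE_MIN_MINUTES} "
                         f"and {FORCE_MAX_MINUTES} minutes, got {minutes}")
    return minutes - (minutes % FORCE_STEP_MINUTES)   # 12 -> 10, as in the manual


def daily_auto_update(entries: List[CrlEntry], now: datetime,
                      fetch: Callable[[str], DownloadedCrl]) -> Dict[str, str]:
    """One Auto-Update pass: refresh every non-local CA whose Next Update has passed.

    On a failed download the old CRL and its Next Update stay untouched, so the CA is
    retried at the next daily pass. Setting Next Update far in the future (the manual's
    per-CA opt-out) simply routes the entry into the 'not-due' branch.
    """
    outcome: Dict[str, str] = {}
    for entry in entries:
        if entry.local_ca:
            outcome[entry.ca_name] = "skipped-local"
            continue
        if entry.next_update > now:
            outcome[entry.ca_name] = "not-due"
            continue
        try:
            fresh = fetch(entry.cdp_url)
        except Exception:                      # network or CDP error: keep the old CRL
            outcome[entry.ca_name] = "failed-kept-old"
            continue
        entry.crl_pem = fresh.pem
        entry.next_update = fresh.next_update  # Next Update now comes from the new CRL
        entry.last_download = now
        outcome[entry.ca_name] = "updated"
    return outcome


def force_periodic_due(entry: CrlEntry, now: datetime) -> bool:
    """Separate from the daily check: true once the forced interval has elapsed since the last download."""
    if entry.local_ca or entry.force_periodic_minutes is None or entry.last_download is None:
        return False
    return now - entry.last_download >= timedelta(minutes=entry.force_periodic_minutes)


def _stub_fetch(url: str) -> DownloadedCrl:
    """Constructed CDP stand-in so the example runs offline; 'unreachable' hosts fail."""
    if "unreachable" in url:
        raise ConnectionError(f"cannot reach {url}")
    return DownloadedCrl(
        pem="-----BEGIN X509 CRL-----\n(constructed placeholder)\n-----END X509 CRL-----\n",
        next_update=datetime(2002, 10, 27, 1, 0, 0))


def run_example():
    """Replay the manual's CA XYZ scenario plus a failing CDP, a not-yet-due CA and a local CA."""
    xyz = CrlEntry("XYZ", datetime(2002, 10, 20, 1, 0, 0), "http://cdp.example/xyz.crl")
    flaky = CrlEntry("Flaky", datetime(2002, 10, 19, 12, 0, 0), "http://unreachable.example/flaky.crl")
    fresh = CrlEntry("Fresh", datetime(2002, 10, 25, 0, 0, 0), "http://cdp.example/fresh.crl")
    local = CrlEntry("LocalCA", datetime(2002, 1, 1), "", local_ca=True)
    now = datetime(2002, 10, 20, AUTO_UPDATE_HOUR, 0, 0)    # 5:00 AM on Oct 20, 2002
    outcome = daily_auto_update([xyz, flaky, fresh, local], now, _stub_fetch)

    # Force Periodic Update with the manual's 10800-minute value, layered on the daily check
    xyz.force_periodic_minutes = normalize_force_periodic(10800)
    forced = (force_periodic_due(xyz, now),
              force_periodic_due(xyz, now + timedelta(minutes=10795)),
              force_periodic_due(xyz, now + timedelta(minutes=10800)))
    return outcome, xyz, flaky, forced


if __name__ == "__main__":
    result, xyz_entry, flaky_entry, forced_flags = run_example()
    print(result, xyz_entry.next_update, flaky_entry.next_update, forced_flags)
```

The download is injected as a callable so the scheduling logic can be exercised without a network; in a real deployment the same structure lets you log the "failed-kept-old" branch, which is the case worth alerting on, since a CA whose CRL never refreshes silently keeps accepting revoked certificates.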

Related CLI Commands

Configuration of the SKM to work with CRLs is done exclusively from the Command Line Interface. See CRL Commands for the appropriate commands.

Using the Management Console
