A certificate authority maintains a list of certificates that have been revoked or are no longer valid, called a certificate revocation list (CRL). When a CA adds or removes an entry in the CRL, the updated CRL needs to be published to the services that trust the CA. When the GAARDS UI is used to revoke a host certificate, GAARDS sends an updateHostCertificateRecord request to Dorian (i.e., the CA). Dorian updates the status of the host certificate, generates a new CRL, and then sends the CRL to the GTS server to be distributed. If the CA is not Dorian, the CA needs to provide its CRL to the GTS server for publication.
Updating a CA's CRL to GTS Example
Below is a programmatic way to publish a CRL to the GTS server. Note: the CRL must be signed by the CA; the signature is what prevents unauthorized changes to the CRL.
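The signing requirement in the note above is the part a publisher has to check before it distributes a list. The following is an added example, not GAARDS, Dorian or GTS code and not the caGrid client API: it uses the Python `cryptography` package to build a CRL signed by a CA and then shows the two checks a publisher should make before accepting it (issuer name matches the trusted CA, and the signature verifies against that CA's public key). The CA name, the key pair and the revoked serial numbers are all constructed inside the example; a real deployment would load the CA certificate it already trusts instead of generating one.

```python
"""Added example (not caGrid/GAARDS/Dorian/GTS code): a CA signs a CRL and a
publisher verifies that signature before accepting the list. Uses the
`cryptography` package; the CA, keys and serial numbers are constructed here."""
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import NameOID


def make_ca(common_name):
    """Constructed CA: a fresh key pair and a self-signed CA certificate."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    now = datetime.datetime.now(datetime.timezone.utc)
    cert = (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - datetime.timedelta(minutes=1))
        .not_valid_after(now + datetime.timedelta(days=365))
        .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
        .sign(key, hashes.SHA256())
    )
    return key, cert


def build_crl(signing_key, ca_cert, revoked_serials):
    """The CA's step: list the revoked serials, sign the list, return DER bytes.
    The issuer name is taken from ca_cert; the signature comes from signing_key."""
    now = datetime.datetime.now(datetime.timezone.utc)
    builder = (
        x509.CertificateRevocationListBuilder()
        .issuer_name(ca_cert.subject)
        .last_update(now)
        .next_update(now + datetime.timedelta(days=1))
    )
    for serial in revoked_serials:
        entry = (
            x509.RevokedCertificateBuilder()
            .serial_number(serial)
            .revocation_date(now)
            .build()
        )
        builder = builder.add_revoked_certificate(entry)
    crl = builder.sign(signing_key, hashes.SHA256())
    return crl.public_bytes(serialization.Encoding.DER)


def accept_crl(crl_der, ca_cert):
    """The publisher's step: parse the CRL and accept it only if it names the
    trusted CA as issuer AND its signature verifies with that CA's public key.
    Returns the parsed CRL, or None when the CRL must be rejected."""
    crl = x509.load_der_x509_crl(crl_der)
    if crl.issuer != ca_cert.subject:
        return None
    if not crl.is_signature_valid(ca_cert.public_key()):
        return None
    return crl


def is_revoked(crl, serial):
    """Look up a certificate serial number in an accepted CRL."""
    return crl.get_revoked_certificate_by_serial_number(serial) is not None


def demo():
    ca_key, ca_cert = make_ca("Constructed Example CA")
    revoked = [1001, 1002]  # constructed serial numbers of revoked host certs
    crl_der = build_crl(ca_key, ca_cert, revoked)
    good = accept_crl(crl_der, ca_cert)

    # A CRL carrying the same issuer name but signed by some other key
    # (i.e. an unauthorized edit of the list) must be rejected.
    other_key, _ = make_ca("Constructed Example CA")
    forged_der = build_crl(other_key, ca_cert, revoked + [1003])
    forged = accept_crl(forged_der, ca_cert)

    return {
        "accepted": good is not None,
        "forged_accepted": forged is not None,
        "1001_revoked": is_revoked(good, 1001),
        "1003_revoked": is_revoked(good, 1003),
    }


if __name__ == "__main__":
    print(demo())
```

The issuer-name check alone is not enough, which is why the forged list in `demo()` is built with the genuine issuer name: only the signature check against the already-trusted CA key distinguishes it from the real CRL.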