For more information regarding Certificate Issuance Lists (CILs), see Certificate Issuance List - CIL.
When a CIL provider retrieves a CIL, Nexus OCSP Responder will do the following:
- Parse the CIL and check for unsupported extensions.
- Retrieve the certificate for the CIL issuer by use of the certificate cache.
- Verify the signature of the CIL by use of the public key in the CIL issuer certificate.
- Validate that the CIL is issued before current system time and check that the time for next update is not yet passed.
- Update the CIL cache with the verified CIL.