CCADB Update: Support multiple full CRL URLs and other enhancements

Chris Clements

Mar 16, 2026, 1:07:15 PM
to public
All,

On March 20, 2026, the CCADB will be updated to support multiple full CRL URLs, among other things described in detail below.

The CCADB will be unavailable to CA Owners from March 19, 2026, at approximately 08:00PM PT, until March 20, 2026, at approximately 10:00AM PT.

The new functionality should:
  • Add a new editable `JSON Array of all Full CRL URLs` field to certificate records that allows for a JSON array whose elements are the set of distinct full CRLDP URLs appearing in time-valid certificates issued by the CA. The existing `Full CRL Issued By This CA` field will become read only and will automatically convey the first URL presented in the new `JSON Array of all Full CRL URLs` field. Validation for these CRL related fields will enforce proper JSON array formatting. The ‘JSON Array of All Full CRL URLs’ field previously included the word ‘expired’ when a certificate was expired and ‘revoked’ when a certificate was revoked. However, after this release, these terms will no longer be reflected.
  • Update the AddUpdateIntermediateCertAPI to support the new `JSON Array of all Full CRL URLs` field and deprecate `Full CRL Issued By This CA`.
  • Add new `Automation Solution Attestation` and `Public Test Infrastructure URL` fields for root certificate records; these fields can be updated via the "Add/Update Root Request" case UI. 
  • Add an `Apple Root Program Policy Agreement` field to the Apple tab of the “Root Inclusion Request” case UI.
  • Introduce a short time delay when saving certificate record information to help avoid creating multiple identical Non-Audit Document records.
  • Update the `Subordinate CA Owner` tooltip to align with CCADB Policy Version 2.1.
During this update, values from the existing `Full CRL Issued By This CA` field will populate the new `JSON Array of all Full CRL URLs` field. CA Owners do not need to take action during the update. Once the update is complete, CA Owners will be responsible for maintaining the values for the `JSON Array of all Full CRL URLs` and `JSON Array of Partitioned CRL URLs`.

We will send a copy of this message to all CA Owners in the CCADB and plan to send another message here upon completing the update.

Thank you
-Chris, on behalf of the CCADB Steering Committee

Chris Clements

Mar 20, 2026, 1:33:13 PM
to public
All,

The CCADB update to support multiple full CRL URLs (among other items) is now complete. CA Owner access to the CCADB has been restored.

This update:
  • Added a new editable `JSON Array of all Full CRL URLs` field to certificate records that allows for a JSON array whose elements are the set of distinct full CRLDP URLs appearing in time-valid certificates issued by the CA. The existing `Full CRL Issued By This CA` field is now read only and automatically conveys the first URL presented in the new `JSON Array of all Full CRL URLs` field. Validation for these CRL related fields will enforce proper JSON array formatting. The ‘JSON Array of All Full CRL URLs’ field previously included the word ‘expired’ when a certificate was expired and ‘revoked’ when a certificate was revoked. However, these terms are no longer reflected. The Field Types and Valid Values page on ccadb.org was updated.
  • Updated the AddUpdateIntermediateCertAPI readme to support the new `JSON Array of all Full CRL URLs` field and deprecated `Full CRL Issued By This CA`.
  • Added new `Automation Solution Attestation` and `Public Test Infrastructure URL` fields for root certificate records; these fields can be updated via the "Add/Update Root Request" case UI.
  • Added an `Apple Root Program Policy Agreement` field to the Apple tab of the “Root Inclusion Request” case UI.
  • Introduced a short time delay when saving certificate record information to help avoid creating multiple identical Non-Audit Document records.
  • Updated the `Subordinate CA Owner` tooltip to align with CCADB Policy Version 2.1.
During this update, values from the existing `Full CRL Issued By This CA` field were used to populate the new `JSON Array of all Full CRL URLs` field. CA Owners are responsible for maintaining the values for the `JSON Array of all Full CRL URLs` and `JSON Array of Partitioned CRL URLs` going forward.

Please continue to contact CCADB Support (sup...@ccadb.org) with any questions regarding the CCADB.


Thank you
-Chris, on behalf of the CCADB Steering Committee

Andrew Ayer

Mar 20, 2026, 4:52:43 PM
to Chris Clements, pub...@ccadb.org
Hi Chris,

Will the All Certificate Information CSV report be updated to include the "JSON Array of all Full CRL URLs" field?

Regards,
Andrew

Chris Clements

Mar 20, 2026, 4:59:38 PM
to Andrew Ayer, pub...@ccadb.org
Hi Andrew, 

We were not planning to, but we probably could if you think it adds value. Do you see it being useful? 

Thanks
-Chris

--
You received this message because you are subscribed to the Google Groups "CCADB Public" group.
To unsubscribe from this group and stop receiving emails from it, send an email to public+un...@ccadb.org.
To view this discussion visit https://groups.google.com/a/ccadb.org/d/msgid/public/20260320165239.a77014ac0ab51b7e96d76358%40andrewayer.name.

Andrew Ayer

Mar 20, 2026, 5:04:03 PM
to Chris Clements, pub...@ccadb.org
On Fri, 20 Mar 2026 16:59:24 -0400
Chris Clements <ccle...@google.com> wrote:

> We were not planning to, but we probably could if you think it adds
> value. Do you see it being useful?

Hi Chris,

For CRL Watch, I would download all of the URLs to make sure they're all accessible and returning the same content.

Regards,
Andrew
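
An added example, not part of the thread and not CRL Watch's own code: a sketch of the check described in the message above, parsing a `JSON Array of all Full CRL URLs` value, fetching every URL, and grouping the URLs by the SHA-256 of what they return. The validation rules, the injected `fetch` callable and the example.com sample data are assumptions made for illustration.

```python
import hashlib
import json
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}  # assumption, not CCADB's documented rule


def parse_full_crl_urls(field_value):
    """Parse the field value into a list of distinct absolute URLs."""
    try:
        urls = json.loads(field_value)
    except json.JSONDecodeError as exc:
        raise ValueError(f"not valid JSON: {exc}") from None
    if not isinstance(urls, list):
        raise ValueError("expected a JSON array")
    for url in urls:
        if not isinstance(url, str):
            raise ValueError(f"non-string element: {url!r}")
        parts = urlsplit(url)
        if parts.scheme not in ALLOWED_SCHEMES or not parts.netloc:
            raise ValueError(f"not an absolute URL: {url!r}")
    if len(set(urls)) != len(urls):
        raise ValueError("duplicate URL in array")
    return urls


def check_crl_urls(field_value, fetch):
    """fetch(url) returns the body as bytes or raises OSError."""
    groups, unreachable = {}, []
    for url in parse_full_crl_urls(field_value):
        try:
            # URLs whose bodies hash identically land in the same group.
            groups.setdefault(hashlib.sha256(fetch(url)).hexdigest(), []).append(url)
        except OSError as exc:
            unreachable.append((url, str(exc)))
    return {"unreachable": unreachable, "groups": groups, "consistent": len(groups) <= 1}


# Constructed sample data: crl2 serves different bytes, crl3 is down.
SAMPLE_FIELD = json.dumps([f"http://crl{i}.example.com/ca.crl" for i in (1, 2, 3)])
SAMPLE_BODIES = {
    "http://crl1.example.com/ca.crl": b"constructed CRL body A",
    "http://crl2.example.com/ca.crl": b"constructed CRL body B",
}


def sample_fetch(url):
    if url not in SAMPLE_BODIES:
        raise OSError("connection refused")
    return SAMPLE_BODIES[url]
```

For live use, `fetch` can wrap `urllib.request.urlopen`, whose `URLError` is a subclass of `OSError`. A byte mismatch can also mean one location has not yet picked up a newly issued CRL, so a monitor would normally re-check before alerting.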

Chris Clements

Mar 20, 2026, 6:09:46 PM
to Andrew Ayer, pub...@ccadb.org
Understood. We'll plan an update to the report and communicate here on pub...@ccadb.org once it's ready.

Thanks for asking!
-Chris
