If the Entrust Certificate Authority or CRL server is hosted in the same data center as the Validation Authority, and that data center fails, the Validation Authority deployment in the remaining data center continues to return valid OCSP responses. The thisUpdate field in these responses reflects the last time Validation Authority successfully retrieved revocation status information.
If Entrust Certificate Authority or the CRL server takes an extended time to recover and Validation Authority is unable to refresh the revocation data, some clients may begin rejecting the OCSP responses, considering the thisUpdate value is too old.
It is the customer's responsibility to restore Entrust Certificate Authority or the CRL server in a working data center following the appropriate disaster recovery procedures for that service, and to reconfigure the Validation Authority deployments if the restored service is accessible at a different URL.