Certificate Revocation List (CRL) Locations

A Certificate Revocation List (CRL) is a file that lists all invalid and revoked certificates for a specific Certificate Authority (CA).

CA's periodically update their CRLs and make them available for others to publish in Lightweight Directory Access Protocol (LDAP) directories. A few CAs, such as SSH in Finland, publish the CRL themselves in LDAP directories that you can access directly. If a CA publishes their own CRL, the certificate indicates this by including a CRL distribution point extension in the form of a Uniform Resource Identifier (URI).

Digital Certificate Manager (DCM) allows you to define and manage CRL location information to ensure more stringent authentication for certificates that you use or you accept from others. A CRL location definition describes the location of, and access information for, the Lightweight Directory Access Protocol (LDAP) server that stores the CRL.

Start of changeWhen connecting to an LDAP server you need to supply a DN and password to avoid anonymously binding to an LDAP server. Binding anonymously to the server does not provide the level of authority needed to access a "critical” attribute such as the CRL. In such a case, DCM may validate a certificate with a revoked status because DCM is unable to obtain the correct status from the CRL. If you want to access the LDAP server anonymously, you need to use the Directory Server Web Administration Tool and select the "Manage schema" task to change the security class (also referred to as "access class") of the certificateRevocationList and authorityRevocationList attributes from "critical" to "normal".End of change

Applications that perform certificate authentication access the CRL location, if one is defined, for a specific CA to ensure that the CA has not revoked a specific certificate. DCM allows you to define and manage the CRL location information that applications need to perform CRL processing during certificate authentication. Examples of applications and processes that may perform CRL processing for certificate authentication are: the virtual private networking (VPN) Internet Key Exchange (IKE) server, Secure Sockets Layer (SSL) enabled-applications, and the object signing process. Also, when you define a CRL location and associate it with a CA certificate, DCM performs CRL processing as part of the validating process for certificates that the specified CA issues. .

Related concepts
Validate certificates and applications
Related tasks
Manage CRL locations