ibm-information-center/dist/eclipse/plugins/i5OS.ic.rzahu_5.4.0.1/rzahurzahucertrevlist.htm
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en-us" xml:lang="en-us">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="security" content="public" />
<meta name="Robots" content="index,follow" />
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
<meta name="DC.Type" content="concept" />
<meta name="DC.Title" content="Certificate Revocation List (CRL) Locations" />
<meta name="abstract" content="A Certificate Revocation List (CRL) is a file that lists all invalid and revoked certificates for a specific Certificate Authority (CA)." />
<meta name="description" content="A Certificate Revocation List (CRL) is a file that lists all invalid and revoked certificates for a specific Certificate Authority (CA)." />
<meta name="DC.Relation" scheme="URI" content="rzahurzahu4abunderstanddc.htm" />
<meta name="DC.Relation" scheme="URI" content="rzahurzahucrl2managecrls.htm" />
<meta name="DC.Relation" scheme="URI" content="rzahurzahuvalidatecertsapps.htm" />
<meta name="copyright" content="(C) Copyright IBM Corporation 2000, 2006" />
<meta name="DC.Rights.Owner" content="(C) Copyright IBM Corporation 2000, 2006" />
<meta name="DC.Format" content="XHTML" />
<meta name="DC.Identifier" content="rzahucrl_cert_rev_list" />
<meta name="DC.Language" content="en-us" />
<!-- All rights reserved. Licensed Materials Property of IBM -->
<!-- US Government Users Restricted Rights -->
<!-- Use, duplication or disclosure restricted by -->
<!-- GSA ADP Schedule Contract with IBM Corp. -->
<link rel="stylesheet" type="text/css" href="./ibmdita.css" />
<link rel="stylesheet" type="text/css" href="./ic.css" />
<title>Certificate Revocation List (CRL) Locations</title>
</head>
<body id="rzahucrl_cert_rev_list"><a name="rzahucrl_cert_rev_list"><!-- --></a>
<!-- Java sync-link --><script language="Javascript" src="../rzahg/synch.js" type="text/javascript"></script>
<h1 class="topictitle1">Certificate Revocation List (CRL) Locations</h1>
<div><p>A Certificate Revocation List (CRL) is a file that lists all invalid
and revoked certificates for a specific Certificate Authority (CA).</p>
<p>CAs periodically update their CRLs and make them available
for others to publish in Lightweight Directory Access Protocol (LDAP) directories.
A few CAs, such as SSH in Finland, publish the CRL themselves in LDAP directories
that you can access directly. If a CA publishes its own CRL, the certificate
indicates this by including a CRL distribution point extension in the form
of a Uniform Resource Identifier (URI).</p>
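<p>The CRL distribution point extension mentioned above is a DER-encoded structure (RFC 5280, OID 2.5.29.31) whose names are usually LDAP or HTTP URIs. The following added example, which is not part of this topic or of DCM, walks that structure with a small DER reader and returns the URIs; the sample extension value, host names and LDAP query it parses are constructed here for illustration.</p>

```python
"""Extract CRL distribution point URIs from a certificate's
CRLDistributionPoints extension (RFC 5280, OID 2.5.29.31).

Added example: the DER helpers and the sample extension value are
constructed here and are not DCM or IBM code.
"""

# DER tag bytes used by this extension
SEQUENCE = 0x30
CTX0_CONSTRUCTED = 0xA0  # [0] distributionPoint (explicit) and [0] fullName (implicit SEQUENCE OF)
GENERALNAME_URI = 0x86   # [6] uniformResourceIdentifier, IA5String (implicit, primitive)


def der_length(n):
    """Encode a DER length (short form below 128, long form otherwise)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag, content):
    """Build one tag-length-value element."""
    return bytes([tag]) + der_length(len(content)) + content


def der_iter(data):
    """Yield (tag, content) for each TLV in `data`; reject truncated input."""
    i = 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated TLV header")
        tag, first = data[i], data[i + 1]
        i += 2
        if tag & 0x1F == 0x1F:
            raise ValueError("multi-byte tags are not used in this extension")
        if first < 0x80:
            length = first
        else:
            nbytes = first & 0x7F
            if nbytes == 0 or nbytes > 4 or i + nbytes > len(data):
                raise ValueError("bad long-form length")
            length = int.from_bytes(data[i:i + nbytes], "big")
            i += nbytes
        content = data[i:i + length]
        if len(content) != length:
            raise ValueError("truncated TLV content")
        i += length
        yield tag, content


def crl_dp_uris(ext_value):
    """Return the URI-form distribution point names, in certificate order."""
    items = list(der_iter(ext_value))
    if len(items) != 1 or items[0][0] != SEQUENCE:
        raise ValueError("CRLDistributionPoints must be a single SEQUENCE")
    uris = []
    for tag, dp in der_iter(items[0][1]):
        if tag != SEQUENCE:
            raise ValueError("DistributionPoint must be a SEQUENCE")
        for ftag, field in der_iter(dp):
            if ftag != CTX0_CONSTRUCTED:
                continue  # [1] reasons and [2] cRLIssuer are not needed here
            for ntag, names in der_iter(field):
                if ntag != CTX0_CONSTRUCTED:
                    continue  # [1] nameRelativeToCRLIssuer carries no URI
                for gtag, gname in der_iter(names):
                    if gtag == GENERALNAME_URI:
                        uris.append(gname.decode("ascii"))
    return uris


def ldap_uris(ext_value):
    """Only the ldap:// names; these are what a DCM CRL location definition points at."""
    return [u for u in crl_dp_uris(ext_value) if u.lower().startswith("ldap://")]


# --- constructed sample: one LDAP and one HTTP distribution point (placeholder hosts)
LDAP_URI = "ldap://ldap.example.com/cn=Example%20CA,o=Example?certificateRevocationList"
HTTP_URI = "http://crl.example.com/example-ca.crl"


def distribution_point(uri):
    """Encode DistributionPoint { distributionPoint [0] { fullName [0] { [6] uri } } }."""
    full_name = der_tlv(CTX0_CONSTRUCTED, der_tlv(GENERALNAME_URI, uri.encode("ascii")))
    return der_tlv(SEQUENCE, der_tlv(CTX0_CONSTRUCTED, full_name))


SAMPLE_EXT = der_tlv(SEQUENCE, distribution_point(LDAP_URI) + distribution_point(HTTP_URI))

if __name__ == "__main__":
    for uri in crl_dp_uris(SAMPLE_EXT):
        print(uri)
```

<p>The sample extension is deliberately just over 127 bytes so that the outer SEQUENCE uses a long-form length, the case a hand-written reader most often gets wrong; a truncated value raises instead of returning a partial list.</p>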
<p>Digital Certificate Manager (DCM) allows you to define and manage CRL
location information to ensure more stringent authentication for certificates
that you use or you accept from others. A CRL location definition describes
the location of, and access information for, the Lightweight Directory Access
Protocol (LDAP) server that stores the CRL.</p>
<p><img src="./delta.gif" alt="Start of change" />When connecting to an LDAP server, you need to supply a DN and
password to avoid binding anonymously to the LDAP server. Binding anonymously
to the server does not provide the level of authority needed to access a "critical"
attribute such as the CRL. In such a case, DCM may validate a certificate
that has a revoked status because DCM is unable to obtain the correct status from
the CRL. If you want to access the LDAP server anonymously, you need to use
the Directory Server Web Administration Tool and select the "Manage schema"
task to change the security class (also referred to as "access class") of
the <span class="uicontrol">certificateRevocationList</span> and <span class="uicontrol">authorityRevocationList</span> attributes
from "critical" to "normal".<img src="./deltaend.gif" alt="End of change" /></p>
<p>Applications that perform certificate authentication access the CRL location,
if one is defined, for a specific CA to ensure that the CA has not revoked
a specific certificate. DCM allows you to define and manage the CRL location
information that applications need to perform CRL processing during certificate
authentication. Examples of applications and processes that may perform CRL
processing for certificate authentication are: the virtual private networking
(VPN) Internet Key Exchange (IKE) server, Secure Sockets Layer (SSL)-enabled applications,
and the object signing process. Also, when you define a CRL location and associate
it with a CA certificate, DCM performs CRL processing as part of the validation
process for certificates that the specified CA issues.</p>
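<p>The two preceding points, that an anonymous bind can leave the CRL unreadable and that CRL processing is part of certificate validation, meet in one decision: what a validator does when it cannot obtain a usable CRL. The added example below is not DCM code; it models the LDAP retrieval as a lookup in a constructed store, with placeholder issuer names, serial numbers and dates, and shows a revocation check that reports "undetermined" for a missing, stale or wrong-issuer CRL and rejects in that case unless soft-fail is explicitly chosen.</p>

```python
"""Revocation check that fails closed when the CRL cannot be obtained.

Added example: the CRL record, the store and the serial numbers are
constructed stand-ins for what an LDAP server would return; none of it
is DCM or IBM code.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum


class Status(Enum):
    GOOD = "good"
    REVOKED = "revoked"
    UNDETERMINED = "undetermined"  # no usable CRL: missing, wrong issuer, or stale


@dataclass(frozen=True)
class Crl:
    issuer: str
    this_update: datetime
    next_update: datetime
    revoked_serials: frozenset  # serial numbers as ints


def fetch_crl(location, store, bound=True):
    """Stand-in for reading the certificateRevocationList attribute over LDAP.

    With an anonymous bind the attribute's access class makes the read fail,
    so the caller gets None instead of a CRL (the situation the text describes).
    """
    if not bound:
        return None
    return store.get(location)


def check_revocation(issuer, serial, crl, now):
    """Classify one certificate against a CRL; never guess when the CRL is unusable."""
    if crl is None or crl.issuer != issuer:
        return Status.UNDETERMINED
    if not (crl.this_update <= now < crl.next_update):
        return Status.UNDETERMINED  # a stale or not-yet-valid CRL is not evidence
    return Status.REVOKED if serial in crl.revoked_serials else Status.GOOD


def accept_certificate(issuer, serial, crl, now, soft_fail=False):
    """True when the certificate may be trusted.

    soft_fail=True reproduces the weak behaviour: an unobtainable CRL is treated
    as if nothing were revoked. Hard fail (the default) rejects instead.
    """
    status = check_revocation(issuer, serial, crl, now)
    if status is Status.REVOKED:
        return False
    if status is Status.GOOD:
        return True
    return soft_fail


# --- constructed sample data (placeholder names, serials and dates)
ISSUER = "cn=Example CA,o=Example"
CRL_LOCATION = "ldap://ldap.example.com/cn=Example%20CA,o=Example?certificateRevocationList"
NOW = datetime(2006, 6, 1, 12, 0, tzinfo=timezone.utc)
STORE = {
    CRL_LOCATION: Crl(
        issuer=ISSUER,
        this_update=NOW - timedelta(days=1),
        next_update=NOW + timedelta(days=6),
        revoked_serials=frozenset({0x1001, 0x1003}),
    )
}
REVOKED_SERIAL = 0x1001
VALID_SERIAL = 0x2002


def run_scenarios():
    """Outcome for the revoked serial under each retrieval condition."""
    authenticated = fetch_crl(CRL_LOCATION, STORE, bound=True)
    anonymous = fetch_crl(CRL_LOCATION, STORE, bound=False)
    return {
        "bound_hard_fail": accept_certificate(ISSUER, REVOKED_SERIAL, authenticated, NOW),
        "anonymous_hard_fail": accept_certificate(ISSUER, REVOKED_SERIAL, anonymous, NOW),
        "anonymous_soft_fail": accept_certificate(ISSUER, REVOKED_SERIAL, anonymous, NOW, soft_fail=True),
    }


if __name__ == "__main__":
    for name, accepted in run_scenarios().items():
        print(f"{name}: {'accepted' if accepted else 'rejected'}")
```

<p>Only the soft-fail scenario accepts the revoked certificate, which is exactly the outcome the access-class note warns about; keeping "undetermined" distinct from "good" is what makes the default path reject it.</p>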
</div>
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="rzahurzahu4abunderstanddc.htm" title="View this information to better understand what digital certificates are and how they work. Learn about the different types of certificates and how you can use them as part of your security policy.">DCM concepts</a></div>
</div>
<div class="relconcepts"><strong>Related concepts</strong><br />
<div><a href="rzahurzahuvalidatecertsapps.htm" title="You can use Digital Certificate Manager (DCM) to validate individual certificates or the applications that use them. The list of things that DCM checks differs slightly depending on whether you are validating a certificate or an application.">Validate certificates and applications</a></div>
</div>
<div class="reltasks"><strong>Related tasks</strong><br />
<div><a href="rzahurzahucrl2managecrls.htm" title="Digital Certificate Manager (DCM) allows you to define and manage Certificate Revocation List (CRL) location information for a specific Certificate Authority (CA) to use as part of the certificate validation process.">Manage CRL locations</a></div>
</div>
</div>
</body>
</html>