Certificate Revocation List Usage

A Certificate Revocation List (CRL) is issued by a Certificate Authority to its subscribers. The list contains the serial numbers of certificates that have been revoked or are otherwise invalid. When a request to access a server is received, the server allows or denies access based on whether the presented certificate appears in the CRL.

If you use CRLs, the key database must point to a current CRL so that Federation Manager can enforce secure access. If Federation Manager attempts to use a revoked partner certificate, an error message is displayed.

You are not required to have a CRL for each root CA in the system. If there is no CRL for a root CA, Federation Manager treats all certificates signed by that CA as trusted.

The Federation Manager key database accepts file-based CRLs in Base64 or binary encoding and LDAP CRLs in binary encoding. If you plan to use LDAP CRLs, note that Federation Manager explicitly requests them in binary transfer encoding through the certificateRevocationList;binary LDAP attribute, so the CRL data must be stored in that attribute. When a Certificate Authority (CA) publishes a CRL over LDAP, it must return the CRL data in binary format, in accordance with RFC 4522 and RFC 4523.
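The following Python is an added example, not part of this documentation and not Federation Manager's own code. It shows what the two preceding paragraphs describe: a file-based CRL arrives in either Base64 (PEM) or binary (DER) encoding, the revoked serial numbers are read out of its revokedCertificates list, and a presented certificate is allowed or denied by serial number. It contains only a minimal DER walker for the RFC 5280 CertificateList layout and builds its own constructed sample CRL; the issuer name, serial numbers, dates and the all-zero signature are made up. A real consumer must also verify the CRL signature against the issuing CA's certificate and honor nextUpdate before trusting the list; that step is deliberately left out here.

```python
import base64
import re

# Minimal DER tag-length-value helpers, enough to walk the CRL skeleton
# defined in RFC 5280 (CertificateList / TBSCertList). Added example only.

def _read_tlv(data, pos):
    """Return (tag, value, next_pos) for the TLV element starting at pos."""
    tag = data[pos]
    length = data[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(data[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, data[pos:pos + length], pos + length

def _children(value):
    """Yield (tag, value) for each element inside a constructed value."""
    pos = 0
    while pos < len(value):
        tag, inner, pos = _read_tlv(value, pos)
        yield tag, inner

def _tlv(tag, value):
    """Encode one DER element, using long-form length when needed."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value

def _integer(n):
    """DER INTEGER for a non-negative n (extra byte keeps the sign bit clear)."""
    return _tlv(0x02, n.to_bytes(n.bit_length() // 8 + 1, "big"))

def load_crl(raw):
    """Accept a CRL in Base64 (PEM) or binary (DER) form and return DER bytes."""
    if raw.lstrip().startswith(b"-----BEGIN"):
        body = re.sub(rb"-----[^-]+-----", b"", raw)
        return base64.b64decode(b"".join(body.split()))
    return raw

def revoked_serials(crl_der):
    """Return the set of serial numbers listed in revokedCertificates."""
    tag, cert_list, _ = _read_tlv(crl_der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE (is this CRL really binary?)")
    _, tbs = next(_children(cert_list))           # tbsCertList
    fields = list(_children(tbs))
    idx = 1 if fields[0][0] == 0x02 else 0        # optional version
    idx += 3                                       # signature, issuer, thisUpdate
    if idx < len(fields) and fields[idx][0] in (0x17, 0x18):
        idx += 1                                   # optional nextUpdate
    serials = set()
    if idx < len(fields) and fields[idx][0] == 0x30:  # revokedCertificates
        for _, entry in _children(fields[idx][1]):
            _, serial = next(_children(entry))     # userCertificate INTEGER
            serials.add(int.from_bytes(serial, "big", signed=True))
    return serials

def access_decision(presented_serial, crl_der):
    """Allow unless the presented certificate's serial number is revoked."""
    return "deny" if presented_serial in revoked_serials(crl_der) else "allow"

# --- constructed sample data (not from any real CA) ---

SHA256_RSA = _tlv(0x30, _tlv(0x06, bytes.fromhex("2a864886f70d01010b")))  # 1.2.840.113549.1.1.11

def build_sample_crl(revoked, issuer_cn=b"Example CA"):
    """Build a structurally valid CRL with a placeholder (unsigned) signature."""
    issuer = _tlv(0x30, _tlv(0x31, _tlv(0x30,
        _tlv(0x06, bytes.fromhex("550403")) + _tlv(0x0C, issuer_cn))))  # CN=
    entries = b"".join(
        _tlv(0x30, _integer(s) + _tlv(0x17, b"240101000000Z")) for s in revoked)
    tbs = _tlv(0x30, _integer(1) + SHA256_RSA + issuer
               + _tlv(0x17, b"240101000000Z") + _tlv(0x17, b"250101000000Z")
               + _tlv(0x30, entries))
    # Placeholder signature: a real consumer must verify this against the
    # issuing CA's certificate before trusting the list.
    signature = _tlv(0x03, b"\x00" + b"\x00" * 8)
    return _tlv(0x30, tbs + SHA256_RSA + signature)

def to_pem(der):
    """Wrap DER in the Base64 (PEM) form the key database also accepts."""
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN X509 CRL-----\n{body}\n-----END X509 CRL-----\n".encode()

if __name__ == "__main__":
    der = build_sample_crl([4096, 77])
    for blob in (der, to_pem(der)):
        print(sorted(revoked_serials(load_crl(blob))))        # [77, 4096]
    print(access_decision(77, der), access_decision(78, der))  # deny allow
```

The same `load_crl` accepts the binary form an LDAP directory returns from certificateRevocationList;binary, since that is plain DER; only the Base64 branch is specific to text files.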

To add and maintain a CRL, use the Federation Manager UI.

Note: This release of Federation Manager does not support the Online Certificate Status Protocol (OCSP).