
Add a CRL to the CDS

Ensure that only valid certificates are used for federation-related PKI functions by configuring CRLs against which certificates are checked.

Important! Federation Manager explicitly requests LDAP CRLs in binary transfer encoding, using the certificateRevocationList;binary LDAP attribute. The CRL data must therefore be stored in this attribute. When a Certificate Authority (CA) publishes a CRL over LDAP, the directory must return the CRL data in binary format, in accordance with RFC 4522 and RFC 4523.

For Federation Manager to use a CRL, specify the CRL location.

Follow these steps:

  1. Go to the Certs and Keys tab.
  2. Select Revocation Lists (CRL).

    The list of available CRL locations is displayed.

  3. Click Add.

    The Add Certificate Revocation List is displayed.

    Note: You can click Help for a description of fields, controls, and their respective requirements.

  4. Specify an alias for the issuer of the CRL and the location (URL) of the certificate revocation list.

    The location must be a file path for a file CRL, or an LDAP search path for an LDAP CRL.

  5. Click Save.

The CRL is now added to the certificate data store.
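The following script is an added example and is not part of Federation Manager. It runs the pre-flight checks a practitioner would want before entering a location in step 4: it accepts the two location forms the procedure describes (a file path, or an LDAP search path laid out as an RFC 4516 URL), confirms that an LDAP search path actually requests the certificateRevocationList;binary attribute from the Important note, and sanity-checks that bytes read back from that attribute are a complete DER blob rather than PEM text. Accepting ldaps:// alongside ldap://, the function names, and the sample locations and blobs are all assumptions made here; the sample byte strings are constructed stand-ins, not real CRLs.

```python
"""Pre-flight checks for a CRL location before it is added to the CDS.

Added example, not part of Federation Manager. Function names, the sample
locations and the sample blobs below are constructed for illustration.
"""
from __future__ import annotations

import os
from dataclasses import dataclass, field
from urllib.parse import unquote, urlsplit

BINARY_CRL_ATTR = "certificateRevocationList;binary"   # attribute the product reads
LDAP_SCOPES = {"base", "one", "sub"}                    # RFC 4516 scope values


@dataclass
class CrlLocationCheck:
    kind: str                                   # "file" or "ldap"
    target: str                                 # file path or base DN
    attributes: list[str] = field(default_factory=list)
    problems: list[str] = field(default_factory=list)

    @property
    def ok(self) -> bool:
        return not self.problems


def check_ldap_crl_location(url: str) -> CrlLocationCheck:
    """Validate an LDAP search path: ldap://host[:port]/dn?attrs?scope?filter."""
    parts = urlsplit(url)
    result = CrlLocationCheck(kind="ldap", target=unquote(parts.path.lstrip("/")))
    if parts.scheme.lower() not in ("ldap", "ldaps"):     # ldaps accepted by assumption
        result.problems.append(f"scheme {parts.scheme!r} is not ldap or ldaps")
    if not parts.hostname:
        result.problems.append("missing LDAP host")
    if not result.target:
        result.problems.append("missing base DN")
    # urlsplit keeps everything after the first '?' in .query, so the
    # attrs?scope?filter?extensions fields have to be split again here.
    url_fields = parts.query.split("?") if parts.query else []
    raw_attrs = url_fields[0] if url_fields else ""
    result.attributes = [unquote(a.strip()) for a in raw_attrs.split(",") if a.strip()]
    scope = url_fields[1].strip().lower() if len(url_fields) > 1 and url_fields[1].strip() else "base"
    if scope not in LDAP_SCOPES:
        result.problems.append(f"unknown search scope {scope!r}")
    lowered = [a.lower() for a in result.attributes]     # attribute names are case-insensitive
    if BINARY_CRL_ATTR.lower() not in lowered:
        if "certificaterevocationlist" in lowered:
            result.problems.append(
                "certificateRevocationList is requested without the ;binary option; "
                "Federation Manager reads certificateRevocationList;binary")
        else:
            result.problems.append(f"search path does not request {BINARY_CRL_ATTR}")
    return result


def check_file_crl_location(path: str) -> CrlLocationCheck:
    """Validate a file CRL location: the path must point at an existing regular file."""
    result = CrlLocationCheck(kind="file", target=path)
    if not os.path.isfile(path):
        result.problems.append(f"no regular file at {path!r}")
    return result


def check_crl_location(location: str) -> CrlLocationCheck:
    """Dispatch on the two location forms the procedure accepts."""
    if location.lower().startswith(("ldap://", "ldaps://")):
        return check_ldap_crl_location(location)
    return check_file_crl_location(location)


def looks_like_der_crl(blob: bytes) -> tuple[bool, str]:
    """Sanity-check bytes read from the attribute: a complete outer DER SEQUENCE
    (the CertificateList), not PEM text and not a truncated transfer."""
    if blob.lstrip().startswith(b"-----BEGIN"):
        return False, "PEM text, not binary DER"
    if len(blob) < 2 or blob[0] != 0x30:
        return False, "does not start with a DER SEQUENCE tag (0x30)"
    first = blob[1]
    if first < 0x80:                       # short-form length byte
        header, length = 2, first
    else:                                  # long form: next n bytes hold the length
        n = first & 0x7F
        if n == 0 or len(blob) < 2 + n:
            return False, "malformed DER length"
        header, length = 2 + n, int.from_bytes(blob[2:2 + n], "big")
    if header + length != len(blob):
        return False, f"DER length {length} does not match {len(blob) - header} content bytes"
    return True, "complete DER SEQUENCE"


# Constructed sample blobs (not real CRLs): a minimal DER SEQUENCE holding one
# INTEGER, the same bytes with a length that overruns the blob, and PEM text.
SAMPLE_DER = bytes.fromhex("3003020101")
SAMPLE_TRUNCATED = bytes.fromhex("3010020101")
SAMPLE_PEM = b"-----BEGIN X509 CRL-----\nAAAA\n-----END X509 CRL-----\n"


if __name__ == "__main__":
    for loc in (
        "ldap://ldap.example.com:389/cn=Example%20CA,ou=pki,dc=example,dc=com"
        "?certificateRevocationList;binary?base?(objectClass=cRLDistributionPoint)",
        "ldap://ldap.example.com/cn=Example%20CA,dc=example,dc=com?certificateRevocationList",
        "/etc/pki/crl/example-ca.crl",
    ):
        r = check_crl_location(loc)
        print(r.kind, "OK" if r.ok else "PROBLEMS", r.target, r.problems)
    for name, blob in (("der", SAMPLE_DER), ("truncated", SAMPLE_TRUNCATED), ("pem", SAMPLE_PEM)):
        print(name, looks_like_der_crl(blob))
```

The LDAP check reports the most common misconfiguration separately: a search path that names certificateRevocationList without the ;binary option parses cleanly but is not what Federation Manager requests, so it is flagged rather than silently accepted. The DER check only inspects the outer SEQUENCE header, which is enough to catch a text-encoded or truncated CRL before the product tries to use it; full parsing and signature verification of the CRL is left to the product.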