A Certificate Revocation List (CRL) is issued by a Certificate Authority (CA) to its subscribers. The list contains the serial numbers of the certificates that the CA has revoked. When a client presents a certificate to a server, the server allows or denies access depending on whether that certificate's serial number appears in the CRL.
The smkeydatabase must point to a current CRL for each root CA certificate so that the Policy Server can enforce secure access. The smkeytool utility, which modifies the smkeydatabase, provides a set of command options for adding and maintaining CRLs.
If you use CRLs, specify the location of each CRL for the smkeydatabase. How a CRL is updated depends on its type. For a file CRL, point the smkeydatabase to the most recent file whenever the CA publishes a new one. For an LDAP CRL, once the location of the list is specified, the server administrator can configure the list to be updated automatically.
Note: The CRL feature for the smkeydatabase has no relationship to the SiteMinder client certificate authentication scheme. Federation CRL features must be configured on their own.
The CRL feature for the smkeydatabase supports the following:
The CRL feature does not support the Online Certificate Status Protocol (OCSP).
You can add a CRL to the smkeydatabase using smkeytool.
To add a CRL to the smkeydatabase
Example:
smkeytool -addRevocationInfo -issueralias verisignca -type filecrl -location c:\crls\verisign_root_ca.crl
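Because a file CRL only stays valid until its nextUpdate time, a stale file silently stops protecting the Policy Server. The following wrapper, added here as an example and not part of CA's own tooling, parses the CRL with openssl and refuses to run the smkeytool command above unless the list is still current. It assumes openssl and GNU date are on the PATH and that the smkeytool location can be set through the SMKEYTOOL variable (an assumption, not a documented setting).

```shell
#!/bin/sh
# Added example (not CA's own tooling): register a file CRL in the
# smkeydatabase only if it parses and its nextUpdate is still in the future.
# Assumes: openssl, GNU date (-d), and smkeytool on PATH (SMKEYTOOL is an
# assumed override, not a documented setting).
SMKEYTOOL="${SMKEYTOOL:-smkeytool}"

# $1 is a date string as printed by "openssl crl -nextupdate",
# e.g. "Jan  1 00:00:00 2030 GMT". Returns 0 if it is still in the future.
nextupdate_is_future() {
    next_epoch=$(date -u -d "$1" +%s 2>/dev/null) || return 1
    now_epoch=$(date -u +%s)
    [ "$next_epoch" -gt "$now_epoch" ]
}

# $1 is a CRL file (PEM or DER). Returns 0 if it parses and is not expired.
crl_is_current() {
    crl="$1"
    next=$(openssl crl -inform PEM -noout -nextupdate -in "$crl" 2>/dev/null) ||
    next=$(openssl crl -inform DER -noout -nextupdate -in "$crl" 2>/dev/null) ||
    return 1
    # openssl prints "nextUpdate=<date>"; strip the prefix before parsing.
    nextupdate_is_future "${next#nextUpdate=}"
}

# $1 issuer alias, $2 CRL path. Registers the CRL only after the check passes.
register_file_crl() {
    if ! crl_is_current "$2"; then
        echo "refusing to register $2: CRL missing, unparsable, or expired" >&2
        return 1
    fi
    "$SMKEYTOOL" -addRevocationInfo -issueralias "$1" -type filecrl -location "$2"
}

# Usage: register_file_crl verisignca /path/to/verisign_root_ca.crl
```

Run the wrapper from the job that fetches new CRLs so an expired or truncated download is rejected rather than installed.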
Copyright © 2011 CA. All rights reserved.