

Check Certificate Validity with CRLs

A Certificate Revocation List (CRL) is issued by a Certificate Authority to its subscribers. The list contains serial numbers of certificates that are invalid or have been revoked. When a request to access a server is received, the server allows or denies access based on the CRL.

Federation can leverage CRLs for its certificate functions. For CA SiteMinder® to use a CRL, the certificate data store must point to a current CRL. If CA SiteMinder® attempts to use a revoked partner certificate, an error message is displayed. For legacy federation, the error message is in the SAML assertion. The message indicates that authentication failed.

Note: Federation features implement the use of CRLs differently than X.509 authentication schemes. The authentication schemes use an independent LDAP directory that stores CRLs. The authentication schemes do not use the certificate data store.

CA SiteMinder® supports the following CRL features:

CA SiteMinder® does not validate an SSL server certificate against a CRL. The web server where the CA SiteMinder® web agent is installed manages the SSL server certificate.

You are not required to have a CRL for each root CA in the system. If there is no CRL for the root CA, it is assumed that all certificates signed by that CA are trusted certificates.

Add a CRL for Certificate Management

Use CRLs to help ensure that only valid certificates are used for PKI functions; the validity of each certificate is verified against the CRL.

Important! CA SiteMinder® explicitly requests LDAP CRLs in binary encoding. Additionally, CRL data must be stored in the LDAP attribute named certificateRevocationList;binary or authorityRevocationList;binary. When a Certificate Authority (CA) publishes an LDAP CRL, it must return the CRL data in binary format, in accordance with RFC4522 and RFC4523. Otherwise, CA SiteMinder® cannot use it.

A CRL cannot be used until its location is configured.

Follow these steps:

  1. Log in to the Administrative UI.
  2. Select Infrastructure, X509 Certificate Management, Certificate Validity.
  3. Click Add.

    The Configure Revocation List dialog opens.

  4. Specify an alias for the CRL and the location (URL) of the certificate revocation list.

    The location must be a file path for a file-based CRL or an LDAP search path for an LDAP CRL.

  5. Click Save.

The CRL is added to the certificate data store.
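The following Go program is an added illustration, not CA SiteMinder® code, of the checks a relying party performs against a DER-encoded CRL of the kind the binary LDAP attribute must hold: parse it, verify the CA's signature, refuse a CRL whose nextUpdate has passed, and reject a listed serial. The CA, its key and the CRL are constructed in-process as a test fixture; the names checkSerial and buildTestCRL are this example's own.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// checkSerial returns nil when serial may be trusted against crlDER, a DER ("binary") CRL: it must parse, be signed by issuer, not be past nextUpdate, and not list serial.
func checkSerial(crlDER []byte, issuer *x509.Certificate, serial *big.Int, now time.Time) error {
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return fmt.Errorf("CRL is not valid DER: %w", err)
	}
	if err := crl.CheckSignatureFrom(issuer); err != nil {
		return fmt.Errorf("CRL not signed by the expected CA: %w", err)
	}
	if now.After(crl.NextUpdate) { // a stale CRL must be refreshed before its verdict is trusted
		return fmt.Errorf("CRL is stale: nextUpdate %s has passed", crl.NextUpdate.UTC().Format(time.RFC3339))
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(serial) == 0 {
			return fmt.Errorf("serial %x revoked since %s", serial, rc.RevocationTime.UTC().Format(time.RFC3339))
		}
	}
	return nil
}

// buildTestCRL makes a throwaway CA and a CRL it signs listing one serial (constructed fixture, not a real partner CA).
func buildTestCRL(revoked *big.Int, now time.Time) ([]byte, *x509.Certificate) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Test Partner CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour), IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign} // crlSign is required to issue a CRL
	caDER, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	ca, _ := x509.ParseCertificate(caDER)
	crl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: now, NextUpdate: now.Add(12 * time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: revoked, RevocationTime: now}}}
	crlDER, _ := x509.CreateRevocationList(rand.Reader, crl, ca, priv)
	return crlDER, ca
}

func main() {
	crlDER, ca := buildTestCRL(big.NewInt(0x1A2B), time.Now())
	fmt.Println(checkSerial(crlDER, ca, big.NewInt(0x1A2B), time.Now()), "|", checkSerial(crlDER, ca, big.NewInt(0x1A2C), time.Now()))
}
```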

Update a CRL

Update a CRL to ensure that the certificate data in use is current.

Follow these steps:

  1. Log in to the Administrative UI.
  2. Select Infrastructure, X509 Certificate Management, Certificate Validity.
  3. Delete a CRL from the list.
  4. Do one of the following steps to add a CRL: