A Certificate Revocation List (CRL) is issued by a Certificate Authority to its subscribers. The list contains serial numbers of certificates that are invalid or have been revoked. When a request to access a server is received, the server allows or denies access based on the CRL.
Federation can leverage CRLs for its certificate functions. For CA SiteMinder® to use a CRL, the certificate data store must point to a current CRL. If CA SiteMinder® tries using a revoked partner certificate, you see an error message. For legacy federation, the error message is in the SAML assertion. The message indicates that authentication failed.
Note: Federation features implement the use of CRLs differently than X.509 authentication schemes. The authentication schemes use an independent LDAP directory that stores CRLs. The authentication schemes do not use the certificate data store.
CA SiteMinder® supports the following CRL features:
CA SiteMinder® stores CRLs in the certificate data store. File-based CRLs must be in Base64 or binary encoding. LDAP CRLs must be in binary encoding. Additionally, LDAP CRLs must include CRL data in one of the following attributes:
When a Certificate Authority publishes an LDAP CRL, it must return the CRL data in binary format, in accordance with RFC4522 and RFC4523. Otherwise, CA SiteMinder® cannot use it.
CA SiteMinder® does not validate an SSL server certificate against a CRL. The web server where the CA SiteMinder® web agent is installed manages the SSL server certificate.
You are not required to have a CRL for each root CA in the system. If there is no CRL for the root CA, it is assumed that all certificates signed by that CA are trusted certificates.
Help ensure that only valid certificates are used for PKI functions by using CRLs. Verify the validity of certificates against a CRL.
Important! CA SiteMinder® explicitly requests LDAP CRLs in binary encoding. Additionally, CRL data must be stored in the LDAP attribute named certificateRevocationList;binary or authorityRevocationList;binary. When a Certificate Authority (CA) publishes an LDAP CRL, it must return the CRL data in binary format, in accordance with RFC4522 and RFC4523. Otherwise, CA SiteMinder® cannot use it.
The CRL location is required to use a CRL.
Follow these steps:
The Configure Revocation List dialog opens.
The location has to be a file path for a file CRL and an LDAP search path for an LDAP CRL.
The CRL is added to the certificate data store.
Update a CRL to verify that the certificate data in use is current.
Follow these steps:
Copyright © 2014 CA.
All rights reserved.
|
|