

Check Certificate Validity with CRLs

A Certificate Revocation List (CRL) is issued by a Certificate Authority to its subscribers. The list contains serial numbers of certificates that are invalid or have been revoked. When a request to access a server is received, the server allows or denies access based on the CRL.

CA SiteMinder® federation can leverage CRLs for its certificate functions. For CA SiteMinder® to use a CRL, the certificate data store must point to a current CRL. If CA SiteMinder® tries using a revoked partner certificate, you see an error message. For legacy federation, the error message is in the SAML assertion. The message indicates that authentication failed.

Note: Federation features implement the use of CRLs differently than CA SiteMinder® X.509 authentication schemes. The authentication schemes use an independent LDAP directory that stores CRLs. The authentication schemes do not use the certificate data store.

CA SiteMinder® supports the following CRL features:

  * CA SiteMinder® does not validate an SSL server certificate against a CRL. The web server where the CA SiteMinder® web agent is installed manages the SSL server certificate.

  * You are not required to have a CRL for each root CA in the system. If there is no CRL for the root CA, CA SiteMinder® assumes that all certificates signed by that CA are trusted certificates.

Add a CRL for Certificate Management

Use CRLs to help ensure that only valid certificates are used for PKI functions: each certificate is checked against the CRL before it is trusted.

Important! CA SiteMinder® explicitly requests LDAP CRLs in binary encoding. Additionally, CRL data must be stored in the LDAP attribute named certificateRevocationList;binary or authorityRevocationList;binary. When a Certificate Authority (CA) publishes an LDAP CRL, it must return the CRL data in binary format, in accordance with RFC4522 and RFC4523. Otherwise, CA SiteMinder® cannot use it.
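As an added example (not CA SiteMinder® code, and not a complete validator: it checks neither the CRL signature nor nextUpdate), the following Python walks a DER CRL the way the checks above describe: it rejects PEM text where the ;binary attribute must hold raw DER, treats a certificate whose serial number appears in revokedCertificates as revoked, and returns "trusted" when no CRL is configured, matching the behaviour described for a root CA without a CRL. The DER helpers and the constructed sample CRL are assumptions made for the example.

```python
# Added example: minimal DER walk of an X.509 CRL (hypothetical helper code, not SiteMinder's).

def _der(tag, body):  # encode one DER TLV (only used to build the constructed sample CRL)
    k = (len(body).bit_length() + 7) // 8
    length = bytes([len(body)]) if len(body) < 128 else bytes([0x80 | k]) + len(body).to_bytes(k, "big")
    return bytes([tag]) + length + body

def _tlv(buf, pos):  # decode the TLV at buf[pos] -> (tag, body, position after it)
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:  # long-form length
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n

def check_binary_crl(data):  # the page's rule: the ;binary attribute must hold raw DER
    if data.lstrip().startswith(b"-----BEGIN"):
        raise ValueError("CRL is PEM text; the LDAP attribute must carry binary DER")
    if not data or data[0] != 0x30:
        raise ValueError("CRL does not start with a DER SEQUENCE; not a binary CRL")

def revoked_serials(crl_der):  # set of serial numbers in tbsCertList.revokedCertificates
    check_binary_crl(crl_der)
    _, cert_list, _ = _tlv(crl_der, 0)          # CertificateList
    _, tbs, _ = _tlv(cert_list, 0)              # tbsCertList
    pos, field, serials = 0, 0, set()
    while pos < len(tbs):
        tag, body, pos = _tlv(tbs, pos)
        field += 1
        if field == 1 and tag == 0x02:          # optional version INTEGER: not counted
            field = 0
        elif field > 3 and tag == 0x30:         # after signature, issuer, thisUpdate the only
            epos = 0                            # SEQUENCE is revokedCertificates (nextUpdate is a Time)
            while epos < len(body):
                _, entry, epos = _tlv(body, epos)
                _, serial, _ = _tlv(entry, 0)   # userCertificate INTEGER
                serials.add(int.from_bytes(serial, "big", signed=True))
    return serials

def certificate_allowed(crl_der, serial):  # no CRL configured -> trusted; listed serial -> denied
    if crl_der is None:
        return True
    return serial not in revoked_serials(crl_der)

def build_sample_crl(serials):  # constructed, unsigned sample CRL (dummy issuer/signature)
    t = _der(0x17, b"240101000000Z")
    ints = lambda n: _der(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big"))
    entries = b"".join(_der(0x30, ints(s) + t) for s in serials)
    tbs = _der(0x30, ints(1) + _der(0x30, b"") + _der(0x30, b"") + t + t + _der(0x30, entries))
    return _der(0x30, tbs + _der(0x30, b"") + _der(0x03, b"\x00"))
```

A real deployment would additionally verify the CRL signature against the issuing CA certificate and refresh the CRL before nextUpdate passes.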

For CA SiteMinder® to use a CRL, the CRL location is required.

Follow these steps:

  1. Log in to the Administrative UI.
  2. Select Infrastructure, X509 Certificate Management, Certificate Validity.

    A revocation list is displayed.

  3. Click Add.

    The Configure Revocation List dialog opens.

    Note: You can click Help for a description of fields, controls, and their respective requirements.

  4. Specify an alias for the CRL and the location (URL) of the certificate revocation list.

    The location must be a file path for a file CRL and an LDAP search path for an LDAP CRL.

  5. Click Save.

The CRL is added to the certificate data store.

Update a CRL

Update a CRL to verify that the certificate data in use is current.

Follow these steps:

  1. Log in to the Administrative UI.
  2. Select Infrastructure, X509 Certificate Management, Certificate Validity.

    A revocation list is displayed.

  3. Delete a CRL from the list.
  4. Do one of the following steps to add a CRL: