Previous Topic: Confirm the Validity of Certificates

Next Topic: Configure Certificate Revocation List Checking

Certificate Revocation List Checking

A certificate revocation list (CRL) is a list of revoked X.509 client certificates published by the Certificate Authority (CA) to an LDAP user directory. Comparing certificates against CRLs is one method of ensuring that certificates are valid.

Note: The Policy Server can support CRLs greater than 1.7 MB in size, but cannot verify the status of a certificate using a Certificate Revocation List (CRL) that is larger than 64 KB. This limit is due to the third party libraries that are used to parse CRLs.

SiteMinder compares certificates against CRLs stored in an LDAP directory. SiteMinder verifies the signature of the CRL by retrieving the CA public certificate from the LDAP directory. SiteMinder supports the following RSA algorithms for signature verification:

CA administrators must keep CRLs up to date. If SiteMinder retrieves an expired CRL, all certificates from the CA with the expired CRL will be denied access. If multiple CRLs exist, SiteMinder will search for and use the most recent CRL. If a CA's public certificate is not available or your CRL is signed with an unsupported algorithm, you can turn off signature checking during the CRL verification process.

Note: If signature checking is turned off, make sure that the LDAP directory is protected appropriately.


Copyright © 2010 CA. All rights reserved. Email CA about this topic