

Certificate Revocation Lists in the smkeydatabase

A Certificate Revocation List (CRL) is issued by a Certificate Authority to its subscribers. The list contains the serial numbers of subscribers whose digital certificates have been revoked. When a user attempts to access a server, the server allows or denies access based on whether the certificate has an entry in the CRL.

If Federation Security Services tries to use a revoked partner certificate, a message in the SAML assertion indicates that SAML authentication has failed.

If you are using CRLs, the smkeydatabase must point to a current CRL for each root CA certificate so that the Policy Server can enforce secure access. To add and maintain a CRL in the smkeydatabase, use the command options of SiteMinder's smkeytool utility, which is the tool for modifying the smkeydatabase.

If you are using CRLs, you must specify the location of a CRL for the smkeydatabase. How you update a CRL depends on its type. To update a file-based CRL, point the smkeydatabase to the newest file. To update an LDAP CRL, specify the location of the list; the server administrator can then configure the list to be updated automatically.

Note: The CRL feature for the smkeydatabase has no relationship to the SiteMinder client certificate authentication scheme. Federation CRL features must be configured on their own.

The CRL feature for the smkeydatabase has the following restriction:

The CRL feature does not support the Online Certificate Status Protocol (OCSP).

You can add a CRL to the smkeydatabase using smkeytool.

To add a CRL to the smkeydatabase

  1. Add the CRL file or LDAP CRL to the smkeydatabase with the addRevocationInfo command option.

    Example:

    smkeytool -addRevocationInfo -issueralias verisignca -type filecrl -location c:\crls\verisign_root_ca.crl
    
  2. Restart the Policy Server.