Manage certificate revocation lists (CRLs)

You can configure Activator to compare certificates against lists of invalid certificates that are maintained by the issuing certificate authorities. This checking is done for outbound encrypted documents and inbound signed documents.

A certificate revocation list (CRL) is a list of third-party certificates that are no longer valid. Certificate authorities maintain such lists of certificates that they have issued and sequentially invalidated. CRLs are accessible on the Internet on from a CA or LDAP server site - you need an Internet connection to use them.

Related topics

How CRL checking works

CRL checking potentially is performed for every non-root certificate encountered during certificate path validation. The following steps are taken for each such certificate.

  1. The system retrieves the CRL distribution point, if any, from the current certificate. The CRL distribution point is the first URL found in a CRL distribution points extension in the certificate. Not all certificates have a CRL distribution point extension and not all such extensions have a URL.
  2. The system looks in its cache of CRLs for an effective CRL with the same issuer and CRL distribution point (if any) as the current certificate. A CRL is considered to be effective if the current time is between the CRL's thisUpdate and nextUpdate times. If such a CRL is found, it is used: Go to step 9.
  3. If the option for Automatically retrieve CRLs is selected on the CRL usage and retrieval configuration page and the certificate contains a CRL distribution point, the system attempts to retrieve a CRL from that distribution point. If a CRL is successfully retrieved, it is added to the CRL cache. The system again looks in its cache of CRLs for an effective CRL with the same issuer and CRL distribution point as the current certificate. If such a CRL is found, it is used. Go to step 9.
  4. If the option for Use expired CRLs is selected on the CRL usage and retrieval configuration page, the system looks in its cache of CRLs for the most recently expired CRL with the same issuer and CRL distribution point (if any) as the current certificate. A CRL is considered to be expired if its nextUpdate time is in the past. If such a CRL is found, it is used. Go to step 9.
  5. If the current certificate does not contain a CRL distribution point, there is no CRL to check. Go to step 8.
  6. The system looks in its cache of CRLs for an effective CRL with the same issuer as the current certificate. If such a CRL is found, it is used. Go to step 9.
  7. If the option for Use expired CRLs is selected on the CRL usage and retrieval configuration page, the system looks in its cache of CRLs for the most recently expired CRL with the same issuer as the current certificate. If such a CRL is found, it is used. Go to step 9. Note that this step is similar to step 4, with the exception that here the CRL distribution point is not checked.
  8. No CRL could be found for checking the current certificate. If the option for Require CRLs is selected on the CRL usage and retrieval configuration page, the certificate path validation fails. Otherwise, the CRL check for the current certificate succeeds.
  9. The signature of the found CRL is verified using the CRL's issuing certificate. If the verification fails, the certificate path validation fails.
  10. The list of certificates in the CRL is checked for whether it contains the current certificate. If the certificate is listed in the CRL, the certificate path validation fails. Otherwise, the CRL check for the current certificate succeeds.

Related topics

Obtain CRL access information

Before you can download a CRL to Activator, you must obtain the information required to access the CA’s CRL.

CRLs are usually made available via one of three protocols: HTTP, HTTP/S, and Lightweight Directory Access Protocol (LDAP). For example, VeriSign CRLs are accessed via HTTP and Entrust CRLs are accessed via LDAP.

You can obtain the CRL information by viewing the details of a CA-issued certificate. See Details tab. The information, if present, is labeled as a CRL distribution point.

The following URL is an example of the CRL distribution point specified in a VeriSign certificate:

http://crl.verisign.com/class1.crl

For this example, you would enter this URL to add a VeriSign CRL to Activator.

Related topics

Add a CRL

Use this procedure to download a CRL.

  1. On the system management page, click Manage CRLs to display the CRLs page. The page lists imported CRLs, if any.
  2. Click Add a CRL to launch the CRL wizard.
  3. Type the URL to download the CRL. See Obtain CRL access information.
  4. If you must connect through a proxy server to retrieve a CRL, see the proxy server fields described in Advanced CRL settings.
  5. Click Next to display the Get CRL updates page.
  6. Select the interval for downloading an updated CRL.
  7. Click Next to display the Download the CRL page.
  8. Select whether you want to download the CRL now or later.
  9. Click Finish. If you elected to download the CRL now, the CRL is listed on the CRLs page with a status of Success.
  10. CRL files are stored in subdirectories of common\conf\crls. Once a subdirectory reaches the maximum CRL file limit, the server creates another subdirectory and begins storing additional CRLs in the new folder. This is intended as an aide to users who may have thousands of CRL files. By default, the maximum limit for each subdirectory is 500 files.

Related topics

Manage CRL lists

Once one or more CRLs have been downloaded, you can use the CRLs page to manage them. To open this page:

  1. Click System management on the menu bar to open the System management page.
  2. From the list of tasks at the bottom of the page, click Manage CRLs to open the CRLs page.

The CRLs page shows the name of each CRL, the date and time the CRL was last updated, the update schedule status, and the download status.

On this page you can click the URL of a CRL and open another page that lets you change the URL for downloading the CRL or the updating interval. You also can view details of the CRL.

To delete a CRL, click Delete to the right of a CRL on the CRLs page or click Delete this CRL on the manage CRL page. Deleted CRLs no longer appear on the CRL list page and are deleted from <Activator_shared_directory>\common\conf\crls.

Related topics

Advanced CRL settings

Use the CRL usage and retrieval configuration page to control how CRLs are used and updated in Activator.

In most cases the default settings on this page are adequate. You may want to change settings for special requirements. When the default values are used and no current CRLs are in <Activator_common_directory>\common\conf\crls, CRL checking does not occur.

To open the CRL usage and retrieval configuration page:

  1. Select System management on the toolbar to open the System management page.
  2. From the list of tasks at the bottom of the page, click Manage CRLs to open the CRLs page.
  3. Click Configure CRL usage and retrieval to open the CRL usage and retrieval configuration page.
  4. The fields on the CRL usage and retrieval configuration page are described in the following section. These values are stored in the database.
  5. Click Save changes to save your changes to this page.

CRL usage and retrieval tab

CRL usage section

Require CRLs

Select this option to require CRL checking for all non-root (not self-signed) certificates and to fail certificate path validation when Activator cannot find a certificate's CRL. In most cases, "Require CRLs" is turned off by default.

When "Require CRLs" is turned off and a CRL cannot be found for a certificate, the certificate is presumed valid and certificate path validation continues.

When "Require CRLs" is turned on, Activator must find a CRL for each non-root certificate. If a CRL is not found, the certificate is considered revoked and the certificate path validation fails.

When selected, make sure update schedules are set on the Manage CRL page for all CRLs needed to check non-root and intermediary certificates in the certificate path.

  • Except when certificate does not contain CRL distribution point – If you select this option, CRL checking does not result in an error when a CRL for a certificate cannot be found and the certificate does not contain a CRL distribution point.

Use expired CRLs

Select this option to enable the use of an expired CRL when Activator cannot find a current CRL in <Activator_commoninstall_directory>\Activator\conf\\crls. Activator looks for a current CRL with the same issuer name as the certificate being checked. In a current CRL, the current time stamp is between the CRL's thisUpdate and nextUpdate time stamps. If Activator cannot find such a CRL, it looks for a CRL with the same issuer name as the certificate and with a nextUpdate time stamp that is before the current time stamp. If more than one such expired CRL is found, the most recently expired CRL is used to check whether the certificate has been revoked. Clear the option to use only CRLs that have not expired. The Use expired CRLs option is turned off by default.

Automatically retrieve CRLs

Select this option to automatically retrieve CRLs using the information in the certificates' CRL distribution points extension. When this option is selected and Activator does not already have an effective CRL for a certificate, it attempts to use the certificate's CRL distribution point extension to retrieve the CRL for that certificate.

If Activator fails to retrieve a CRL and the Require CRLs option is selected, Activator will fail to validate the certificate. In most cases, Automatically retrieve CRLs is turned off by default.

Proxy mode for CRL retrieval section

HTTP/HTTPS

  • None – Retrieval through a proxy is turned off.
  • Local – Retrieval is through the proxy configured on this page.
    • Host – The name or IP address of the proxy server to use when retrieving CRLs via HTTP or HTTPS.
    • Port – The port number of the proxy server to use when retrieving CRLs via HTTP or HTTPS.
    • This proxy requires a user name and password – Select this option if a user name and password are required to connect to the proxy server. Type the authentication information in the user name and password fields.

LDAP

  • None – Retrieval through a proxy is turned off.

Trusted root certificates tab

The Trusted roots certificates tab displays the roots of the partner certificates that a community trusts. In the case of a self-signed certificate, the trust is for the certificate itself (a self-signed certificate is a root certificate). In the case of a certificate authority certificate, the trust is for the root certificate in the chain of trust of a partner’s certificate. By default, the system trusts root certificates when end-entity partner certificates are imported.

You can elect not to trust a root certificate by clicking Untrust to the right of the root certificate name. If you untrust, the system no longer recognizes the end-entity partner certificate as valid. This could affect many end-entity partner certificates. You cannot restore trust on this tab. To trust the roots again, you must import the partner end-entity certificate or the root certificate. The easier method is importing the end-entity certificate, as the system trusts the root by default.

A single CA might be listed multiple times on the tab, because each has multiple roots, each with unique fingerprints under which it issues certificates. To view the fingerprints, select a root and review the MD5 and SHA1 fingerprints on the Details tab. By comparing fingerprints you can choose to trust some but not all of a CA’s certificates.

To import a trusted root, click Add a trusted root certificate for SSL servers on the certificates page. For additional information, see Import certificates for partners.

CRL caching

As CRLs are used, they are cached in memory. The CRL cache is implemented as a bounded most-recently-used (MRU) cache. The cache grows to a maximum number of entries, after which the least recently used entry is removed to make room for the addition of a new entry. Every time an entry is added or used, it is moved to the top of the list of most recently used entries.

The default maximum size for the CRL cache is 150 entries.

Every node in Activator maintains its own CRL cache according to what CRLs are used by that node.

Related Links