Notes on CRL

CRL: Certificate Revocation List

  • a list of revoked certificates published by a CA or a delegated CRL issuer
  • a mechanism for revoking client-side certificates
  • when issuing a certificate, the CA includes CRL information for that certificate in the certificate itself
  • the certificate may or may not include CDP information
  • during authentication, the system compares the user's certificate against the appropriate CRL
    • if the certificate is determined to be valid, the system caches the certificate's attributes and applies them
    • if the certificate is determined to be invalid, if the system cannot contact the appropriate CRL, or if the CRL is expired, the system denies the user access

CDP: CRL Distribution Point

  • a location on an LDAP directory server or web server where the CA publishes CRLs
  • the system periodically contacts the CDP to get an updated CRL
  • the system downloads CRL information from the CDP at the interval specified in the CRL, at an interval that you specify during CRL configuration, and when you manually download the CRL
  • use any of the following methods to notify the system of a certificate's CDP location
    • specify the CDP in the CA certificate
      • the location of the CDP may be included within the certificate
    • specify the CDP in the client certificate
      • the location of the CDP may be included within the certificate
    • require the administrator to manually enter the CDP location
      • if neither the CA certificate nor the client certificate includes the CDP location, you must manually specify how to download the CRL object
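The following is an added example, not part of the original notes or of any vendor's code, that models the two pieces above in one place: how the CDP location is resolved (client certificate, then CA certificate, then a manually configured location) and how the CRL check decides allow or deny (valid: cache attributes; revoked, CRL unreachable, CRL expired, or no CDP: deny). All certificates, CRLs, URLs (crl.example.test) and serial numbers are constructed; a real implementation would parse X.509 DER structures and download the CRL over HTTP or LDAP instead of looking it up in a dictionary.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, FrozenSet, Optional, Tuple


# Constructed, simplified models of the fields a CRL check actually touches.
@dataclass(frozen=True)
class Certificate:
    subject: str
    issuer: str
    serial: int
    cdp: Optional[str] = None  # URL from the CRL Distribution Points extension, if present


@dataclass(frozen=True)
class CRL:
    issuer: str
    this_update: datetime
    next_update: datetime
    revoked_serials: FrozenSet[int]


# A fetcher takes a CDP URL and returns the CRL, or None when the CDP cannot be reached.
Fetcher = Callable[[str], Optional[CRL]]


def resolve_cdp(client_cert: Certificate, ca_cert: Certificate,
                manual_cdp: Optional[str] = None) -> Optional[str]:
    """Pick the CDP location in the order the notes list: the client certificate's
    own CDP, then the CA certificate's, then a manually configured location."""
    for candidate in (client_cert.cdp, ca_cert.cdp, manual_cdp):
        if candidate:
            return candidate
    return None


def check_certificate(client_cert: Certificate, ca_cert: Certificate, fetch_crl: Fetcher,
                      now: datetime, manual_cdp: Optional[str] = None,
                      cache: Optional[Dict[int, dict]] = None) -> Tuple[str, str]:
    """Return ("allow", reason) or ("deny", reason) for client_cert.

    On "allow" the certificate's attributes are stored in `cache` (keyed by serial),
    mirroring the notes; every failure path denies access."""
    cdp = resolve_cdp(client_cert, ca_cert, manual_cdp)
    if cdp is None:
        return "deny", "no CDP location available"
    crl = fetch_crl(cdp)
    if crl is None:
        return "deny", f"could not contact CRL at {cdp}"
    # The "appropriate" CRL is the one issued by the certificate's own issuer.
    if crl.issuer != client_cert.issuer:
        return "deny", "CRL issuer does not match certificate issuer"
    if now > crl.next_update:
        return "deny", "CRL has expired (nextUpdate is in the past)"
    if client_cert.serial in crl.revoked_serials:
        return "deny", "certificate is revoked"
    if cache is not None:
        cache[client_cert.serial] = {"subject": client_cert.subject, "issuer": client_cert.issuer}
    return "allow", "certificate not listed in a current CRL"


def next_refresh(crl: CRL, last_download: datetime,
                 configured_interval: Optional[timedelta] = None) -> datetime:
    """When the CRL should be downloaded again: at the CRL's own nextUpdate, or
    earlier if the administrator configured a shorter interval."""
    due = crl.next_update
    if configured_interval is not None:
        due = min(due, last_download + configured_interval)
    return due


# Constructed sample data (hypothetical CA, users, URL and serials).
NOW = datetime(2024, 1, 15, 12, 0, tzinfo=timezone.utc)
CDP_URL = "http://crl.example.test/ca.crl"
CA_CERT = Certificate("CN=Example Corp CA", "CN=Example Corp CA", 1, cdp=CDP_URL)
USER_CERT = Certificate("CN=alice", "CN=Example Corp CA", 1001)  # no CDP of its own
REVOKED_CERT = Certificate("CN=mallory", "CN=Example Corp CA", 1002, cdp=CDP_URL)
FRESH_CRL = CRL("CN=Example Corp CA", NOW - timedelta(days=1), NOW + timedelta(days=6), frozenset({1002}))
STALE_CRL = CRL("CN=Example Corp CA", NOW - timedelta(days=30), NOW - timedelta(days=23), frozenset({1002}))


def make_fetcher(published: Dict[str, CRL]) -> Fetcher:
    """Stand-in for an HTTP/LDAP download: look the URL up in a dict."""
    return lambda url: published.get(url)


def demo() -> dict:
    """Run each scenario from the notes and return the decisions."""
    cache: Dict[int, dict] = {}
    fetch = make_fetcher({CDP_URL: FRESH_CRL})
    ca_without_cdp = Certificate("CN=Example Corp CA", "CN=Example Corp CA", 1)
    results = {
        "valid": check_certificate(USER_CERT, CA_CERT, fetch, NOW, cache=cache),
        "revoked": check_certificate(REVOKED_CERT, CA_CERT, fetch, NOW, cache=cache),
        "expired_crl": check_certificate(USER_CERT, CA_CERT, make_fetcher({CDP_URL: STALE_CRL}), NOW, cache=cache),
        "unreachable": check_certificate(USER_CERT, CA_CERT, make_fetcher({}), NOW, cache=cache),
        "no_cdp": check_certificate(USER_CERT, ca_without_cdp, fetch, NOW),
        "manual_cdp": check_certificate(USER_CERT, ca_without_cdp, fetch, NOW, manual_cdp=CDP_URL),
        "cached_serials": sorted(cache),
    }
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:14} {outcome}")
```

Note that an unreachable CDP and an expired CRL both deny, exactly as the notes say; a system that "failed open" in those cases would let a revoked certificate through whenever the CDP was down or the CRL was stale, which is why the refresh interval in `next_refresh` matters operationally.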

