For portability reasons, it is recommended that you use the WebSphere Application Server variables to specify a relative path to the certificate revocation lists, so that the same configuration works on every node. This recommendation is especially important when you are working in a WebSphere Application Server Network Deployment environment, where the installation root differs from node to node. For example, you might use the USER_INSTALL_ROOT variable to define a path such as ${USER_INSTALL_ROOT}/mycertstore/mycrl1, where mycertstore represents the name of your certificate store and mycrl1 represents the certificate revocation list. For a list of supported variables, click Environment > WebSphere variables in the administrative console. The following list provides recommendations for using certificate revocation lists:
- If CRLs are added to the collection certificate store, add the CRLs for the root certificate authority and for each intermediate certificate authority, if applicable. When the CRLs are in the collection certificate store, the revocation status of every certificate in the chain is checked against the CRL of its issuer.
- When a CRL file is updated, the new CRL does not take effect until you restart the Web service application.
- Before a CRL expires, you must load a new CRL into the collection certificate store to replace the old one. An expired CRL in the collection certificate store results in a certificate path (CertPath) build failure.
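The following script is an added example and is not part of the WebSphere documentation or product code. It performs the pre-deployment check that the three recommendations above imply: it parses each DER-encoded CRL in a collection certificate store with a small stdlib-only decoder, flags any CRL whose nextUpdate has already passed (the case that causes the CertPath build failure) or is missing, warns when a CRL is about to expire so it can be replaced and the application restarted, and reports any issuer in the chain (root CA and each intermediate) for which the store holds no CRL. The sample CRLs, their issuer names, the file paths under ${USER_INSTALL_ROOT}/mycertstore and the fixed clock are all constructed for the demo; the sample CRLs carry a placeholder signature because this check reads issuer and validity only and does not verify signatures.

```python
"""Added example: sanity-check the CRLs in a collection certificate store before loading them.
Stdlib only; reads DER CertificateList structures (RFC 5280 section 5.1). The sample CRLs below
are constructed for the demo with a placeholder signature: issuer and validity are parsed,
signatures are not verified."""
from datetime import datetime, timedelta, timezone

OID_CN = bytes([0x55, 0x04, 0x03])                    # id-at-commonName
OID_SHA256_RSA = bytes.fromhex("2a864886f70d01010b")  # sha256WithRSAEncryption

# --- minimal DER encoder, used only to build the constructed sample CRLs ---
def der(tag, content):
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        body = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(body)]) + body
    return bytes([tag]) + length + content

def der_utctime(dt):
    return der(0x17, dt.strftime("%y%m%d%H%M%SZ").encode())  # UTCTime, YYMMDDHHMMSSZ

def der_name(cn):
    # Name ::= SEQUENCE OF SET OF SEQUENCE { OID, value }; a single CN attribute here
    atv = der(0x30, der(0x06, OID_CN) + der(0x13, cn.encode()))
    return der(0x30, der(0x31, atv))

def build_crl(issuer_cn, this_update, next_update=None):
    alg = der(0x30, der(0x06, OID_SHA256_RSA) + der(0x05, b""))
    tbs = der(0x02, b"\x01") + alg + der_name(issuer_cn) + der_utctime(this_update)
    if next_update is not None:                 # nextUpdate is OPTIONAL in RFC 5280
        tbs += der_utctime(next_update)
    sig = der(0x03, b"\x00" * 33)               # placeholder BIT STRING, not a real signature
    return der(0x30, der(0x30, tbs) + alg + sig)

# --- minimal DER decoder ---
def der_read(buf, pos=0):
    """Return (tag, content, position after the element) for the TLV at buf[pos]."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    length = first
    if first & 0x80:                            # long-form length
        length = int.from_bytes(buf[pos:pos + (first & 0x7F)], "big")
        pos += first & 0x7F
    return tag, buf[pos:pos + length], pos + length

def der_children(content):
    out, pos = [], 0
    while pos < len(content):
        tag, body, pos = der_read(content, pos)
        out.append((tag, body))
    return out

def parse_time(tag, body):
    fmt = {0x17: "%y%m%d%H%M%SZ", 0x18: "%Y%m%d%H%M%SZ"}[tag]  # UTCTime / GeneralizedTime
    return datetime.strptime(body.decode(), fmt).replace(tzinfo=timezone.utc)

def name_to_string(name):
    parts = []
    for _, rdn in der_children(name):
        for _, atv in der_children(rdn):
            (_, oid), (_, value) = der_children(atv)
            parts.append(("CN" if oid == OID_CN else oid.hex()) + "=" + value.decode())
    return ",".join(parts)

def parse_crl(crl):
    """Return (issuer, thisUpdate, nextUpdate or None) from a DER CertificateList."""
    _, cert_list, _ = der_read(crl)
    _, tbs, _ = der_read(cert_list)
    fields = der_children(tbs)
    if fields[0][0] == 0x02:                    # optional version INTEGER
        fields = fields[1:]
    issuer = name_to_string(fields[1][1])       # fields[0] is the signature AlgorithmIdentifier
    this_update = parse_time(*fields[2])
    has_next = len(fields) > 3 and fields[3][0] in (0x17, 0x18)
    return issuer, this_update, (parse_time(*fields[3]) if has_next else None)

def check_collection_store(crl_files, chain_issuers, now=None):
    """crl_files: {path: DER bytes}. chain_issuers: issuer DN of every certificate in the chain
    that must be revocation-checked. Returns a list of problems; empty means ready to load."""
    now = now or datetime.now(timezone.utc)
    problems, covered = [], set()
    for path, data in crl_files.items():
        issuer, _, next_update = parse_crl(data)
        covered.add(issuer)
        if next_update is None:
            problems.append(f"{path}: no nextUpdate, expiry cannot be determined")
        elif next_update <= now:
            problems.append(f"{path}: CRL for {issuer} expired {next_update:%Y-%m-%dT%H:%MZ}; "
                            "CertPath build will fail")
        elif next_update - now < timedelta(days=1):
            problems.append(f"{path}: CRL for {issuer} expires within 24h; load a new CRL and restart")
    problems += [f"no CRL in the store for issuer {i}" for i in chain_issuers if i not in covered]
    return problems

# Constructed sample: fixed clock, two CRL files under the WebSphere variable path, and a chain
# whose intermediate CRL has already expired and whose third issuer has no CRL in the store.
NOW = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_STORE = {
    "${USER_INSTALL_ROOT}/mycertstore/rootca.crl":
        build_crl("Example Root CA", NOW - timedelta(days=1), NOW + timedelta(days=30)),
    "${USER_INSTALL_ROOT}/mycertstore/issuingca.crl":
        build_crl("Example Issuing CA", NOW - timedelta(days=40), NOW - timedelta(days=10)),
}
CHAIN_ISSUERS = ["CN=Example Root CA", "CN=Example Issuing CA", "CN=Example Old CA"]

if __name__ == "__main__":
    for problem in check_collection_store(SAMPLE_STORE, CHAIN_ISSUERS, now=NOW) or ["store OK"]:
        print(problem)
```

Run it against the real files by reading each *.crl in the store directory into the dictionary (the paths are just labels for the report) and passing the issuer DNs taken from the deployed certificate chain; a non-empty result means the store should not be loaded, and any replaced CRL still requires the application restart described above before it takes effect.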