[AIX Solaris HP-UX Linux Windows][z/OS]

SSL Certificate revocation list and Online Certificate Status Protocol

Learn about configuring certificate revocation checking for client certificates presented to IBM HTTP Server.

Note: Certificate revocation list (CRL) is a deprecated feature. Use Online Certificate Status Protocol (OCSP) with TLS certificates.
Certificate revocation lets the issuing certificate authority withdraw trust in a client certificate, which the browser presents to IBM® HTTP Server during the TLS handshake, before that certificate expires: for example, when the private key is compromised or when the holder's access permission is withdrawn. IBM HTTP Server can check revocation status by either of the following two mechanisms.
Certificate Revocation List (CRL), (deprecated)
A list, signed and published by the issuing certificate authority, of certificates that were revoked before their scheduled expiration date. IBM HTTP Server retrieves the CRL from an LDAP server.
Online Certificate Status Protocol (OCSP)
An HTTP-based service that answers a query about whether one individual certificate was revoked before its scheduled expiration date, so the server does not have to download and search the whole list.

To enable CRL checking in IBM HTTP Server, publish the CRL on a Lightweight Directory Access Protocol (LDAP) server. Once the CRL is published to the LDAP server, you point IBM HTTP Server at it from its configuration file, and the CRL then decides whether a presented client certificate is still acceptable. Be aware, however, that the revocation status of a client certificate cannot always be determined: if the backend server that supplies the revocation data is unavailable, or is not communicating properly with IBM HTTP Server, the check cannot complete. Decide explicitly how the server must behave in that case, because accepting a certificate whose status is unknown is equivalent to not checking at all against an attacker who can make the revocation source unreachable.

The CRL option is the second parameter of the SSLClientAuth directive and turns CRL checking on or off inside an SSL virtual host: specify CRL to turn it on; omit it and CRL checking stays off. If the first parameter of SSLClientAuth is 0 or none, you cannot use the second parameter, CRL, because with client authentication off no client certificate is requested and no CRL processing takes place.

Certificate revocation information is supplied from the following sources, in order of precedence. CRL checking follows the CRL Distribution Point (CDP) X.509 extension in the client certificate (called the URIDistributionPoint extension in this documentation) and also tries a distinguished name (DN) constructed from the issuer of the client certificate. If the certificate contains a CDP, that information is given precedence. The order in which the information is used is as follows:
  1. CDP LDAP X.500 name
  2. CDP LDAP URI
  3. Issuer name combined with the value from the SSLCRLHostname directive

The CRL-specific directives are supported in the global server scope and in virtual host scope. See the SSL directives reference for the full list of these directives and for information about configuring OCSP.
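The following httpd.conf fragment is an added example; it is not taken from this page or from an IBM sample configuration. It shows an SSL virtual host that requires client certificates, turns on CRL checking with an LDAP-published CRL as the fallback source for the issuer-DN lookup described above, and places the OCSP directives beside it as the non-deprecated alternative. The directive names are those documented in the IBM HTTP Server SSL directives reference (confirm them against your installed release); the host names, ports, DNs and file paths are placeholders.

```apache
# Added example (not from the IBM HTTP Server documentation).
# Host names, ports, DNs and file paths are placeholders.
Listen 443
<VirtualHost *:443>
    ServerName www.example.com
    SSLEnable
    Keyfile /opt/IBM/HTTPServer/conf/key.kdb
    SSLServerCert www_example_com

    # First parameter: client authentication level. Second parameter: the
    # CRL flag. With "none" (or 0) as the first parameter no client
    # certificate is requested, so "crl" cannot be used there.
    SSLClientAuth required crl

    # Source 3 in the precedence list: when the client certificate carries
    # no usable CRL Distribution Point, the issuer DN is looked up on this
    # LDAP server. The bind password lives in the stash file, not here.
    SSLCRLHostname ldap.example.com
    SSLCRLPort 389
    SSLCRLUserID cn=ihs-crl-reader,ou=services,o=example
    SSLStashfile /opt/IBM/HTTPServer/conf/ldap-crl.sth

    # Preferred mechanism (CRL is deprecated): OCSP. SSLOCSPEnable queries
    # the responder named in the certificate's Authority Information Access
    # extension; SSLOCSPResponderURL pins one responder for every check.
    # A new deployment would keep these and drop "crl" and the SSLCRL*
    # directives above.
    SSLOCSPEnable on
    SSLOCSPResponderURL http://ocsp.example.com/

    # Behaviour when the revocation source is unreachable or answers with
    # an unknown status. "deny" fails closed; "log" accepts the handshake
    # and records the failure. Set this deliberately: check the default in
    # your release rather than assuming it fails closed.
    SSLUnknownRevocationStatus deny
</VirtualHost>
```

After changing the configuration, test it with a client certificate that has been revoked in the published CRL (or at the OCSP responder) and then with the LDAP or OCSP server deliberately blocked: the first handshake must be rejected, and the second must behave the way SSLUnknownRevocationStatus says, otherwise the revocation check is not doing what you think it is.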


Last updated: January 28, 2018 08:56 PM GMT-06:00
http://www14.software.ibm.com/webapp/wsbroker/redirect?version=phil&product=ihs-dist&topic=cihs_crlinssl
File name: cihs_crlinssl.html