4.5. Managing the Certificate Revocation List
Revoking a certificate notifies other users that the certificate is no longer valid. This notification is done by publishing a list of the revoked certificates, called the certificate revocation list (CRL), to an LDAP directory or to a flat file. This list is publicly available and ensures that revoked certificates are not misused.
It may be necessary to view or examine a CRL, such as before manually updating a directory with the latest CRL. To view or display the CRL, do the following:
Click Display Certificate Revocation List to display the form for viewing the CRL.
Select the CRL to view. If the administrator has created multiple issuing points, these are listed in the Issuing point drop-down list. Otherwise, only the master CRL is shown.
Choose how to display the CRL by selecting one of the options from the Display Type menu. The choices on this menu are as follows:
To examine the selected CRL, click Display.
The CRL appears in the browser window. This allows the agent to check whether a particular certificate (by its serial number) appears in the list and to note recent changes such as the total number of certificates revoked since the last update, the total number of certificates taken off hold since the last update, and the total number of certificates that expired since the last update.
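The same serial-number check can be done programmatically against a CRL retrieved from the directory or flat file. The following is an added Go example, not code from this guide or from Certificate System: it builds a throwaway CA and a sample CRL (constructed data standing in for an issuing point), verifies the CRL signature against the issuer before trusting the list, then looks up a serial number and reports the entry count. The function names BuildSampleCRL and IsRevoked are chosen here.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)
// BuildSampleCRL signs a CRL listing the given serials with a throwaway CA (constructed sample data only).
func BuildSampleCRL(serials []int64) (*x509.Certificate, []byte, error) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	now := time.Now()
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Sample CA"}, NotBefore: now.Add(-time.Hour),
		NotAfter: now.Add(24 * time.Hour), IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
	caDER, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, key) // a CRL issuer needs the cRLSign key usage
	if err != nil {
		return nil, nil, err
	}
	ca, err := x509.ParseCertificate(caDER) // the parsed form carries RawSubject and SubjectKeyId, which the CRL references
	if err != nil {
		return nil, nil, err
	}
	var entries []pkix.RevokedCertificate
	for _, s := range serials {
		entries = append(entries, pkix.RevokedCertificate{SerialNumber: big.NewInt(s), RevocationTime: now})
	}
	crl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: now, NextUpdate: now.Add(time.Hour), RevokedCertificates: entries}
	crlDER, err := x509.CreateRevocationList(rand.Reader, crl, ca, key)
	return ca, crlDER, err
}
// IsRevoked checks the CRL signature against its issuer before trusting the list, then reports whether serial is listed and the entry count.
func IsRevoked(crlDER []byte, issuer *x509.Certificate, serial int64) (bool, int, error) {
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return false, 0, err
	}
	if err := crl.CheckSignatureFrom(issuer); err != nil {
		return false, 0, err // unsigned or tampered CRL: do not act on its contents
	}
	for _, e := range crl.RevokedCertificates {
		if e.SerialNumber.Cmp(big.NewInt(serial)) == 0 {
			return true, len(crl.RevokedCertificates), nil
		}
	}
	return false, len(crl.RevokedCertificates), nil
}
```

With a real deployment, replace BuildSampleCRL with the issuing-point CA certificate and the CRL bytes fetched from the directory or file; IsRevoked is unchanged.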
When a certificate is revoked, the CRL is automatically updated. If the Certificate System is used with an LDAP directory server, the CRL in the directory is also updated automatically.
In some cases, the CRL may need to be updated manually, such as updating the list after the system has been down or removing expired certificates to reduce the file size. (Expired certificates need not be included in the CRL, since they are already invalid by virtue of their expiration date.) Only a Certificate Manager agent can manually update the CRL.
To update the CRL manually, do the following:
Click Update Revocation List to display the form for updating the CRL.
Select the algorithm to use to sign the new CRL. Before choosing an algorithm, make sure that any system or network applications that need to read or view this CRL support the algorithm.
Before selecting an algorithm, make sure that the Certificate System has that algorithm enabled. The Certificate System administrator will have that information.
To examine the CRL before updating it, click Display.
The CRL appears in the browser window, allowing the agent to check whether a particular certificate appears in the list. Use the browser's Back button to return to the Update page.
To update the CRL with the latest certificate revocation information, click Update.