Work with revoked certificates

Digital certificates can be revoked by Certificate Authorities. We can check the revocation status of certificates using OCSP, or CRLs on LDAP servers, depending on platform.

During the TLS handshake, the communicating partners authenticate each other with digital certificates. Authentication can include a check that the certificate received can still be trusted. Certificate Authorities (CAs) revoke certificates for various reasons, including:

• The owner has moved to a different organization
• The private key is no longer secret

CAs publish revoked personal certificates in a Certificate Revocation List (CRL). CA certificates that have been revoked are published in an Authority Revocation List (ARL).

On the following platforms, IBM MQ SSL support checks for revoked certificates using OCSP (Online Certificate Status Protocol) or using CRLs and ARLs on LDAP (Lightweight Directory Access Protocol) servers. OCSP is the preferred method.

• Linux
• UNIX
• Windows

IBM MQ classes for Java and IBM MQ classes for JMS cannot use the OCSP information in a client channel definition table file. However, we can configure OCSP as described in Use Online Certificate Protocol. On the following platforms, and IBM MQ SSL support checks for revoked certificates using CRLs and ARLs on LDAP servers only:

• IBM i
• z/OS

For more information about Certificate Authorities, see Digital certificates.

• Revoked certificates and OCSP
  IBM MQ determines which Online Certificate Status Protocol (OCSP) responder to use, and handles the response received. We might have to take steps to make the OCSP responder accessible.
• Work with Certificate Revocation Lists and Authority Revocation Lists
  IBM MQ support for CRLs and ARLs varies by platform.
• Manipulating authentication information objects
  We can manipulate authentication information objects using MQSC or PCF commands, or the IBM MQ Explorer.

Parent topic: Identifying and authenticating users