Managing CRL locations


Digital Certificate Manager (DCM) allows you to define and manage Certificate Revocation List (CRL) location information for a specific Certificate Authority (CA) to use as part of the certificate validation process.

DCM, or an application that requires CRL processing, can use the CRL to determine that the CA that issued a specific certificate has not revoked the certificate. When you define a CRL location for a specific CA, applications that support the use of certificates for client authentication can access the CRL.

Applications that support the use of certificates for client authentication can perform CRL processing to ensure more stringent authentication for certificates that they accept as valid proof of identity. Before an application can use a defined CRL as part of the certificate validation process, the DCM application definition must require that the application perform CRL processing.

How CRL processing works

When you use DCM to validate a certificate or application, DCM performs CRL processing by default as part of the validation process. If there is no CRL location defined for the CA that issued the certificate that you are validating, DCM cannot perform CRL checking. However, DCM can attempt to validate other important information about the certificate, such as that the CA signature on the specific certificate is valid and that the CA that issued it is trusted.
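The decision sequence just described (verify the issuer is trusted and the CA signature is good, then consult the CRL only if a location is defined for that CA) can be modelled end to end in code. The following is an added example, not part of the IBM DCM documentation; it uses the third-party `cryptography` package (assumed installed) and constructs a throwaway CA, two end-entity certificates and a CRL entirely in memory, so it touches no LDAP server or DCM store. The `crl_locations` dictionary stands in for DCM's per-CA CRL location assignment; an issuer with no entry yields the "valid, revocation not checked" outcome the text warns about.

```python
"""Added example (not from the IBM DCM page): minimal CRL-processing logic.
Assumes the third-party `cryptography` package; all certificates, keys and
the CRL are constructed here, so nothing is fetched from LDAP."""
import datetime
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa, padding

NOW = datetime.datetime.now(datetime.timezone.utc)


def make_ca(name):
    """Create a self-signed CA (constructed for the example)."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, name)])
    cert = (x509.CertificateBuilder()
            .subject_name(subject).issuer_name(subject)
            .public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(NOW - datetime.timedelta(days=1))
            .not_valid_after(NOW + datetime.timedelta(days=365))
            .add_extension(x509.BasicConstraints(ca=True, path_length=None),
                           critical=True)
            .sign(key, hashes.SHA256()))
    return key, cert


def issue(signing_key, issuer_name, name, serial):
    """Issue an end-entity certificate with a fixed serial (constructed)."""
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, name)])
    leaf_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    return (x509.CertificateBuilder()
            .subject_name(subject).issuer_name(issuer_name)
            .public_key(leaf_key.public_key())
            .serial_number(serial)
            .not_valid_before(NOW - datetime.timedelta(days=1))
            .not_valid_after(NOW + datetime.timedelta(days=90))
            .sign(signing_key, hashes.SHA256()))


def build_crl(ca_key, ca_cert, revoked_serials):
    """Build a CRL signed by the CA listing the given serial numbers."""
    builder = (x509.CertificateRevocationListBuilder()
               .issuer_name(ca_cert.subject)
               .last_update(NOW)
               .next_update(NOW + datetime.timedelta(days=7)))
    for serial in revoked_serials:
        entry = (x509.RevokedCertificateBuilder()
                 .serial_number(serial)
                 .revocation_date(NOW)
                 .build())
        builder = builder.add_revoked_certificate(entry)
    return builder.sign(ca_key, hashes.SHA256())


def validate(cert, trusted_cas, crl_locations):
    """Mirror the DCM validation order: trust, signature, then CRL if defined.

    trusted_cas:   {issuer Name: CA certificate}
    crl_locations: {issuer Name: CRL} (the per-CA assignment; may be missing)
    """
    ca = trusted_cas.get(cert.issuer)
    if ca is None:
        return "untrusted issuer"
    try:
        ca.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                               padding.PKCS1v15(), cert.signature_hash_algorithm)
    except InvalidSignature:
        return "bad signature"
    crl = crl_locations.get(cert.issuer)
    if crl is None:
        # No CRL location assigned to this CA: revocation cannot be checked.
        return "valid (no CRL location defined; revocation not checked)"
    if not crl.is_signature_valid(ca.public_key()):
        # A CRL that the CA did not sign must not be used as evidence.
        return "CRL rejected"
    if crl.get_revoked_certificate_by_serial_number(cert.serial_number) is not None:
        return "revoked"
    return "valid"


def run_demo():
    """Exercise every branch and return the outcomes keyed by scenario."""
    ca_key, ca_cert = make_ca("Example CA")
    rogue_key, _ = make_ca("Example CA")  # same name, different key
    good = issue(ca_key, ca_cert.subject, "good.example", 1001)
    revoked = issue(ca_key, ca_cert.subject, "revoked.example", 1002)
    forged = issue(rogue_key, ca_cert.subject, "forged.example", 1003)
    crl = build_crl(ca_key, ca_cert, [1002])
    trusted = {ca_cert.subject: ca_cert}
    with_crl = {ca_cert.subject: crl}
    return {
        "good_with_crl": validate(good, trusted, with_crl),
        "revoked_with_crl": validate(revoked, trusted, with_crl),
        "forged_with_crl": validate(forged, trusted, with_crl),
        "good_without_crl": validate(good, trusted, {}),
        "revoked_without_crl": validate(revoked, trusted, {}),
    }


if __name__ == "__main__":
    for scenario, outcome in run_demo().items():
        print(f"{scenario}: {outcome}")
```

The `revoked_without_crl` scenario is the one to notice: the certificate passes signature and trust checks and is reported valid only because no CRL location was assigned to its CA, which is exactly why the application definition must require CRL processing and the CA must have a location assigned before revocation is enforced.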

Define a CRL location

To define a CRL location for a specific CA, follow these steps:

  1. Start DCM. Refer to Starting DCM.

  2. In the navigation frame, select Manage CRL Locations to display a list of tasks.

    If you have questions about how to complete a specific form in this guided task, select the question mark (?) at the top of the page to access the online help.

  3. Select Add CRL location from the task list to display a form that you can use to describe the CRL location and how DCM or the application will access the location.

  4. Complete the form and click OK. You must give the CRL location a unique name, identify the LDAP server that hosts the CRL, and provide connection information that describes how to access the LDAP server. Next, associate the CRL location definition with a specific CA.

  5. In the navigation frame, select Manage Certificates to display a list of tasks.

  6. Select Update CRL location assignment from the task list to display a list of CA certificates.

  7. From the list, select the CA certificate to which you want to assign the CRL location definition that you created, and click Update CRL Location Assignment. A list of CRL locations displays.

  8. From the list, select the CRL location that you want to associate with the CA, and click Update Assignment. A message displays at the top of the page to indicate that the CRL location has been assigned to the Certificate Authority (CA) certificate.

To bind anonymously to an LDAP server for CRL processing, use the Directory Server Web Administration Tool and select the "Manage schema" task to change the security class (also referred to as "access class") of the certificateRevocationList and authorityRevocationList attributes from "critical" to "normal". Then leave both the Login distinguished name field and the Password field of the CRL location definition blank.

After you define a CRL location for a specific CA, DCM and other applications can use it when performing CRL processing. However, before CRL processing can work, the Directory Services server must contain the appropriate CRL. Also, configure both the Directory Server (LDAP) and the client applications to use SSL, and assign a certificate to the applications in DCM.
