Certificate revocation list (CRL)
The certificate revocation list (CRL) is a method of preventing the validation of certificates that a certificate authority (CA) has withdrawn before their expiry date. The CRL is a CA-signed list of the serial numbers of certificates that the CA has revoked and that must no longer be trusted. WebSEAL uses a GSKit implementation of SSL that supports CRL checking. WebSEAL can use GSKit to perform CRL checking on client-side certificates and on the server certificates presented by SSL junctions.
A CA publishes each CRL with a limited validity period, bounded by the CRL's thisUpdate and nextUpdate times, and is responsible for reissuing the CRL before that period ends. Contact the CA to find out its policy for updating the CRL.
We can configure WebSEAL to use OCSP, CRL, or both to check the revocation status of certificates. By default, WebSEAL (through GSKit) tries OCSP first, followed by CRL. If neither of these methods produces an answer, WebSEAL can then try an LDAP lookup (if configured). This search order is fixed in GSKit and cannot be changed in the WebSEAL configuration.
WebSEAL must be able to connect to the CRL Distribution Point (CDP) that the CA names in the certificate's CRL Distribution Points extension. If WebSEAL is installed on a server behind a firewall, we must allow outbound communication from WebSEAL through to the CDP. Otherwise, every check waits for the connection attempt to fail, which affects performance, and we risk certificates being validated against an out-of-date CRL.
GSKit itself places no time limit on the use of an outdated CRL; the decision is left to the application. However, allowing the use of an outdated CRL creates a security exposure, because a certificate revoked after the CRL was issued still appears valid. If GSKit determines that the CRL is past its nextUpdate time, it returns an UNDETERMINED status, and the application then decides the course of action. We can configure the course of action in WebSEAL by setting the configuration option undetermined-revocation-cert-action in the [ssl] stanza to one of: ignore, log, or reject. Setting it to reject (undetermined-revocation-cert-action = reject) is the safe choice; ignore turns a stale or unreachable CRL into a silent bypass of revocation checking.
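The following is an added example and is not WebSEAL or GSKit code. It assumes the third-party Python cryptography package and constructs its own CA, client certificate, serial number and CDP URL (http://crl.example.test/ca.crl, a placeholder). It builds CRLs in four states (fresh, revoking the client's serial, past its nextUpdate, and signed by the wrong key), reads the CDP that the CA placed in the certificate, and applies the same ignore/log/reject decision described above when the CRL is stale.

```python
# Added example, not WebSEAL or GSKit code. It assumes the third-party "cryptography"
# package; the CA name, client name, serial number and CDP URL are constructed.
from datetime import datetime, timedelta, timezone

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

CDP_URL = "http://crl.example.test/ca.crl"  # constructed; not a real distribution point


def utc_now():
    # cryptography's builders treat naive datetimes as UTC, so everything here is naive UTC
    return datetime.now(timezone.utc).replace(tzinfo=None)


def make_ca(common_name="Example CA"):
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    now = utc_now()
    cert = (x509.CertificateBuilder()
            .subject_name(name).issuer_name(name).public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(now - timedelta(minutes=1))
            .not_valid_after(now + timedelta(days=365))
            .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
            .sign(key, hashes.SHA256()))
    return key, cert


def issue_client_cert(ca_key, ca_cert, common_name, serial):
    # The CA writes the CDP into the certificate; this is the URL WebSEAL must be able to reach.
    key = ec.generate_private_key(ec.SECP256R1())
    now = utc_now()
    cdp = x509.CRLDistributionPoints([x509.DistributionPoint(
        full_name=[x509.UniformResourceIdentifier(CDP_URL)],
        relative_name=None, reasons=None, crl_issuer=None)])
    return (x509.CertificateBuilder()
            .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)]))
            .issuer_name(ca_cert.subject).public_key(key.public_key())
            .serial_number(serial)
            .not_valid_before(now - timedelta(minutes=1))
            .not_valid_after(now + timedelta(days=30))
            .add_extension(cdp, critical=False)
            .sign(ca_key, hashes.SHA256()))


def build_crl(signing_key, issuer_cert, revoked_serials, this_update, next_update):
    # A CRL is a signed list of revoked serial numbers with a thisUpdate/nextUpdate window
    builder = (x509.CertificateRevocationListBuilder()
               .issuer_name(issuer_cert.subject)
               .last_update(this_update).next_update(next_update))
    for serial in revoked_serials:
        builder = builder.add_revoked_certificate(
            x509.RevokedCertificateBuilder().serial_number(serial)
            .revocation_date(this_update).build())
    return builder.sign(signing_key, hashes.SHA256())


def distribution_points(cert):
    # CDP URIs named by the CA in the certificate's CRL Distribution Points extension
    try:
        ext = cert.extensions.get_extension_for_class(x509.CRLDistributionPoints)
    except x509.ExtensionNotFound:
        return []
    return [gn.value for dp in ext.value for gn in (dp.full_name or [])
            if isinstance(gn, x509.UniformResourceIdentifier)]


def crl_next_update(crl):
    # next_update_utc exists from cryptography 42 on; older releases expose naive next_update
    nxt = getattr(crl, "next_update_utc", None)
    return nxt.replace(tzinfo=None) if nxt is not None else crl.next_update


def check_revocation(cert, crl, issuer_cert, now, undetermined_action="reject"):
    """Revocation decision modelled on the behaviour described above.

    "crl-invalid": CRL not from the issuer or signature fails; never trusted.
    "revoked"/"good": answer from a CRL that is still within its validity window.
    "undetermined-<action>": CRL past nextUpdate (GSKit's UNDETERMINED), resolved
    by the configured undetermined-revocation-cert-action.
    """
    if crl.issuer != issuer_cert.subject or not crl.is_signature_valid(issuer_cert.public_key()):
        return "crl-invalid"
    nxt = crl_next_update(crl)
    if nxt is None or now > nxt:
        if undetermined_action == "ignore":
            return "undetermined-ignore"  # accepted as valid: silent revocation bypass
        if undetermined_action == "log":
            print(f"stale CRL (nextUpdate {nxt}) while checking serial {cert.serial_number:#x}")
            return "undetermined-log"     # accepted, but the exposure is recorded
        return "undetermined-reject"
    if crl.get_revoked_certificate_by_serial_number(cert.serial_number) is not None:
        return "revoked"
    return "good"


def demo():
    # One client certificate checked against fresh, revoking, stale and forged CRLs
    ca_key, ca_cert = make_ca()
    client = issue_client_cert(ca_key, ca_cert, "alice", serial=0x1001)
    now, h, d = utc_now(), timedelta(hours=1), timedelta(days=1)
    fresh = build_crl(ca_key, ca_cert, [], now - h, now + d)
    revoking = build_crl(ca_key, ca_cert, [0x1001], now - h, now + d)
    stale = build_crl(ca_key, ca_cert, [], now - 2 * d, now - d)  # nextUpdate already passed
    rogue_key = ec.generate_private_key(ec.SECP256R1())
    forged = build_crl(rogue_key, ca_cert, [], now - h, now + d)  # issuer name right, key wrong
    return {
        "cdp": distribution_points(client),
        "fresh": check_revocation(client, fresh, ca_cert, now),
        "revoked": check_revocation(client, revoking, ca_cert, now),
        "stale_reject": check_revocation(client, stale, ca_cert, now, "reject"),
        "stale_ignore": check_revocation(client, stale, ca_cert, now, "ignore"),
        "forged": check_revocation(client, forged, ca_cert, now),
    }
```

Running demo() shows the two checks that matter operationally: the forged CRL is refused before its contents are consulted, and the stale CRL yields no verdict at all, so the outcome depends entirely on undetermined-revocation-cert-action. The "ignore" result is the one to watch for: a firewall that blocks the CDP or a CA that is late reissuing its CRL produces exactly this state, and with ignore a revoked client certificate is accepted.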
Parent topic: Certificate revocation in WebSEAL