SSL certificate revocation list
This section describes the directives used to configure certificate revocation list (CRL) checking and notes which of them are supported in the global server and in virtual hosts.
Certificate revocation lets a certificate authority invalidate a client certificate before its scheduled expiration date, for example when the private key is compromised or when the holder's access is withdrawn. A certificate revocation list (CRL) is the database that lists such revoked certificates. When a browser presents a client certificate to IBM HTTP Server, the server can consult the CRL to decide whether that certificate is still acceptable.
To enable certificate revocation checking in IBM HTTP Server, publish the CRL on an LDAP server. Once the CRL is published to the LDAP server, point IBM HTTP Server at it using the directives in the configuration file described below. The CRL then determines whether the presented client certificate is accepted or rejected.
Identify directives needed to set up a certificate revocation list
The SSLClientAuth directive takes two options at once: the client authentication level, followed by the optional keyword crl. For example:
- SSLClientAuth 2 crl
The crl option turns CRL checking on and off inside an SSL virtual host. Specifying crl turns CRL checking on; omitting it leaves CRL checking off. If the first option of SSLClientAuth is 0/none, the second option, crl, cannot be used: when client authentication is off, no CRL processing takes place, whatever else is configured.
The following directives are supported in both the global server and virtual hosts:
- SSLCRLHostname
The hostname or IP address of the LDAP server where the CRL database resides.
- SSLCRLPort
The port of the LDAP server where the CRL database resides; the default is 389.
- SSLCRLUserID
The user ID used to bind to the LDAP server where the CRL database resides. If no user ID is specified, an anonymous bind is used.
- SSLStashfile
The fully qualified path of the file holding the password for that user ID on the LDAP server. This directive is not required for an anonymous bind; use it whenever SSLCRLUserID is specified. Create the CRL password stash file with the sslstash command, located in the bin directory of IBM HTTP Server. The password given to sslstash must be the same one the user ID uses to log in to the LDAP server.
Usage:
sslstash [-c] <path_to_password_file_and_file_name> <function_name> <password>
...where:
- -c: Creates a new stash file. If not specified, an existing file is updated.
- File: The fully qualified name of the file to create or update.
- Function: The function for which the password is used. Valid values are crl and crypto.
- Password: The password to stash.
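A complete virtual host configuration that ties these directives together, as an added example rather than configuration taken from the IBM HTTP Server documentation; the server name, key database path, LDAP hostname, bind DN and stash file path are assumptions. The commented-out line shows the setting that looks like it enables CRL checking but does not:

```apache
# Added example; hostnames, paths and the bind DN are assumptions.
Listen 443
<VirtualHost *:443>
    ServerName www.example.com
    SSLEnable
    KeyFile /opt/IBM/HTTPServer/conf/keystore.kdb

    # Client authentication must be on for CRL processing to happen.
    # "SSLClientAuth 0 crl" is invalid: with the first option 0/none the
    # crl option cannot be used, and no CRL check takes place.
    # SSLClientAuth 0 crl
    SSLClientAuth 2 crl

    # LDAP server that holds the published CRL (port 389 is the default,
    # stated here only to make it explicit).
    SSLCRLHostname ldap.example.com
    SSLCRLPort 389

    # Named bind. Omit both SSLCRLUserID and SSLStashfile for an anonymous bind.
    SSLCRLUserID cn=crlreader,ou=services,dc=example,dc=com

    # Stash file created beforehand with the crl function of sslstash:
    #   /opt/IBM/HTTPServer/bin/sslstash -c /opt/IBM/HTTPServer/conf/crl.sth crl <ldap_password>
    # The password must match the one cn=crlreader uses to log in to ldap.example.com.
    SSLStashfile /opt/IBM/HTTPServer/conf/crl.sth
</VirtualHost>
```

Keep the stash file readable only by the user IBM HTTP Server runs as; it holds the LDAP credential, and anyone who can read it can bind as the CRL reader.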
CRL checking follows the CRL Distribution Points (CDP) X.509 extension in the client certificate and also tries a DN constructed from the issuer of the client certificate. If the certificate contains a CDP, that information takes precedence. The sources are tried in the following order:
- CDP LDAP X.500 name
- CDP LDAP URI
- Issuer name combined with the value of the SSLCRLHostname directive
To see which path applies to a given client certificate, inspect its CRL Distribution Points extension, for example with openssl x509 -in client.pem -noout -text. A certificate without a CDP falls back to the issuer-name lookup, which depends on SSLCRLHostname being configured.