
Certificate revocation list settings


Use this page to specify a list of certificate revocations that is used to check the validity of a certificate. The appserver checks the certificate revocation lists (CRLs) to determine the validity of the client certificate. A certificate that is found in a CRL might not be expired, but it is no longer trusted by the certificate authority (CA) that issued it. The CA might add the certificate to the CRL if it believes that the client authority is compromised.

To view the admin console panel for the collection certificate store on the cell level...

  1. Click Security > JAX-WS and JAX-RPC security runtime.

  2. Under additional properties, click Collection certificate store.

  3. Click the name of a configured collection certificate store or create a new collection certificate store first.

  4. Under Additional properties, click Certificate revocation lists > New to specify the path to a new list or click the name of a certificate revocation list to modify its path.

To view the admin console panel for the collection certificate store on the server level...

  1. Click Servers > Server Types > WebSphere application servers > server_name.

  2. Under Security, click JAX-WS and JAX-RPC security runtime.

    In a mixed node cell with a server using WebSphere Application Server version 6.1 or earlier, click Web services: Default bindings for WS-Security.

  3. Under Additional properties, click Collection certificate store.

  4. Click the name of a configured collection certificate store or create a new collection certificate store first.

  5. Under Additional properties, click Certificate revocation lists > New to specify the path to a new list or click the name of a certificate revocation list to modify its path.

To view this admin console page for the collection certificate store on the application level...

  1. Click Applications > Application Types > WebSphere enterprise applications > application_name.

  2. Under Modules, click Manage modules > URI_name.

  3. Under WS-Security Properties, we can access collection certificate stores for the following bindings:

  4. Click the name of a configured collection certificate store or create a new collection certificate store first.

  5. Under Additional properties, click Certificate revocation lists > New to specify the path to a new list or click the name of a certificate revocation list to modify its path.

Certificate revocation list path

Specifies a fully qualified path to the location where we can find the list of certificates that are not valid.

For portability reasons, IBM recommends that you use appserver variables to specify a relative path to the certificate revocation list. This recommendation is especially important when we are working in a WAS ND environment. For example, we might use the USER_INSTALL_ROOT variable to define a path such as $USER_INSTALL_ROOT/mycertstore/mycrl where mycertstore represents the name of the certificate store and mycrl represents the certificate revocation list. For a list of the supported variables, click Environment > WebSphere variables in the admin console.

The following list provides recommendations for using CRLs:

  • If CRLs are added to the collection certificate store, add the CRLs for the root certificate authority and for each intermediate certificate authority, if applicable. When the CRLs are in the collection certificate store, the revocation status of every certificate in the chain is checked against the CRL of its issuer.

  • When the CRL file is updated, the new CRL does not take effect until you restart the Web service application.

  • Before a CRL expires, load a new CRL into the certificate collection store to replace the old CRL. An expired CRL in the collection certificate store results in a certificate path (CertPath) build failure.
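The three recommendations above, shown as an added example that is not part of this page or of WebSphere: a small Go program (standard library only) constructs a root CA, an issuing CA and a client certificate in memory, issues one CRL per CA, and applies the checks a CertPath build performs against a collection certificate store: the CRL of each issuer in the chain must be present, an expired CRL fails the build, and a serial listed on the issuer's CRL marks the certificate as revoked. The CA names, the client name client.example.test and the helper functions are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// must panics on error so the constructed fixtures stay short.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// newCert issues a certificate for subjectKey signed by parent/parentKey;
// with parent == nil it is self-signed (the root CA).
func newCert(serial int64, cn string, isCA bool, parent *x509.Certificate, parentKey, subjectKey *ecdsa.PrivateKey) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature,
	}
	if isCA { // a CA must be allowed to sign both certificates and CRLs
		tmpl.KeyUsage |= x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	}
	signer := parentKey
	if parent == nil {
		parent, signer = tmpl, subjectKey
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &subjectKey.PublicKey, signer))
	return must(x509.ParseCertificate(der))
}

// newCRL issues a CRL signed by issuer that lists the given serials; nextUpdate
// decides whether the CRL is still current when it is consulted.
func newCRL(issuer *x509.Certificate, key *ecdsa.PrivateKey, nextUpdate time.Time, revoked ...int64) *x509.RevocationList {
	tmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: time.Now().Add(-48 * time.Hour), NextUpdate: nextUpdate}
	for _, s := range revoked {
		tmpl.RevokedCertificates = append(tmpl.RevokedCertificates, pkix.RevokedCertificate{SerialNumber: big.NewInt(s), RevocationTime: time.Now().Add(-time.Minute)})
	}
	der := must(x509.CreateRevocationList(rand.Reader, tmpl, issuer, key))
	return must(x509.ParseRevocationList(der))
}

// checkChain walks chain (leaf first, self-signed root last); for each certificate
// below the root it looks up the CRL signed by that certificate's issuer in store.
func checkChain(chain []*x509.Certificate, store []*x509.RevocationList, now time.Time) error {
	for i := 0; i+1 < len(chain); i++ {
		cert, issuer := chain[i], chain[i+1]
		var crl *x509.RevocationList
		for _, c := range store {
			if c.CheckSignatureFrom(issuer) == nil { // the CRL this issuer signed
				crl = c
				break
			}
		}
		switch {
		case crl == nil:
			return fmt.Errorf("no CRL for issuer %q in store: CertPath build fails", issuer.Subject.CommonName)
		case now.After(crl.NextUpdate):
			return fmt.Errorf("CRL of %q expired at %s: CertPath build fails", issuer.Subject.CommonName, crl.NextUpdate.UTC().Format(time.RFC3339))
		}
		for _, rc := range crl.RevokedCertificates {
			if rc.SerialNumber.Cmp(cert.SerialNumber) == 0 {
				return fmt.Errorf("%q (serial %d) is revoked by %q", cert.Subject.CommonName, cert.SerialNumber, issuer.Subject.CommonName)
			}
		}
	}
	return nil
}

// Scenarios returns checkChain's verdict for each store configuration discussed on the page.
func Scenarios() map[string]error {
	newKey := func() *ecdsa.PrivateKey { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) }
	rootKey, interKey, leafKey := newKey(), newKey(), newKey()
	root := newCert(1, "Example Root CA", true, nil, nil, rootKey)
	inter := newCert(2, "Example Issuing CA", true, root, rootKey, interKey)
	leaf := newCert(3, "client.example.test", false, inter, interKey, leafKey)
	chain := []*x509.Certificate{leaf, inter, root}
	now, fresh := time.Now(), time.Now().Add(30*24*time.Hour)
	rootCRL, interCRL := newCRL(root, rootKey, fresh), newCRL(inter, interKey, fresh)
	return map[string]error{
		"root and issuing CA CRLs present": checkChain(chain, []*x509.RevocationList{rootCRL, interCRL}, now),
		"root CRL only":                    checkChain(chain, []*x509.RevocationList{rootCRL}, now),
		"leaf listed on issuing CA CRL":    checkChain(chain, []*x509.RevocationList{rootCRL, newCRL(inter, interKey, fresh, 3)}, now),
		"issuing CA CRL expired":           checkChain(chain, []*x509.RevocationList{rootCRL, newCRL(inter, interKey, now.Add(-time.Hour))}, now),
	}
}

func main() {
	for name, err := range Scenarios() {
		fmt.Printf("%-34s -> %v\n", name, err)
	}
}
```

Run it with go run to print the verdict for each store configuration. The "root CRL only" case is why the first recommendation asks for the CRL of every intermediate authority as well as the root: the client certificate's issuer has no CRL in the store, so its status cannot be determined and the path build fails rather than silently passing. The expired-CRL case is the CertPath build failure the last recommendation warns about. The program does not model the second recommendation: in the appserver a replaced CRL file is only picked up after the Web service application is restarted.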

Related tasks

Set the collection certificate store for the generator binding on the application level

Related

Certificate revocation list collection
Collection certificate store collection
Collection certificate store settings