

Chapter 19 Publishing CRLs

Server and client applications that use public-key certificates as tokens of identification need access to information about the validity of a certificate; they need to know whether the certificate has been revoked. One of the standard, secure mechanisms for conveying this information is by publishing a list of revoked certificates. This list is known as the Certificate Revocation List (CRL).

The CRL is a publicly available list of certificates that have been revoked. Publishing it lets relying parties reject a revoked certificate before it can be misused, provided they actually consult the list.

This chapter explains certificate revocation in general and explains how to configure Netscape Certificate Management System (CMS) to publish CRLs.

The chapter has the following sections:

  CRL Authorities
  CRL Issuing Points
  Reasons for Revoking a Certificate
  Updating CRLs Automatically
  Updating CRLs Manually

CRL Authorities
CRLs are issued and digitally signed by the certificate authority (CA) that issued the certificates included in the revocation list. The CA's function includes creating the CRLs periodically and distributing them to other applications by appropriate means. For example, the CA may publish the CRL to a global directory which other applications may use for checking the revocation status of a certificate or from which other applications can retrieve the CRL.

In Certificate Management System, the Certificate Manager creates the CRL and publishes it to an LDAP-compliant directory, if configured to do so. A Registration Manager cannot create or publish CRLs.

CRLs can be made available to the PKI entities through a number of mechanisms. This document focuses on two of the most common mechanisms: publishing CRLs in the LDAP directory and retrieving CRLs over HTTP.


CRL Issuing Points
Because CRLs can grow very large, several mechanisms were developed to reduce the overhead of retrieving and delivering them. One of these mechanisms partitions the certificate space and associates a separate CRL with each partition. Such a partition is called a CRL issuing point or distribution point: the location where a subset of all the revoked certificates is maintained. Partitioning can be based on revocation reason, on whether the revoked certificate is a CA certificate or an end-entity certificate, on end users' names, and so on. Each issuing point is identified by a set of names, which can be in various forms.

Once issuing points have been defined, they can be named in certificates. An application that needs to check the revocation status of a certificate can then fetch the CRL from the issuing point specified in that certificate instead of the master (main) CRL; because the issuing point's CRL is smaller than the master CRL, the status check is faster.

CRL distribution points can be associated with certificates using the CRLDistributionPoint extension in the certificates.

By default, Certificate Management System generates and publishes a single CRL called the master CRL. This is explained in "Updating CRLs Automatically". However, you can define CRL issuing points that contain a subset of the revoked certificates included in the master CRL. For details on configuring Certificate Management System to publish CRLs to several issuing points, check this site:

http://home.netscape.com/eng/server/cms

To enable you to add the CRL issuing points in certificates, Certificate Management System provides a policy plug-in module that is based on the CRLDistributionPoint extension. You can configure the policy module to add the required issuing points in the certificates the server issues. For details, see "CRL Distribution Point Extension Policy".


Reasons for Revoking a Certificate
A Certificate Manager (the CA) can revoke any certificate it has issued. A certificate needs to be revoked if one or more of the following situations occur:

Whenever a certificate is revoked (by an administrator, an agent, or the end entity itself), the CA records the revocation in its CRL. Revocation by itself notifies no one; it is publishing the updated CRL that tells other users the certificate is no longer valid.

At the time of this writing, the current versions of Netscape products other than Certificate Management System do not have the ability to automatically check to see whether a certificate has been revoked. However, Netscape clients do give the user the ability to check this if the certificate includes the NetscapeRevocationURL extension.

In addition, from the end-entity services interface, Netscape client users can manually check the revocation status of a particular certificate and automatically import the latest version of the CRL into their browsers. If your users are not using Netscape clients, they can download the latest CRL in binary form to a local file and then import this file into their browsers by an appropriate method. Users can also view the header of the master (full) CRL published by Certificate Management System, which contains the date and time of the latest update, and compare it with the header of the CRL in their browser to see whether they have the latest version.

Because Netscape servers currently cannot check the revocation status of a certificate, you should use other forms of access control for them. For example, you can remove individual users from access groups to prevent them from accessing the server; revoking their certificates alone does not lock them out.

For access to Certificate Management System itself, however, you do not need to rely on other forms of access control, because the server checks the revocation status of the certificates it has issued when they are presented to it.


Updating CRLs Automatically
Normally, when you revoke a certificate, the Certificate Manager automatically updates the status of the certificate in its internal database. In addition, the Certificate Manager also maintains a CRL in its internal database. You can configure the server to generate the CRL either every time a certificate is revoked or at a periodic interval.

You can also configure the Certificate Manager to publish the CRL it maintains to a publishing directory, for example, to the directory in which end-entity certificates are published. If you do so, the server attempts to publish to the directory whenever it generates a new CRL--which could be either every time a certificate is revoked or at a periodic interval.

Here are a few things about the CRLs that a Certificate Manager can generate and publish:

Table 19.1 CRL extensions and CRL entry extensions supported by the Certificate Manager

  Component               Supported       Not supported
  CRL extensions
  CRL entry extensions

Configuring a Certificate Manager for Publishing CRLs

You can configure the Certificate Manager to publish CRLs to the LDAP-compliant directory currently configured for publishing end-entity certificates (see "Identifying a Certificate Manager's Publishing Directory"). The Certificate Manager publishes the CRL to that directory using the base DN and password you specified. To locate the CA's entry in the directory, the server uses the configuration specified for publishing the CA certificate; see "Configuring Mapper and Publisher Classes for the CA Certificate".

As a part of this configuration, you can specify information, such as the publishing interval, whether to include extensions, and the message digest algorithm the Certificate Manager should use for signing the CRL object.

To configure a Certificate Manager to publish the CRL to the directory:

  1. Access the CMS window (see "Accessing the CMS Window").
  2. Click the Configuration tab.
  3. In the navigation tree, click Certificate Manager. The General Settings tab appears.
  4. Click the Revocation List tab.
  5. In the Update Frequency section, specify when the Certificate Manager generates the CRL. Because the server attempts to publish the CRL to the configured directory whenever it generates one, this also determines the publishing interval:

    Every time a certificate is revoked. Select this option if you want the Certificate Manager to generate (and publish) the CRL every time it revokes a certificate. Publishing a CRL can be time consuming if the CRL is large, and while the server is publishing it cannot service any requests it receives or update the directory with any other changes. With this option, a burst of revocations can therefore keep the server busy for a considerable time.

    Update at this frequency. Select this option if you want the Certificate Manager to generate and publish the CRL at regular intervals. In the adjoining text field, type the interval, in minutes. For example, to publish the CRL once a day, type 1440. Relying parties that honor the CRL's next-update time will expect a fresh CRL within this interval, so choose it with the directory's availability in mind.

  6. In the CRL Format section, specify the format of the published CRL:

    Include expired certificates. Check this box if you want revoked certificates to remain in the CRL after they have expired. If it is unchecked, a revoked certificate drops out of the CRL once its validity period ends, which keeps the CRL smaller.

    Allow extensions. Check this box if you want to allow extensions in CRLs. If you enable this option, the server generates and publishes CRLs conforming to the X.509 version 2 standard; if you disable it, the server generates and publishes X.509 version 1 CRLs. By default, the server publishes version 1 CRLs. Version 2 is required for CRL extensions such as the CRL number and for CRL entry extensions such as the revocation reason.

    Revocation list digest algorithm. Select the algorithm the server should use to sign the CRL for publishing. Available choices are MD2 with RSA, MD5 with RSA, SHA1 with RSA, and SHA1 with DSA. MD2 and MD5 are no longer considered collision resistant, so of these choices select SHA1 with RSA, or SHA1 with DSA if the CA's signing key is a DSA key; the algorithm must match the key type of the CA signing certificate.

  7. To save your changes, click Save.
  8. The CMS configuration is modified. If the changes you made require a server restart, you are prompted accordingly; in that case, restart the server.
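The pieces described above (the CRLDistributionPoint extension that names an issuing point, the version 2 CRL with extensions that the Certificate Manager signs, the publishing interval, and the revocation check a client performs) are easier to see together in code. The following is an added example written for this page in Go; it is not Netscape code, does not talk to CMS or to an LDAP directory, and covers both the "CRL Issuing Points" discussion and the configuration procedure just described. It builds a throwaway CA and end-entity certificate in memory as a stand-in for the Certificate Manager (the issuing-point URL and directory DN are assumptions), signs a CRL whose next-update time mirrors a 1440-minute update interval, and then performs the checks a relying party should perform before trusting the list: signature, issuer match, freshness, and only then membership.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Assumed issuing-point URL for illustration; the DN is not one from the guide.
const issuingPoint = "ldap://ldap.example.com/cn=ExampleCA,ou=CMS,o=example.com?certificateRevocationList;binary"

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// NewFixture is a constructed stand-in for a Certificate Manager: a throwaway CA
// (certificate and key) and one end-entity certificate it issued, all in memory.
func NewFixture(now time.Time) (ca *x509.Certificate, caKey *ecdsa.PrivateKey, leaf *x509.Certificate) {
	caKey = must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "ExampleCA", Organization: []string{"example.com"}},
		NotBefore:    now.Add(-time.Hour), NotAfter: now.Add(48 * time.Hour),
		IsCA:         true, BasicConstraintsValid: true,
		// cRLSign is mandatory: CreateRevocationList refuses an issuer without it.
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	ca = must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey))))
	leafKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1001),
		Subject:      pkix.Name{CommonName: "alice"},
		NotBefore:    now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		// What the guide's CRLDistributionPoint policy adds: where this certificate's CRL lives.
		CRLDistributionPoints: []string{issuingPoint},
	}
	leaf = must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, leafTmpl, ca, &leafKey.PublicKey, caKey))))
	return ca, caKey, leaf
}

// BuildCRL is the Certificate Manager side: a version 2 CRL with the CRLNumber extension
// (derived from Number), thisUpdate, and a nextUpdate one publishing interval later.
// Every entry carries a reasonCode CRL entry extension.
func BuildCRL(ca *x509.Certificate, caKey *ecdsa.PrivateKey, revoked []*big.Int, number int64,
	thisUpdate time.Time, updateEvery time.Duration) ([]byte, error) {
	tmpl := &x509.RevocationList{
		Number:     big.NewInt(number),
		ThisUpdate: thisUpdate,
		NextUpdate: thisUpdate.Add(updateEvery),
	}
	for _, serial := range revoked {
		tmpl.RevokedCertificateEntries = append(tmpl.RevokedCertificateEntries, x509.RevocationListEntry{
			SerialNumber: serial, RevocationTime: thisUpdate, ReasonCode: 1, // 1 = keyCompromise
		})
	}
	return x509.CreateRevocationList(rand.Reader, tmpl, ca, caKey)
}

// CheckRevocation is the relying-party side. The order matters: a CRL not signed by the
// issuing CA, or issued for another CA, is never consulted, and a CRL outside its
// thisUpdate/nextUpdate window proves nothing, because the issuing point may simply be stale.
func CheckRevocation(cert, ca *x509.Certificate, crlDER []byte, now time.Time) (string, error) {
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return "untrusted", err
	}
	if err := crl.CheckSignatureFrom(ca); err != nil {
		return "untrusted", err
	}
	if !bytes.Equal(crl.RawIssuer, cert.RawIssuer) {
		return "untrusted", fmt.Errorf("CRL issuer %v differs from certificate issuer %v", crl.Issuer, cert.Issuer)
	}
	if now.Before(crl.ThisUpdate) || now.After(crl.NextUpdate) {
		return "stale", fmt.Errorf("CRL #%v is only valid from %v to %v", crl.Number, crl.ThisUpdate, crl.NextUpdate)
	}
	for _, e := range crl.RevokedCertificateEntries {
		if e.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return "revoked", nil
		}
	}
	return "good", nil
}

func main() {
	now := time.Now()
	ca, caKey, leaf := NewFixture(now)
	crl := must(BuildCRL(ca, caKey, []*big.Int{leaf.SerialNumber}, 7, now, 1440*time.Minute))
	for _, at := range []time.Time{now.Add(time.Minute), now.Add(25 * time.Hour)} {
		status, err := CheckRevocation(leaf, ca, crl, at)
		fmt.Println(leaf.CRLDistributionPoints, at.Format(time.RFC3339), status, err)
	}
}
```

Run it with go run (Go 1.21 or later, for the RevocationListEntry type). The freshness check is the part to keep in mind when choosing the update interval in step 5: a relying party that honors nextUpdate stops trusting a CRL that the Certificate Manager failed to republish on time, for example because the Directory Server was down, which is exactly the situation the manual update in "Updating CRLs Manually" exists for.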


Updating CRLs Manually
Normally you do not need to manually update the directory with CRL-related information. If configured properly, the Certificate Manager handles most of the updates automatically. However, a situation may arise in which you need to update the directory manually. For example, Directory Server may be down for a time and thus unable to receive changes from the Certificate Manager.

In such a situation, you should use the Update Certificate Revocation List form in the Certificate Manager Agent Services interface to manually update the directory with CRL-related information.

Keep in mind that a Certificate Manager's publishing directory can be updated by a Certificate Manager agent only. Agent operations are restricted to those with a proper agent certificate.

To manually update the directory with changes:

  1. Go to the Certificate Manager Agent Services page. You must present a valid agent certificate to get access to this page.
  2. Click Update Revocation List. The Update Certificate Revocation List page appears.
  3. From the Signature algorithm drop-down list, select the signature algorithm. The choices are MD5 with RSA Encryption and SHA-1 with RSA Encryption; select SHA-1, since MD5 is no longer considered collision resistant.
  4. Click Update. The Certificate Manager starts updating the directory with the CRL in its internal database. In some circumstances, for example if the CRL is large, updating the directory may take considerable time. Any changes made through Certificate Management System during this period (for example, new certificates issued or certificates revoked) may not be included in the update. If you have issued or revoked any certificates during that time, update the directory again afterwards so that those changes are published.

    When the directory is updated, the Certificate Manager will display a status report. If the process gets interrupted for some reason, the subsystem logs an appropriate error message. Be sure to check logs if that happens; see "Monitoring Logs".


© Copyright 1999 Netscape Communications Corp., a subsidiary of America Online, Inc. All rights reserved.