Certificates and keys > Manage certificates > Manage certificate revocation lists (CRLs)

Manage certificate revocation lists (CRLs)

You can configure Activator to compare certificates against lists of invalid certificates that are maintained by the issuing certificate authorities. This checking is done for outbound encrypted documents and inbound signed documents.

A certificate revocation list (CRL) is a list of third-party certificates that are no longer valid. Certificate authorities maintain such lists of certificates they issued but later invalidated for one reason or another. CRLs are accessible on the Internet, and you need an Internet connection to use them.

The Activator always attempts to do CRL checking for each traded message. Whether it succeeds in the attempt, and whether it fails a message with a revoked certificate, depends on whether a CRL is available to check a certificate against. CRL checking is only attempted for CA-issued certificates, never for self-signed certificates.

A certificate is checked if a CRL can be obtained from a CA. If there is a CRL for a given certificate, that CRL is issued and signed by the same issuer as the certificate. The CRL may have been downloaded from a distribution point that matches one specified in a CRL distribution point extension in the certificate. Most CRLs have a thisUpdate time indicating when the CRL was last updated by its issuer. Most also have a nextUpdate time indicating when the issuer next updates the CRL. A CRL may be updated before its nextUpdate time.

As an example of CRL checking, when a partner sends you an encrypted document, Activator checks the certificate associated with the inbound document against the appropriate CRL. If the certificate is on the CRL, Activator fails the inbound document.

Activator checks a specific certificate only against the appropriate CRL. For example, Activator does not check a certificate issued by VeriSign against a CRL issued by GlobalSign.

Although using CRLs can enhance security, the checking process can result in longer processing times. Consequently, your decision whether to use CRLs should weigh the security advantage against the performance handicap.

Activator usually checks a certificate against a previously downloaded CRL. But this can be extended to on-the-fly CRL downloading and checking by selecting the check box for Automatically retrieve CRLs on the CRL usage and retrieval configuration page (see Advanced CRL settings). With this enabled, Activator looks for a CRL distribution point URL in the certificate being checked and downloads the updated CRL if available. It then checks the certificate against the newly downloaded CRL. If an updated CRL is not available, Activator checks the certificate against the previously downloaded CRL. Because of this on-the-fly downloading and checking capability, there can be multiple CRLs from the same issuer.

You are responsible for obtaining from the certificate authority the information required for accessing the CRL. Activator downloads the latest CRL before performing certificate checks. It also can download updates of the CRL, based on the update interval in the previously downloaded CRL.

Related topics

How CRL checking works
Obtain CRL access information
Add a CRL
Manage certificate revocation lists (CRLs)
Advanced CRL settings

How CRL checking works

CRL checking is potentially performed for every non-root certificate encountered during certificate path validation. The following steps are taken for each such certificate.

The system retrieves the CRL distribution point, if any, from the current certificate. The CRL distribution point is the first URL found in a CRL distribution points extension in the certificate. Not all certificates have a CRL distribution point extension and not all such extensions have a URL.
The system looks in its cache of CRLs for an effective CRL with the same issuer and CRL distribution point (if any) as the current certificate. A CRL is considered to be effective if the current time is between the CRL's thisUpdate and nextUpdate times. If such a CRL is found, it is used: Go to step 9.
If the option for Automatically retrieve CRLs is selected on the CRL usage and retrieval configuration page and the certificate contains a CRL distribution point, the system attempts to retrieve a CRL from that distribution point. If a CRL is successfully retrieved, it is added to the CRL cache. The system again looks in its cache of CRLs for an effective CRL with the same issuer and CRL distribution point as the current certificate. If such a CRL is found, it is used. Go to step 9.
If the option for Use expired CRLs is selected on the CRL usage and retrieval configuration page, the system looks in its cache of CRLs for the most recently expired CRL with the same issuer and CRL distribution point (if any) as the current certificate. A CRL is considered to be expired if its nextUpdate time is in the past. If such a CRL is found, it is used. Go to step 9.
If the current certificate does not contain a CRL distribution point, there is no CRL to check. Go to step 8.
The system looks in its cache of CRLs for an effective CRL with the same issuer as the current certificate. If such a CRL is found, it is used. Go to step 9.
If the option for Use expired CRLs is selected on the CRL usage and retrieval configuration page, the system looks in its cache of CRLs for the most recently expired CRL with the same issuer as the current certificate. If such a CRL is found, it is used. Go to step 9. Note that this step is similar to step 4, with the exception that here the CRL distribution point is not checked.
No CRL could be found for checking the current certificate. If the option for Require CRLs is selected on the CRL usage and retrieval configuration page, the certificate path validation fails. Otherwise, the CRL check for the current certificate succeeds.
The signature of the found CRL is verified using the CRL's issuing certificate. If the verification fails, the certificate path validation fails.
The list of certificates in the CRL is checked whether it contains the current certificate. If the certificate is listed in the CRL, the certificate path validation fails. Otherwise, the CRL check for the current certificate succeeds.

Related topics

Obtain CRL access information
Add a CRL
Manage certificate revocation lists (CRLs)
Advanced CRL settings

Obtain CRL access information

Before you can download a CRL to Activator, you must obtain the information required to access the CA’s CRL.

CRLs are usually made available via one of three protocols: HTTP, HTTP/S, and Lightweight Directory Access Protocol (LDAP). For example, VeriSign CRLs are accessed via HTTP and Entrust CRLs are accessed via LDAP.

You can obtain the CRL information by viewing the details of a CA-issued certificate. See Details tab. The information, if present, is labeled as a CRL distribution point.

The following URL is an example of the CRL distribution point specified in a VeriSign certificate:

http://crl.verisign.com/class1.crl

You would enter this URL to add a VeriSign CRL to Activator.

Related topics

Add a CRL
Manage certificate revocation lists (CRLs)
Advanced CRL settings

Add a CRL

Use this procedure to download a CRL.

On the system management page, click Manage CRLs to display the CRL list page. The page lists imported CRLs, if any.
Click Add a CRL to launch the CRL wizard.
Type the URL to download the CRL. See Obtain CRL access information.
If you must connect through a proxy server to retrieve a CRL, see the proxy server fields described in Advanced CRL settings.
Click Next to display the get CRL updates page.
Select the interval for downloading an updated CRL.
Click Next to display the download the CRL page.
Select whether you want to download the CRL now or later.
Click Finish. If you elected to download the CRL now, the CRL is listed on the CRL list page with a status of Success.
CRL files are stored in subdirectories of common\conf\crls. Once a subdirectory reaches the maximum CRL file limit, the server creates another subdirectory and begins storing additional CRLs in the new folder. This is intended as an aide to users who may have thousands of CRL files. By default, the maximum limit for each subdirectory is 500 files.

Related topics

Obtain CRL access information
Manage certificate revocation lists (CRLs)
Advanced CRL settings

Manage CRL lists

Once one or more CRLs have been downloaded, you can use the CRL list page to manage them. To open this page:

Click System management on the menu bar to open the System management page.
From the list of tasks at the bottom of the page, click Manage CRLs to open the CRLs page.

The CRLs page shows the name of each CRL, the date and time the CRL was last updated, the update schedule status, and the download status.

On this page you can click the URL of a CRL and open another page that lets you change the URL for downloading the CRL or the updating interval. You also can view details of the CRL.

To delete a CRL, click Delete to the right of a CRL on the CRL list page or click Delete this CRL on the manage CRL page. Deleted CRLs no longer appear on the CRL list page and are deleted from <install directory>\common\conf\crls.

Related topics

Obtain CRL access information
Add a CRL
Advanced CRL settings

Advanced CRL settings

Use the CRL usage and retrieval configuration page to control how CRLs are used and updated in Activator.

In most cases the default settings on this page are adequate. You may want to change settings for special requirements. When the default values are used and no current CRLs are in <install directory>\common\conf\crls, CRL checking does not occur.

To open the CRL usage and retrieval configuration page:

Select System management on the toolbar to open the System management page.
From the list of tasks at the bottom of the page, click Manage CRLs to open the CRLs page.
Click Configure CRL usage and retrieval to open the CRL usage and retrieval configuration page.
The fields on the CRL usage and retrieval configuration page are described in the following section. These values are stored in the database.
Click Save changes to save your changes to this page.

CRL usage and retrieval tab

Require CRLs

Select this to mandate CRL checking for all non-root (not self-signed) certificates and to fail certificate path validation when Activator cannot find a certificate's CRL. In most cases, Require CRLs is turned off by default. However, if you are licensed to perform CSOS processing, Require CRLs is on by default because CRL checking is presumed for CSOS.

When Require CRLs is turned off and a CRL cannot be found for a certificate, the certificate is presumed valid and certificate path validation continues.

When Require CRLs is turned on, Activator must find a CRL for each non-root certificate. If a CRL is not found, the certificate is considered revoked and the certificate path validation fails.

When selected, make sure update schedules are set on the manage CRL page for all CRLs needed to check non-root and intermediary certificates in the certificate path.

Except when certificate does not contain CRL distribution point – If you select this option, CRL checking does not result in an error when a CRL for a certificate cannot be found and the certificate does not contain a CRL distribution point.

Use expired CRLs

Select this option to enable the use of an expired CRL when Activator cannot find a current CRL in <install directory>\common\conf\crls. Activator looks for a current CRL with the same issuer name as the certificate being checked. In a current CRL, the current time stamp is between the CRL's thisUpdate and nextUpdate time stamps. If Activator cannot find such a CRL, it looks for a CRL with the same issuer name as the certificate and with a nextUpdate time stamp that is before the current time stamp. If more than one such expired CRL is found, the most recently expired CRL is used to check whether the certificate has been revoked. Clear the check box to use only CRLs that have not expired. Use expired CRLs s turned off by default.

Automatically retrieve CRLs

Select this option to automatically retrieve CRLs using the information in certificates' CRL distribution points extension. When this option is selected and Activator does not already have an effective CRL for a certificate, it attempts to use the certificate's CRL distribution point extension to retrieve the CRL for that certificate.

If Activator fails to retrieve a CRL and the Require CRLs option is selected, Activator will fail to validate the certificate. In most cases, Automatically retrieve CRLs is turned off by default. However, if you are licensed to perform CSOS processing, Automatically retrieve CRLs is on by default because CRL checking is presumed for CSOS.

Proxy mode for HTTP/HTTPS CRL retrieval

None – Retrieval through a proxy is turned off.
Local – Retrieval is through the proxy configured on this page.
- Host – The name or IP address of the proxy server to use when retrieving CRLs via HTTP or HTTPS.
- Port – The port number of the proxy server to use when retrieving CRLs via HTTP or HTTPS.
- This proxy requires a user name and password – Select this option if a user name and password are required to connect to the proxy server. Type the authentication information in the user name and password fields.

Trusted root certificates tab

The Trusted roots certificates tab displays the roots of partners certificates that a community trusts. In the case of a self-signed certificate, the trust is for the certificate itself, as a self-signed certificate is a root certificate. In the case of a certificate authority certificate, the trust is for the root certificate in the chain of trust of a partner’s certificate. By default, the system trusts root certificates when end-entity partner certificates are imported.

You can elect not to trust a root certificate by clicking Untrust to the right of the root certificate name. If you do untrust, the system no longer recognizes the end-entity partner certificate as valid. This could affect many end-entity partner certificates. You cannot restore trust on this tab. To trust the roots again, import the partner end-entity certificate or the root certificate. The easier method is importing the end-entity certificate, as the system trusts the root by default.
A single CA might be listed multiple times on the tab, because each has multiple roots, each with unique fingerprints under which it issues certificates. To view the fingerprints, select a root and review the MD5 and SHA1 fingerprints on the details tab. By comparing fingerprints you can choose to trust some but not all of a CA’s certificates.
To import a trusted root, click Add a trusted root certificate and see Import certificates for partners.
Trusted SSL root certificates tab – The trusted SSL root certificates tab displays the trusted roots of partners’ certificates that, when presented by partners, enable the partners to connect to the community’s SSL servers that require client authentication. For an explanation of trusted roots and the consequences of untrusting, see Trusted roots certificates tab. See SSL authentication.
To import a trusted root, click Add a trusted root certificate for SSL servers on the certificates page and see Import certificates for partners.

Related topics

Obtain CRL access information
Add a CRL
Manage certificate revocation lists (CRLs)
CRL caching

CRL caching

As CRLs are used, they are cached in memory. The CRL cache is implemented as a bounded most recently used (MRU) cache. The cache grows to a maximum number of entries, after which the least recently used entry is removed to make room for the addition of a new entry. Every time an entry is added or used, it is moved to the top of the list of most recently used entries.

The default maximum size for the CRL cache is 150 entries.

Every node in Activator maintains its own CRL cache according to what CRLs are used by that node.

..\tools>crlPurgeHttpsClient http 127.0.0.1 6080 api-user test
connecting to host: 127.0.0.1, using protocol: http port:6080, user: api-user and non-null password

response code:200
purge response code=204 and message: No Content

purge task successfully started, start time: Mon Jan 26 14:35:11 MST 2015
See event logs for purge complete event.