5.3.1 Downloading CRL

Access the LDAP server and download the certificate revocation list (CRL) from the specified attribute. Confirm the entry, the attribute, and the CRL format in advance with the LDAP administrator before acquiring the CRL.

The crldownload command that downloads the CRL is described below:

The crldownload command cannot be used in the HP-UX (IPF) version of the product.

Organization of this subsection
(1) Format
(2) Option
(3) How to use
(4) Usage example

(1) Format

crldownload -b search-base-DN -L LDAP-library-name -o file-name [-a attribute] [-D bind-DN] [-h host-name] [-H] [-p port-number] [-w password]

(2) Option

(3) How to use

The following figure shows how to use the crldownload command.

Figure 5-3 How to use the crldownload command

[Figure]

  1. Use the crldownload command to access the entry storing the CRL.
  2. Acquire the CRL from the entry attribute. If the stored CRL is in DER format, download it to the directory specified in the SSLCRLDERPath directive; if it is in PEM format, download it to the directory specified in the SSLCRLPEMPath directive.
  3. Restart the Web server.
  4. The client sends its certificate when it accesses the server over SSL.
  5. Apply the acquired CRL when authenticating the client certificate.
  6. If authentication succeeds, the client can access the contents.
Note: If a file in an inappropriate format is present in a directory specified in the SSLCRLPEMPath or SSLCRLDERPath directive, the Web server does not start. Therefore, when you use the crldownload tool, make sure that the CRL is in the correct format before you store it in these directories.
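The following script is an added example of steps 1 to 3 above together with the format check the note calls for; it is not Hitachi's hws_getCRL.sh and not part of this manual. It invokes crldownload with the options shown in (1), checks whether the downloaded file really is a DER or PEM CRL, copies it only into the matching SSLCRLDERPath or SSLCRLPEMPath directory, and then restarts the Web server. The search base DN, LDAP library name, attribute name, host name, directory paths and the restart_web_server function body are placeholder values to be replaced with those agreed with the LDAP administrator and the server's actual restart command.

```shell
#!/bin/sh
# Added example (not Hitachi's hws_getCRL.sh): download a CRL with crldownload,
# verify its encoding, stage it into the SSLCRLDERPath or SSLCRLPEMPath
# directory, and restart the Web server. All LDAP values, directory names and
# the restart command are placeholders (assumptions), not values from the manual.

# Report the encoding of the CRL file named in $1: PEM, DER or UNKNOWN.
crl_format() {
    if grep -q -- '-----BEGIN X509 CRL-----' "$1" 2>/dev/null; then
        echo PEM
    # A DER-encoded CRL is an ASN.1 SEQUENCE, so its first byte must be 0x30.
    elif [ "$(od -An -tx1 -N1 "$1" 2>/dev/null | tr -d ' \n')" = "30" ]; then
        echo DER
    else
        echo UNKNOWN
    fi
}

# Copy the CRL file $1 into the DER directory $2 or the PEM directory $3 according
# to its encoding, under the name $4 (defaults to the source file name).
# Any other content is refused, because a malformed file in either directory
# prevents the Web server from starting.
stage_crl() {
    dest_name=${4:-$(basename "$1")}
    case "$(crl_format "$1")" in
        DER) mkdir -p "$2" && cp "$1" "$2/$dest_name" ;;
        PEM) mkdir -p "$3" && cp "$1" "$3/$dest_name" ;;
        *)   echo "refusing to stage $1: not a DER or PEM CRL" >&2; return 1 ;;
    esac
}

# Placeholder: replace the body with the Web server's actual restart command.
restart_web_server() {
    echo "placeholder: run the Web server restart command here"
}

# One download-validate-stage-restart cycle.
# $1 = directory named by SSLCRLDERPath, $2 = directory named by SSLCRLPEMPath.
# Scheduling this function from cron gives the periodic update described in (4)(b).
fetch_and_install() {
    tmp=$(mktemp) || return 1
    # LDAP settings below are hypothetical placeholders (override via environment).
    crldownload -b "${CRL_BASE_DN:-ou=crl,o=example}" \
                -L "${LDAP_LIB:-libldap.so}" \
                -o "$tmp" \
                -a "${CRL_ATTR:-certificateRevocationList}" \
                -h "${LDAP_HOST:-ldap.example.com}" || { rm -f "$tmp"; return 1; }
    if stage_crl "$tmp" "$1" "$2" "${CRL_FILE_NAME:-ldap-crl}"; then
        rm -f "$tmp"
        restart_web_server
    else
        # Nothing was copied, so the running server's directories are untouched.
        rm -f "$tmp"
        return 1
    fi
}
```

The download goes to a temporary file first so that a truncated or wrongly formatted result never reaches the directories the Web server reads at startup; only a file that passes crl_format is copied, and the server is restarted only after a successful copy.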

(4) Usage example

(a) Downloading CRL in the DER format

Execute the following script to download the CRL. The script file is /opt/hitachi/httpsd/sbin/hws_getCRL.sh in the UNIX version and <Cosminexus-installation-directory>\httpsd\sbin\hws_getCRL.bat in the Windows version.

(b) Downloading CRL and restarting the Web server at regular intervals