5.1.5 Verifying the validity of certificates
(1) CRL file format
The CRL is stored either as a DER-format file or as a PEM-format file. A DER-format CRL is a binary file. A PEM-format CRL contains the same data Base64-encoded, enclosed between the "-----BEGIN X509 CRL-----" and "-----END X509 CRL-----" tags placed before and after the data.
- Example: CRL in the PEM format
<Cosminexus-installation-directory>\httpsd\conf\ssl\crl\PEM>type crl.pem
-----BEGIN X509 CRL-----
MIIBGDCBwwIBATANBgkqhkiG9w0BAQQFADB0MQswCQYDVQQGEwJKUDERMA8GA1UE
CBMIS2FuYWdhd2ExFTATBgNVBAcTDFlva29oYW1hLXNoaTERMA8GA1UEChMITE9D
QUwtQ0ExDDAKBgNVBAsTA2NhMTEaMBgGA1UEAxMRY2ExLmhpdGFjaGkuY28uanAX
DTAxMDgyOTA0NDIzMFoXDTAxMDgzMDA1NTIzMFowGzAZAghx2Sa8AAAAARcNMDEw
ODI4MDQ1MTI5WjANBgkqhkiG9w0BAQQFAANBAJorY7DUJ91uthNlAA+PT6zw6rVo
uZLFeYZPNVXgF217YOCtJtKDT+16bR5kgk0p/1xIbgReshjMNTmXPqARNjE=
-----END X509 CRL-----
(2) Applying a CRL in Cosminexus HTTP Server
To verify the validity of client certificates against a CRL, carry out the following steps in addition to those described in 5.1.4 Preparing for SSL client authentication, and then restart the Web server:
- Acquiring the CRL
Acquire the CRL file from the CRL distribution point of each CA and store it in an appropriate directory. If the CRL is managed in an LDAP server, you can use the crldownload command to retrieve it.
- Editing httpsd.conf (directive definition)
To enable CRL checking, specify the directory that holds the CRL files in the SSLCRLDERPath directive (DER-format CRLs) or the SSLCRLPEMPath directive (PEM-format CRLs).
- Start or restart the Web server.
- To update an existing CRL, delete the old CRL file from the directory and add the new one, or overwrite the old file with the new one, and then restart the Web server.
- The CRL files are loaded when the Web server starts, so also restart the Web server whenever you add a new CRL or delete an existing one.
(3) Verifying the client certificate that uses the CRL
When a client certificate is checked against the CRL, the following items are verified:
- Whether the CRL itself is valid.
- Whether the current date is before the CRL's next issue date (the nextUpdate field of the CRL).
- Whether the serial number of the client certificate is listed in the CRL.
(a) Conditions under which the client certificate is determined to be valid
After checking the client certificate against the CRL, the certificate is determined to be valid under any of the following conditions:
- No CRL issued by the CA that issued the client certificate has been loaded. Note that a certificate is therefore not rejected merely because the CRL of its issuing CA is missing from the CRL directory.
- The current date is before the CRL's next issue date, and the serial number of the connecting client's certificate is not listed in the CRL.
- The current date is after the CRL issue date, the CRL specifies no next issue date, and the serial number of the connecting client's certificate is not listed in the CRL.
- The current date is after the CRL's next issue date, the serial number of the connecting client's certificate is not listed in the CRL, and the SSLCRLAuthoritative directive is set to Off.
(b) Conditions under which the client certificate is determined to be invalid
After checking the client certificate against the CRL, the certificate is determined to be invalid under any of the following conditions:
- The CRL is invalid.
- The serial number of the connecting client's certificate is listed in the CRL.
- The current date is after the CRL's next issue date, the serial number of the connecting client's certificate is not listed in the CRL, and the SSLCRLAuthoritative directive is set to On. In other words, with SSLCRLAuthoritative On, a stale CRL causes the check to fail instead of being ignored.
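The following example is added here to tie (1) and (3) together; it is not part of the Cosminexus documentation or product. It decodes the PEM-format CRL shown in (1) with a minimal DER walker (no third-party library), extracts the CRL issue date, next issue date and revoked serial numbers, and then applies the decision rules of (3)(a) and (3)(b) to a connecting client certificate. The function names (pem_to_der, parse_crl, crl_verdict) are the example's own, the SSLCRLAuthoritative setting is modelled as a boolean parameter, and a CRL whose issue date lies in the future is treated as an invalid CRL, which the page does not state. The CRL signature is not verified, so this shows the file format and the decision logic, not a replacement for the server's own check.

```python
import base64
import re
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional, Set

# Constructed sample input: the PEM-format CRL printed in (1) above (issuer ca1.hitachi.co.jp).
SAMPLE_CRL_PEM = """-----BEGIN X509 CRL-----
MIIBGDCBwwIBATANBgkqhkiG9w0BAQQFADB0MQswCQYDVQQGEwJKUDERMA8GA1UE
CBMIS2FuYWdhd2ExFTATBgNVBAcTDFlva29oYW1hLXNoaTERMA8GA1UEChMITE9D
QUwtQ0ExDDAKBgNVBAsTA2NhMTEaMBgGA1UEAxMRY2ExLmhpdGFjaGkuY28uanAX
DTAxMDgyOTA0NDIzMFoXDTAxMDgzMDA1NTIzMFowGzAZAghx2Sa8AAAAARcNMDEw
ODI4MDQ1MTI5WjANBgkqhkiG9w0BAQQFAANBAJorY7DUJ91uthNlAA+PT6zw6rVo
uZLFeYZPNVXgF217YOCtJtKDT+16bR5kgk0p/1xIbgReshjMNTmXPqARNjE=
-----END X509 CRL-----
"""


@dataclass
class ParsedCRL:
    this_update: datetime            # CRL issue date (thisUpdate)
    next_update: Optional[datetime]  # next issue date (nextUpdate); some CRLs omit it
    revoked_serials: Set[int]        # serial numbers listed under revokedCertificates


def pem_to_der(pem: str) -> bytes:
    """Strip the X509 CRL PEM armour and Base64-decode the body; the result is the DER form."""
    m = re.search(r"-----BEGIN X509 CRL-----(.*?)-----END X509 CRL-----", pem, re.S)
    if m is None:
        raise ValueError("no X509 CRL PEM block found")
    return base64.b64decode("".join(m.group(1).split()))


def _tlv(buf: bytes, pos: int):
    """Read one DER tag-length-value at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long form: low bits give the byte count of the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _children(value: bytes):
    """Split the content of a SEQUENCE or SET into its (tag, value) elements."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = _tlv(value, pos)
        out.append((tag, val))
    return out


def _time(tag: int, val: bytes) -> datetime:
    """Decode UTCTime (tag 0x17, YYMMDDHHMMSSZ) or GeneralizedTime (tag 0x18, YYYYMMDDHHMMSSZ)."""
    s = val.decode("ascii")
    if tag == 0x17:
        s = ("19" if int(s[:2]) >= 50 else "20") + s   # RFC 5280 two-digit year rule
    elif tag != 0x18:
        raise ValueError("unexpected time tag 0x%02x" % tag)
    return datetime.strptime(s[:14], "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def parse_crl(der: bytes) -> ParsedCRL:
    """Walk CertificateList -> TBSCertList and pull out the fields the validity rules need.
    The signature over the CRL is NOT verified here; a real check must do that first."""
    _, cert_list, _ = _tlv(der, 0)               # CertificateList SEQUENCE
    _, tbs, _ = _tlv(cert_list, 0)               # TBSCertList SEQUENCE
    fields = _children(tbs)
    i = 1 if fields[0][0] == 0x02 else 0         # optional version INTEGER
    i += 2                                       # skip signature AlgorithmIdentifier and issuer Name
    this_update = _time(*fields[i]); i += 1
    next_update = None
    if i < len(fields) and fields[i][0] in (0x17, 0x18):
        next_update = _time(*fields[i]); i += 1
    revoked = set()
    if i < len(fields) and fields[i][0] == 0x30:     # revokedCertificates SEQUENCE OF entries
        for _, entry in _children(fields[i][1]):
            _, serial = _children(entry)[0]           # userCertificate INTEGER is the first element
            revoked.add(int.from_bytes(serial, "big", signed=True))
    return ParsedCRL(this_update, next_update, revoked)


def crl_verdict(crl: Optional[ParsedCRL], client_serial: int, now: datetime,
                ssl_crl_authoritative: bool) -> str:
    """Return "valid" or "invalid" for a client certificate, following rules (3)(a) and (3)(b).
    crl=None models the case where no CRL from the issuing CA has been loaded."""
    if crl is None:
        return "valid"                           # (a): no CRL for the issuing CA, so nothing to check against
    if now < crl.this_update:
        return "invalid"                         # assumption (not on the page): a future-dated CRL is an invalid CRL
    if client_serial in crl.revoked_serials:
        return "invalid"                         # (b): serial number is listed in the CRL
    if crl.next_update is None or now < crl.next_update:
        return "valid"                           # (a): not listed, and the next issue date has not passed
    # Past the next issue date: the CRL is stale and SSLCRLAuthoritative decides the outcome
    return "invalid" if ssl_crl_authoritative else "valid"   # (b) with On, (a) with Off


if __name__ == "__main__":
    crl = parse_crl(pem_to_der(SAMPLE_CRL_PEM))
    print("thisUpdate:", crl.this_update, " nextUpdate:", crl.next_update)
    print("revoked serials:", [hex(s) for s in crl.revoked_serials])
    during = datetime(2001, 8, 29, 12, 0, tzinfo=timezone.utc)   # between thisUpdate and nextUpdate
    stale = datetime(2001, 9, 1, tzinfo=timezone.utc)            # after nextUpdate
    for serial, when, auth in [(0x71D926BC00000001, during, False), (0x1234, during, False),
                               (0x1234, stale, False), (0x1234, stale, True)]:
        print(hex(serial), when.date(), "SSLCRLAuthoritative=%s ->" % auth,
              crl_verdict(crl, serial, when, auth))
```

Running the script decodes the page's sample CRL to one revoked serial (0x71D926BC00000001, revoked on 2001-08-28) with a next issue date of 2001-08-30 05:52:30 UTC, and the table printed at the end makes the operational point of (3) visible: once that date has passed, an unlisted certificate is accepted with SSLCRLAuthoritative Off and rejected with SSLCRLAuthoritative On, so a forgotten CRL refresh either silently weakens revocation checking or locks out every client, depending on that directive.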