5.1.5 Verifying the validity of certificates

When the Web server authenticates the SSL client, it can use a Certificate Revocation List (CRL) to verify the client certificate and to confirm that the certificate is still valid at that time. Acquire the CRL from the CA that issued the client certificate to be verified.

Organization of this subsection
(1) CRL file format
(2) CRL application method of Cosminexus HTTP Server
(3) Verifying the client certificate that uses the CRL

(1) CRL file format

The CRL is supplied either as a DER-format file or as a PEM-format file. A DER-format CRL is a binary file; a PEM-format CRL is a Base64-encoded file with the "-----BEGIN X509 CRL-----" and "-----END X509 CRL-----" tags placed before and after the data.

Example: CRL in the PEM format
<Cosminexus-installation-directory>\httpsd\conf\ssl\crl\PEM>type crl.pem
-----BEGIN X509 CRL-----
MIIBGDCBwwIBATANBgkqhkiG9w0BAQQFADB0MQswCQYDVQQGEwJKUDERMA8GA1UE
CBMIS2FuYWdhd2ExFTATBgNVBAcTDFlva29oYW1hLXNoaTERMA8GA1UEChMITE9D
QUwtQ0ExDDAKBgNVBAsTA2NhMTEaMBgGA1UEAxMRY2ExLmhpdGFjaGkuY28uanAX
DTAxMDgyOTA0NDIzMFoXDTAxMDgzMDA1NTIzMFowGzAZAghx2Sa8AAAAARcNMDEw
ODI4MDQ1MTI5WjANBgkqhkiG9w0BAQQFAANBAJorY7DUJ91uthNlAA+PT6zw6rVo
uZLFeYZPNVXgF217YOCtJtKDT+16bR5kgk0p/1xIbgReshjMNTmXPqARNjE=
-----END X509 CRL-----
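The following is an added example, not part of the Cosminexus documentation, that decodes the sample PEM CRL above with a minimal DER reader and then applies the revocation check described in (3): a client certificate is rejected if its serial number appears in the CRL, and the CRL itself is only trusted between its thisUpdate and nextUpdate times. The CRL signature check against the CA certificate is left to the Web server and is not shown; the status strings and function names are this example's own.

```python
import base64, re
from datetime import datetime, timezone
# Sample CRL from the page above (PEM); it lists one revoked certificate.
PEM_CRL = """-----BEGIN X509 CRL-----
MIIBGDCBwwIBATANBgkqhkiG9w0BAQQFADB0MQswCQYDVQQGEwJKUDERMA8GA1UE
CBMIS2FuYWdhd2ExFTATBgNVBAcTDFlva29oYW1hLXNoaTERMA8GA1UEChMITE9D
QUwtQ0ExDDAKBgNVBAsTA2NhMTEaMBgGA1UEAxMRY2ExLmhpdGFjaGkuY28uanAX
DTAxMDgyOTA0NDIzMFoXDTAxMDgzMDA1NTIzMFowGzAZAghx2Sa8AAAAARcNMDEw
ODI4MDQ1MTI5WjANBgkqhkiG9w0BAQQFAANBAJorY7DUJ91uthNlAA+PT6zw6rVo
uZLFeYZPNVXgF217YOCtJtKDT+16bR5kgk0p/1xIbgReshjMNTmXPqARNjE=
-----END X509 CRL-----"""
def _tlv(buf, pos):  # read one DER tag-length-value -> (tag, value, position after it)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _time(val):  # UTCTime "YYMMDDhhmmssZ" (13 chars) or GeneralizedTime "YYYYMMDDhhmmssZ"
    fmt = "%y%m%d%H%M%SZ" if len(val) == 13 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(val.decode(), fmt).replace(tzinfo=timezone.utc)

def parse_crl(pem):
    """Return (this_update, next_update, {serial: revocation_date}) from a PEM CRL."""
    body = re.search(r"-----BEGIN X509 CRL-----(.*?)-----END X509 CRL-----", pem, re.S).group(1)
    _, crl, _ = _tlv(base64.b64decode("".join(body.split())), 0)  # CertificateList
    _, tbs, _ = _tlv(crl, 0)                                       # TBSCertList
    pos = _tlv(tbs, 0)[2] if tbs[0] == 0x02 else 0                 # skip optional version
    _, _, pos = _tlv(tbs, pos)                                     # signature AlgorithmIdentifier
    _, _, pos = _tlv(tbs, pos)                                     # issuer Name
    _, val, pos = _tlv(tbs, pos)                                   # thisUpdate
    this_update, next_update, revoked = _time(val), None, {}
    if pos < len(tbs) and tbs[pos] in (0x17, 0x18):                # nextUpdate is OPTIONAL
        _, val, pos = _tlv(tbs, pos)
        next_update = _time(val)
    if pos < len(tbs) and tbs[pos] == 0x30:                        # revokedCertificates, absent if none
        _, entries, pos = _tlv(tbs, pos)
        epos = 0
        while epos < len(entries):
            _, entry, epos = _tlv(entries, epos)
            _, serial, p = _tlv(entry, 0)                          # userCertificate INTEGER
            _, date, _ = _tlv(entry, p)                            # revocationDate
            revoked[int.from_bytes(serial, "big", signed=True)] = _time(date)
    return this_update, next_update, revoked

def check_client_cert(serial, crl, now):  # classify a client certificate serial against the CRL
    this_update, next_update, revoked = crl
    if now < this_update or (next_update is not None and now > next_update):
        return "CRL_OUT_OF_DATE"  # fetch a fresh CRL from the CA and restart the Web server
    return "REVOKED" if serial in revoked else "NOT_REVOKED"
```

For the sample CRL, parse_crl returns thisUpdate 2001-08-29 04:42:30Z, nextUpdate 2001-08-30 05:52:30Z and one revoked serial, 0x71D926BC00000001.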

(2) CRL application method of Cosminexus HTTP Server

When you use the CRL to verify the validity of the client certificate, perform the following steps in addition to the steps described in 5.1.4 Preparing for SSL client authentication, and then restart the Web server:

  1. Acquiring the CRL
    Acquire the CRL file from the CRL distribution point of each CA and store it in the appropriate directory. For a CRL managed on an LDAP server, you can use the crldownload command.
  2. Editing httpsd.conf (directive definition)
    To enable the CRL, specify the directory where the CRL file is stored in the SSLCRLDERPath or SSLCRLPEMPath directive.
  3. Start or restart the Web server.
  4. When updating an existing CRL, delete the old CRL from the directory and add the new CRL, or overwrite the old CRL with the new one, and then restart the Web server.
  5. Also restart the Web server whenever you add a new CRL or delete a CRL.

(3) Verifying the client certificate that uses the CRL

The following items are checked when a client certificate is verified against the CRL:

(a) CRL verification that determines the client certificate to be valid

The client certificate is determined to be valid by CRL verification under the following conditions:

(b) CRL verification that determines the client certificate to be invalid

The client certificate is determined to be invalid during CRL verification under the following conditions: