Hitachi

uCosminexus Application Server HTTP Server User Guide


5.1.4 Verifying the validity of certificates

When the Web server authenticates an SSL client, it can also check the client certificate against a Certificate Revocation List (CRL) to confirm that the certificate has not been revoked as of the time of the connection. Obtain the CRL from the CA that issued the client certificates to be verified.

(1) CRL file format

The CRL must be a PEM-encoded file.

Example: CRL in the PEM format
Application Server-installation-directory\httpsd\conf\ssl\crl>type crl.pem
-----BEGIN X509 CRL-----
MIIBGDCBwwIBATANBgkqhkiG9w0BAQQFADB0MQswCQYDVQQGEwJKUDERMA8GA1UE
CBMIS2FuYWdhd2ExFTATBgNVBAcTDFlva29oYW1hLXNoaTERMA8GA1UEChMITE9D
QUwtQ0ExDDAKBgNVBAsTA2NhMTEaMBgGA1UEAxMRY2ExLmhpdGFjaGkuY28uanAX
DTAxMDgyOTA0NDIzMFoXDTAxMDgzMDA1NTIzMFowGzAZAghx2Sa8AAAAARcNMDEw
ODI4MDQ1MTI5WjANBgkqhkiG9w0BAQQFAANBAJorY7DUJ91uthNlAA+PT6zw6rVo
uZLFeYZPNVXgF217YOCtJtKDT+16bR5kgk0p/1xIbgReshjMNTmXPqARNjE=
-----END X509 CRL-----
Note

If a DER-format CRL was used with an older version of HTTP Server, convert the CRL to PEM format before using it.

(2) CRL application method of HTTP Server

To verify client certificates against a CRL, carry out the following steps in addition to those in 5.1.3 Preparing for SSL client authentication, and then restart the Web server:

  1. Acquiring CRL

    Obtain the CRL file from the CRL distribution point of each CA and store it in the appropriate directory.

  2. Editing httpsd.conf (directive definition)

    To enable the CRL, specify leaf in the SSLCARevocationCheck directive and specify the CRL file in the SSLCARevocationFile directive.

  3. Start or restart the Web server.

  4. To update an existing CRL, overwrite the old CRL file with the new one and then restart the Web server so that the new CRL is read. Schedule the update before the next issue date recorded in the installed CRL; once that date has passed, none of the conditions in (3)(a) under which a client certificate is determined to be valid can be met.

(3) Verifying the client certificate against the CRL

When a client certificate is verified against the CRL, the Web server decides as follows:

(a) Conditions under which the client certificate is determined to be valid

The client certificate is determined to be valid in any of the following cases:

  • No CRL issued by the CA that issued the client certificate has been loaded.

  • The current date is before the next issue date (nextUpdate) of the CRL, and the serial number of the connecting client's certificate is not listed in the CRL.

  • The current date is after the issue date (thisUpdate) of the CRL, no next issue date is specified, and the serial number of the connecting client's certificate is not listed in the CRL.

(b) Conditions under which the client certificate is determined to be invalid

The client certificate is determined to be invalid in either of the following cases:

  • The CRL itself is invalid.

  • The serial number of the connecting client's certificate is listed in the CRL.
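The following Python program is an added example and is not part of this manual or of HTTP Server. It reads the PEM CRL shown in (1) with a small standard-library DER walker, performs the DER-to-PEM conversion mentioned in the note to (1), and then applies the decision rules of (3) to a connecting client's serial number. The CRL signature is not verified here; the Web server must verify it against the CA certificate before trusting any field. Two details are assumptions of this example rather than statements of the manual: a CRL whose thisUpdate is still in the future, or whose nextUpdate has passed, is treated as "the CRL is invalid" under (3)(b), and the function and variable names (parse_crl, check_client_cert, CRL_PEM, and so on) are the example's own.

```python
import base64
import re
from datetime import datetime, timezone

# The CRL printed in 5.1.4(1), re-wrapped at 64 columns (input for this example).
CRL_PEM = """-----BEGIN X509 CRL-----
MIIBGDCBwwIBATANBgkqhkiG9w0BAQQFADB0MQswCQYDVQQGEwJKUDERMA8GA1UE
CBMIS2FuYWdhd2ExFTATBgNVBAcTDFlva29oYW1hLXNoaTERMA8GA1UEChMITE9D
QUwtQ0ExDDAKBgNVBAsTA2NhMTEaMBgGA1UEAxMRY2ExLmhpdGFjaGkuY28uanAX
DTAxMDgyOTA0NDIzMFoXDTAxMDgzMDA1NTIzMFowGzAZAghx2Sa8AAAAARcNMDEw
ODI4MDQ1MTI5WjANBgkqhkiG9w0BAQQFAANBAJorY7DUJ91uthNlAA+PT6zw6rVo
uZLFeYZPNVXgF217YOCtJtKDT+16bR5kgk0p/1xIbgReshjMNTmXPqARNjE=
-----END X509 CRL-----
"""
# Attribute types under OID 2.5.4 (DER bytes 55 04 xx) that appear in an issuer Name.
RDN_NAMES = {6: "C", 8: "ST", 7: "L", 10: "O", 11: "OU", 3: "CN"}


def utc(*ymdhms):
    return datetime(*ymdhms, tzinfo=timezone.utc)


def pem_to_der(pem):
    m = re.search(r"-----BEGIN X509 CRL-----(.*?)-----END X509 CRL-----", pem, re.S)
    if not m:
        raise ValueError("not a PEM-encoded X509 CRL")
    return base64.b64decode("".join(m.group(1).split()), validate=True)


def der_to_pem(der):
    """The conversion the note in (1) asks for when an old DER CRL is reused."""
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN X509 CRL-----\n%s\n-----END X509 CRL-----\n" % body


def tlv(buf, off):
    """Decode one DER element: (tag, value_start, value_end, next_offset)."""
    tag, length = buf[off], buf[off + 1]
    off += 2
    if length & 0x80:                     # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[off:off + n], "big")
        off += n
    return tag, off, off + length, off + length


def der_time(tag, raw):
    """UTCTime (0x17, YYMMDDHHMMSSZ) or GeneralizedTime (0x18, YYYYMMDDHHMMSSZ)."""
    s = raw.decode("ascii")
    if tag == 0x17:                       # RFC 5280 4.1.2.5.1: YY >= 50 is 19YY, else 20YY
        s = ("19" if int(s[:2]) >= 50 else "20") + s
    elif tag != 0x18:
        raise ValueError("unexpected time tag 0x%02x" % tag)
    return datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def issuer_name(buf, start, end):
    """Flatten the issuer Name (SEQUENCE OF SET OF AttributeTypeAndValue)."""
    parts, p = [], start
    while p < end:
        _, ss, _, p = tlv(buf, p)         # RelativeDistinguishedName (SET)
        _, as_, _, _ = tlv(buf, ss)       # AttributeTypeAndValue (SEQUENCE)
        _, os_, oe, q = tlv(buf, as_)     # attribute type (OBJECT IDENTIFIER)
        _, vs, ve, _ = tlv(buf, q)        # attribute value (PrintableString here)
        key = RDN_NAMES.get(buf[oe - 1], "?") if buf[os_:oe - 1] == b"\x55\x04" else "?"
        parts.append("%s=%s" % (key, buf[vs:ve].decode("latin-1")))
    return ", ".join(parts)


def parse_crl(der):
    """Return issuer, thisUpdate, nextUpdate and {serial: revocationDate} of a CertificateList."""
    _, tbs_start, _, _ = tlv(der, 0)                  # CertificateList
    _, off, tbs_end, _ = tlv(der, tbs_start)          # tbsCertList
    tag, vs, ve, off = tlv(der, off)
    if tag == 0x02:                                   # optional version, then
        tag, vs, ve, off = tlv(der, off)              # signature AlgorithmIdentifier
    _, vs, ve, off = tlv(der, off)                    # issuer
    crl = {"issuer": issuer_name(der, vs, ve), "next_update": None, "revoked": {}}
    tag, vs, ve, off = tlv(der, off)                  # thisUpdate (the CRL issue date)
    crl["this_update"] = der_time(tag, der[vs:ve])
    while off < tbs_end:                              # nextUpdate, revokedCertificates, [0] extensions
        tag, vs, ve, off = tlv(der, off)
        if tag in (0x17, 0x18):
            crl["next_update"] = der_time(tag, der[vs:ve])
        elif tag == 0x30:
            p = vs
            while p < ve:
                _, es, _, p = tlv(der, p)             # one revoked entry
                _, ss, se, q = tlv(der, es)           # userCertificate (serial number)
                t, ds, de, _ = tlv(der, q)            # revocationDate
                serial = int.from_bytes(der[ss:se], "big", signed=True)
                crl["revoked"][serial] = der_time(t, der[ds:de])
    return crl


def check_client_cert(serial, issuer, crl, now):
    """Apply the rules in 5.1.4(3); returns (is_valid, reason).

    Assumption of this example: a CRL whose thisUpdate is in the future or whose
    nextUpdate has passed counts as 'the CRL is invalid' in (3)(b).
    """
    if crl is None or crl["issuer"] != issuer:
        return True, "no CRL loaded for the issuing CA"            # (a) first bullet
    if now < crl["this_update"]:
        return False, "CRL is not yet valid"                       # (b) first bullet
    if crl["next_update"] is not None and now >= crl["next_update"]:
        return False, "CRL has expired"                            # (b) first bullet
    if serial in crl["revoked"]:
        return False, "revoked on " + crl["revoked"][serial].isoformat()  # (b) second bullet
    return True, "not listed in a current CRL"                     # (a) second and third bullets


if __name__ == "__main__":
    crl = parse_crl(pem_to_der(CRL_PEM))
    print(crl["issuer"], crl["this_update"], crl["next_update"], sep="\n")
    for serial in (0x71D926BC00000001, 0x71D926BC00000002):
        print("%x -> %s" % (serial, check_client_cert(serial, crl["issuer"], crl, utc(2001, 8, 29, 12, 0, 0))))
```

Run as is, the program prints the issuer of the page's CRL (ca1.hitachi.co.jp), its issue date and next issue date in August 2001, and then shows the one serial number the CRL lists being rejected while a neighbouring serial is accepted. Because the sample CRL's next issue date is long past, calling check_client_cert with the real current time rejects every certificate with "CRL has expired", which is the situation step 4 of (2) is there to prevent.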