X.509 certificate revocation

When X.509 certificates are issued, they are assigned a validity period that defines a start and an end (expiration) date and time for the certificate. A certificate is considered valid when it is used within that validity period. If the certificate is deemed no longer trustworthy before its expiration date, the issuing Certificate Authority (CA) can revoke it. This process is known as certificate revocation. Certificates are revoked for a number of reasons; some common ones are:
  • The keys associated with the certificate have been compromised.
  • Errors in the issued certificate.
  • A change in the usage of the certificate.
  • The certificate owner is no longer deemed trusted.
Two methods of obtaining revocation information are supported:
Certificate Revocation List (CRL)
A CRL is a list of the serial numbers of certificates that were issued and subsequently revoked by a given CA. CRLs are generally published at a periodic interval, or they may be published only when the CA revokes a certificate.

The CRL, like a certificate, is signed by the owning CA to ensure the authenticity of its contents, and it has a start and an end (expiration) date and time. The start date and time is known as thisUpdate and the end date and time is known as nextUpdate.

Supported CRLs can be obtained from a dedicated LDAP server or through a certificate's CRL Distribution Point (CDP) extension. HTTP Uniform Resource Identifier (URI) values within the CDP may be used.
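An added Go example using only the standard library (it is not part of the System SSL documentation or its API) that applies the CRL rules above: it constructs a throwaway CA, a leaf certificate carrying a CDP HTTP URI and an AIA OCSP URI (placeholder hostnames under example.test), and a CA-signed CRL that revokes the leaf, then verifies the CRL's signature and its thisUpdate..nextUpdate window before looking up the serial number.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// CheckCRL applies the rules above: verify the CRL under the issuing CA's key and confirm that now
// lies within thisUpdate..nextUpdate before looking the serial number up. A non-nil error means the
// CRL is unusable, so the status is undetermined rather than "not revoked".
func CheckCRL(cert, issuer *x509.Certificate, crl *x509.RevocationList, now time.Time) (bool, error) {
	if err := crl.CheckSignatureFrom(issuer); err != nil {
		return false, err
	}
	if now.Before(crl.ThisUpdate) || now.After(crl.NextUpdate) {
		return false, errors.New("CRL outside its thisUpdate..nextUpdate window")
	}
	for _, e := range crl.RevokedCertificates { // RevokedCertificateEntries on Go 1.21+
		if e.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return true, nil
		}
	}
	return false, nil
}

// NewFixture builds a constructed, throwaway PKI (placeholder names, not a real CA):
// a CA, a leaf carrying CDP and AIA/OCSP URIs, and a CA-signed CRL that revokes the leaf.
func NewFixture(now time.Time) (leaf, ca *x509.Certificate, crl *x509.RevocationList) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Root CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour), IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign} // crlSign: the CA may sign CRLs
	caDER, _ := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, pub, priv)
	ca, _ = x509.ParseCertificate(caDER)
	leafTmpl := &x509.Certificate{SerialNumber: big.NewInt(4242), Subject: pkix.Name{CommonName: "server.example.test"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		CRLDistributionPoints: []string{"http://crl.example.test/ca.crl"}, // CDP extension with an HTTP URI
		OCSPServer:            []string{"http://ocsp.example.test"}}      // AIA entry: OCSP access method + URI
	leafDER, _ := x509.CreateCertificate(rand.Reader, leafTmpl, ca, pub, priv)
	leaf, _ = x509.ParseCertificate(leafDER)
	crlTmpl := &x509.RevocationList{Number: big.NewInt(7), ThisUpdate: now.Add(-time.Minute), NextUpdate: now.Add(time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: leaf.SerialNumber, RevocationTime: now.Add(-time.Minute)}}}
	crlDER, _ := x509.CreateRevocationList(rand.Reader, crlTmpl, ca, priv)
	crl, _ = x509.ParseRevocationList(crlDER)
	return
}
```

A CRL that fails the signature check, or that is consulted outside its window, yields an error rather than a "not revoked" result; callers must not treat such a failed lookup as good status.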

System SSL uses the HTTP/1.1 protocol to send the HTTP CRL request and requires an HTTP/1.0 or HTTP/1.1 response. The HTTP response must include a valid Content-Length header field giving the length of the CRL in bytes.

For information about configuring your SSL application to perform CRL revocation checking for SSL secure connections, see SSL/TLS partner certificate revocation checking.

For information about utilizing CRL revocation information from a CMS application, see gsk_validate_certificate_mode().

Online Certificate Status Protocol (OCSP) responses
OCSP is an Internet protocol for obtaining the revocation status of an X.509 certificate. The protocol defines the data exchanged between the requester of the revocation status (the OCSP client) and the server that provides it (the OCSP responder). The OCSP responder delivers certificate revocation information in an OCSP response.

The OCSP response, like a CRL, is signed by the owning CA (or a designated CA) to ensure the authenticity of its contents. If the OCSP response signing certificate contains a key usage extension, one of the crlSign, digitalSignature, or nonRepudiation bits must be set. If it contains an extended key usage extension, the ocspSigning capability must be specified. The OCSP response also has a start and an end (expiration) date and time. The start date and time is known as thisUpdate and the end date and time is known as nextUpdate.

Supported OCSP responses can be obtained from a dedicated OCSP responder or from OCSP responders identified through a certificate's Authority Information Access (AIA) extension. An AIA extension may be used when it contains an entry with an OCSP access method and a URI access location. The AIA extension can contain multiple entries.

System SSL uses the HTTP/1.1 protocol to send the OCSP request and requires an HTTP/1.0 or HTTP/1.1 response. The HTTP response must include a valid Content-Length header field giving the length of the OCSP response in bytes.

For information about configuring your SSL application to perform OCSP revocation checking for SSL secure connections, see SSL/TLS partner certificate revocation checking.

For information about utilizing OCSP revocation information from a CMS application, see gsk_validate_certificate_mode().