X.509 certificate revocation
A certificate may be revoked for reasons such as:
- Encryption keys of the certificate have been compromised.
- Errors within an issued certificate.
- Change in usage of the certificate.
- Certificate owner is no longer deemed trusted.
- Certificate Revocation List (CRL)
  - A CRL is a list of revoked certificates (identified by serial number) that were issued and subsequently revoked by a given CA. CRLs are generally published at a periodic interval, or they can be published only when a certificate is revoked by the CA.
The CRL, like a certificate, is signed by the owning CA to ensure the authenticity of the CRL contents and has a start and end (expiration) date and time. The start date and time is known as thisUpdate and the end date and time is known as the nextUpdate.
Supported CRLs can be obtained from a dedicated LDAP server or through a certificate's CRL Distribution Point (CDP) extension. HTTP Uniform Resource Identifier (URI) values within the CDP may be used.
System SSL uses the HTTP/1.1 protocol to send the HTTP CRL request and requires an HTTP/1.0 or HTTP/1.1 protocol response. The HTTP response must include a valid content-length field that has the length of the CRL in bytes.
For information about configuring your SSL application to perform CRL revocation checking for SSL secure connections, see SSL/TLS partner certificate revocation checking.
For information about utilizing CRL revocation information from a CMS application, see gsk_validate_certificate_mode().
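As an added illustration (not System SSL code and not from this page), the following Python uses the `cryptography` library to apply the CRL checks just described: the owning CA's signature on the CRL, the thisUpdate/nextUpdate window, and the serial-number lookup. The CA, leaf certificates and CRL are constructed inside the example; the `cryptography` package is assumed to be installed.

```python
import datetime
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

UTC = datetime.timezone.utc

def _utc(obj, name):
    # cryptography >= 42 exposes tz-aware *_utc properties; older releases return naive UTC values.
    if hasattr(obj, name + "_utc"):
        return getattr(obj, name + "_utc")
    val = getattr(obj, name)
    return None if val is None else val.replace(tzinfo=UTC)

def crl_status(cert, crl, issuer_cert, now):
    """Return 'good', 'revoked', or 'error: ...' when the CRL must not be relied on."""
    if crl.issuer != issuer_cert.subject or cert.issuer != issuer_cert.subject:
        return "error: CRL issuer does not match the certificate issuer"
    if not crl.is_signature_valid(issuer_cert.public_key()):  # CRL is signed by the owning CA
        return "error: CRL signature does not verify with the CA public key"
    this_update, next_update = _utc(crl, "last_update"), _utc(crl, "next_update")
    if now < this_update:
        return "error: CRL thisUpdate is in the future"
    if next_update is not None and now >= next_update:
        return "error: CRL is past nextUpdate; a fresh CRL must be fetched"
    revoked = crl.get_revoked_certificate_by_serial_number(cert.serial_number)
    return "revoked" if revoked is not None else "good"

def build_demo():
    """Constructed data: a demo CA, two leaf certs, and a CRL issued on day 10 that revokes serial 3."""
    ca_key, leaf_key = ec.generate_private_key(ec.SECP256R1()), ec.generate_private_key(ec.SECP256R1())
    ca_name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Demo CA")])
    t0, day = datetime.datetime(2024, 1, 1, tzinfo=UTC), datetime.timedelta(days=1)
    def make_cert(cn, serial, key):
        return (x509.CertificateBuilder().issuer_name(ca_name)
                .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)]))
                .public_key(key.public_key()).serial_number(serial)
                .not_valid_before(t0).not_valid_after(t0 + 365 * day).sign(ca_key, hashes.SHA256()))
    entry = x509.RevokedCertificateBuilder().serial_number(3).revocation_date(t0 + 9 * day).build()
    crl = (x509.CertificateRevocationListBuilder().issuer_name(ca_name).add_revoked_certificate(entry)
           .last_update(t0 + 10 * day).next_update(t0 + 17 * day)  # thisUpdate / nextUpdate
           .sign(ca_key, hashes.SHA256()))
    ca_cert = make_cert("Demo CA", 1, ca_key)  # self-signed CA certificate
    return ca_cert, make_cert("good.example", 2, leaf_key), make_cert("bad.example", 3, leaf_key), crl

def run_demo():
    """Check both leaf certs inside the CRL window, and one of them after nextUpdate has passed."""
    ca_cert, good, bad, crl = build_demo()
    at = lambda d: datetime.datetime(2024, 1, d, tzinfo=UTC)
    return {"good": crl_status(good, crl, ca_cert, at(12)),
            "revoked": crl_status(bad, crl, ca_cert, at(12)),
            "stale": crl_status(good, crl, ca_cert, at(20))}
```

A stale CRL is reported as an error rather than as "good", since a client that keeps trusting a CRL past nextUpdate cannot learn about certificates revoked since it was published.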
- Online Certificate Status Protocol (OCSP) responses
  - OCSP is an internet protocol used for obtaining the revocation status of an X.509 certificate. The protocol defines the type of data that is exchanged between the requester of the revocation status (OCSP client) and the server providing the revocation status information (OCSP responder). Certificate revocation information is provided by the OCSP responder through an OCSP response.
Certificate revocation information is provided by the OCSP responder through an OCSP response.
The OCSP response, like a CRL, is signed by the owning CA (or designated CA) to ensure the authenticity of the OCSP response contents. If the OCSP response signing certificate contains a key usage extension, the crlSign, digitalSignature, or nonRepudiation bits must be set. If the OCSP response signing certificate contains an extended key usage extension, the ocspSigning capability must be specified. The OCSP response has a start and end (expiration) date and time. The start date and time is known as thisUpdate and the end date and time is known as the nextUpdate.
Supported OCSP responses can be obtained from a dedicated OCSP responder or through OCSP responders identified through a certificate's Authority Information Access (AIA) extension. AIA extensions may be used when the extension contains an entry with an OCSP access method and a URI access location. The AIA extension can contain multiple entries.
System SSL uses the HTTP/1.1 protocol to send the OCSP request and requires the OCSP response to use either an HTTP/1.0 or HTTP/1.1 protocol response. The HTTP response must include a valid content-length field that has the length of the OCSP response in bytes.
For information about configuring your SSL application to perform OCSP revocation checking for SSL secure connections, see SSL/TLS partner certificate revocation checking.
For information about utilizing OCSP revocation information from a CMS application, see gsk_validate_certificate_mode().