Revocation Checking By Red Hat Servers; Publishing Of Crls - Red Hat CERTIFICATE SYSTEM 7.1 - ADMINISTRATOR Administrator's Manual

About CRLs
A certificate can be revoked by administrators, agents, and end entities. Agents and
administrators (with agent privileges) can revoke certificates by using the forms provided in
the agent interface. End users can revoke certificates by using the forms provided in the
Revocation tab of the end-entity interface. Note that end users can revoke only their own
certificates, whereas agents and administrators can revoke any certificates issued by the
server. End users are also required to authenticate to the server in order to revoke their
certificate.
Whenever a certificate is revoked, the Certificate Manager updates the status of the
certificate in its internal database. This way, the server keeps track of all revoked
certificates and, when configured to do so, makes the list of revoked certificates
public (by publishing it to a central repository) to notify other users that the
certificates in the list are no longer valid.

Revocation Checking by Red Hat Servers

Because Red Hat servers currently cannot check the revocation status of a certificate, you
should use other forms of access control. For example, you can remove individual users
from access groups to prevent them from accessing the server.
Because CS can check the revocation status of the certificates that it issues, you do not need
to rely on other forms of access control.

Publishing of CRLs

The Certificate Manager can publish the CRL to a file, to an LDAP-compliant directory, or
to an OCSP responder. You can set up publishing to one or all of these methods and
configure how often updates are made.
For information about setting up publishing to any of these methods, see Chapter 16,
"Publishing."
For information on setting up an OCSP responder, see Chapter 5, "OCSP Responder."
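
What a relying party does with a CRL that has been published to a file, as an added example that is not taken from the Red Hat manual: it reads the revoked serial numbers and the nextUpdate time from the DER structure and treats a CRL past its nextUpdate as unusable. The function names and the sample CRL are constructed for illustration, and the CRL signature is not verified here; a real client must verify it against the CA certificate with a cryptographic library before trusting the list.

```python
from datetime import datetime, timezone

def tlv(buf, pos=0):  # read one DER element -> (tag, value, next_pos)
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:  # long form: low 7 bits give the number of length bytes
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n

def items(value, pos=0):  # yield the (tag, value) children of a constructed value
    while pos < len(value):
        tag, val, pos = tlv(value, pos)
        yield tag, val

def when(tag, val):  # UTCTime (0x17) or GeneralizedTime (0x18) -> aware datetime
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(val.decode(), fmt).replace(tzinfo=timezone.utc)

def parse_crl(der):
    """Return (next_update, revoked_serials). The CRL signature is NOT verified."""
    tbs = list(items(next(items(tlv(der)[1]))[1]))
    if tbs[0][0] == 0x02:  # optional version INTEGER
        tbs = tbs[1:]
    rest, next_update, revoked = tbs[3:], None, set()  # skip alg, issuer, thisUpdate
    if rest and rest[0][0] in (0x17, 0x18):
        next_update, rest = when(*rest[0]), rest[1:]
    if rest and rest[0][0] == 0x30:  # revokedCertificates
        for _, entry in items(rest[0][1]):
            revoked.add(int.from_bytes(next(items(entry))[1], "big", signed=True))
    return next_update, revoked

def status(der, serial, now):  # "stale" if nextUpdate is missing or in the past
    next_update, revoked = parse_crl(der)
    if next_update is None or now > next_update:
        return "stale"
    return "revoked" if serial in revoked else "good"

def enc(tag, *parts):  # minimal DER encoder, used only to build the sample below
    body = b"".join(parts)
    k = (len(body).bit_length() + 7) // 8
    head = bytes([len(body)]) if len(body) < 128 else bytes([0x80 | k]) + len(body).to_bytes(k, "big")
    return bytes([tag]) + head + body

# Constructed sample CRL (placeholder signature); serials 5 and 42 are revoked.
T = lambda s: enc(0x17, s.encode())
ALG = enc(0x30, enc(0x06, bytes.fromhex("2a864886f70d01010b")), enc(0x05))
NAME = enc(0x30, enc(0x31, enc(0x30, enc(0x06, bytes.fromhex("550403")), enc(0x0C, b"Demo CA"))))
REVOKED = enc(0x30, *(enc(0x30, enc(0x02, bytes([s])), T("250102000000Z")) for s in (5, 42)))
TBS = enc(0x30, enc(0x02, b"\x01"), ALG, NAME, T("250101000000Z"), T("250108000000Z"), REVOKED)
SAMPLE_CRL = enc(0x30, TBS, ALG, enc(0x03, b"\x00"))
```

The "stale" result is why the update interval configured for publishing matters: a client holding an old file cannot tell whether a certificate has been revoked since that CRL was issued.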
Red Hat Certificate System Administrator's Guide • September 2005
