Testing CMC Revoke; About CRLs - Red Hat CERTIFICATE SYSTEM 7.3 - ADMINISTRATION Administration Manual

NOTE
Surround values that include spaces in quotation marks.

14.2.2. Testing CMC Revoke

1. Create a CMC revocation request for an existing certificate.
   revoker -d /instance/alias -n nickname -i issuerName -s serialName -m reason -c comment
   For example, if the directory containing the agent certificate is /var/lib/rhpki-ca/alias, the nickname of the certificate is AgentCert, and the serial number of the certificate is 22, the command is as shown:
   revoker -d "/var/lib/rhpki-ca/alias" -n "ManagerAgentCert" -i "cn=agentAuthMgr" -s 22 -m 0 -c "test comment"
2. Open the end-entities page at https://localhost/ca/.
3. Select the Revocation tab.
4. Select the CMC Revoke link on the menu.
5. Paste the output from the revoker into the text area.
6. Remove -----BEGIN NEW CERTIFICATE REQUEST----- and -----END NEW CERTIFICATE REQUEST----- from the pasted content.
7. Click Submit.
8. The returned page should confirm that the correct certificate has been revoked.
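
Steps 5 and 6 can be prepared before pasting instead of editing the text area by hand. The shell function below is an added example, not part of the Red Hat manual; it assumes the revoker output was saved to a file (the name revoke-request.txt is hypothetical), and the sample request body is constructed placeholder data.

```shell
#!/bin/sh
# Added example: prepare saved revoker output for the CMC Revoke form (step 6).
# Intended use (file name is hypothetical):
#   strip_cmc_markers < revoke-request.txt

# Reads a request on stdin, writes only the base64 body on stdout.
strip_cmc_markers() {
    # Drop carriage returns, the BEGIN/END marker lines (any number of
    # dashes, optional trailing whitespace) and blank lines.
    body=$(tr -d '\r' \
        | grep -v -e '^-*BEGIN NEW CERTIFICATE REQUEST-*[[:space:]]*$' \
                  -e '^-*END NEW CERTIFICATE REQUEST-*[[:space:]]*$' \
        | grep -v '^[[:space:]]*$' || true)

    # Refuse to emit an empty body, so a truncated copy is caught
    # before it is submitted to the CA.
    if [ -z "$body" ]; then
        echo "no request body found" >&2
        return 1
    fi
    # Refuse anything that is not plain base64 text, for example a
    # shell prompt or an error message captured with the output.
    if printf '%s\n' "$body" | grep -q '[^A-Za-z0-9+/=]'; then
        echo "unexpected characters in request body" >&2
        return 1
    fi
    printf '%s\n' "$body"
}

# Constructed sample with CRLF line endings (placeholder body,
# not real revoker output).
sample_request() {
    printf '%s\r\n' \
        '-----BEGIN NEW CERTIFICATE REQUEST-----' \
        'Q09OU1RSVUNURUQtU0FNUExFLUJPRFktTElORS0x' \
        'Q09OU1RSVUNURUQtU0FNUExFLUJPRFktTElORS0y' \
        '-----END NEW CERTIFICATE REQUEST-----'
}

# Demonstration on the constructed sample: prints the two body lines.
sample_request | strip_cmc_markers
```

A non-zero exit status means the saved output should be regenerated or re-copied, not pasted.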

14.3. About CRLs

Server and client applications that use public-key certificates as ID tokens need access to information
about the validity of a certificate. Because one of the factors that determines the validity of a certificate
is its revocation status, these applications need to know whether the certificate being validated has
been revoked. The CA has a responsibility to do the following:
• Revoke the certificate if any of the certificate information becomes false.
• Make the revoked certificate status available to parties or applications that need to verify its validity
status.
Whenever a certificate is revoked, the Certificate Manager automatically updates the status of the
certificate in its internal database: it marks the copy of the certificate in its internal database as
revoked and, if the Certificate Manager is configured to remove the certificate from the database,
removes the revoked certificate from the publishing directory.