Revoking Certificates - Red Hat CERTIFICATE SYSTEM 7.3 - ADMINISTRATION Administration Manual


B.5.4. Revoking Certificates
Like a driver's license, a certificate specifies a period of time during which it is valid. Attempts to use a certificate for authentication before or after its validity period will fail. Managing certificate expirations is an essential part of the certificate management strategy. For example, an administrator may wish to be notified automatically when a certificate is about to expire so that an appropriate replacement process can be completed without disrupting the system operation.

Additionally, it may be necessary to revoke a certificate before it has expired, such as when an employee leaves a company or moves to a new job in a different unit within the company.

Certificate revocation can be handled in several different ways. Servers can be configured so that the authentication process checks the directory for the presence of the certificate being presented. When an administrator revokes a certificate, the certificate can be automatically removed from the directory, and subsequent authentication attempts with that certificate will fail, even though the certificate remains valid in every other respect. Alternatively, a list of revoked certificates, a certificate revocation list (CRL), can be published to the directory at regular intervals. The CRL can be checked as part of the authentication process. The issuing CA can also be checked directly each time a certificate is presented for authentication. This procedure is sometimes called real-time status checking.
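
The three checks described above (directory presence, CRL, real-time status), modelled in Python as an added example that is not part of the manual or of Certificate System. It shows that a certificate revoked between two CRL publications is still accepted by the CRL check until the next CRL appears. The `Cert`, `CA`, `authenticate` and `demo` names, the sample serial and times, and the next-update time used to reject an overdue CRL are assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

@dataclass
class Cert:
    serial: int
    not_before: datetime
    not_after: datetime

@dataclass
class CA:
    """Toy issuing CA (constructed model, not Certificate System code)."""
    directory: set = field(default_factory=set)  # certificates published to the directory
    revoked: set = field(default_factory=set)    # the CA's own, always-current status
    crl: frozenset = frozenset()                 # last CRL snapshot published
    crl_next_update: datetime = datetime.min     # assumed: when the next CRL is due

    def revoke(self, cert):
        self.revoked.add(cert.serial)
        self.directory.discard(cert.serial)      # automatic removal on revocation
    def publish_crl(self, now, interval):
        self.crl, self.crl_next_update = frozenset(self.revoked), now + interval

def authenticate(cert, ca, now, method):
    """Return (accepted, reason) for one authentication attempt."""
    if not cert.not_before <= now <= cert.not_after:
        return False, "outside validity period"
    if method == "directory":
        ok = cert.serial in ca.directory
        return ok, "present in directory" if ok else "not in directory"
    if method == "crl":
        if now > ca.crl_next_update:             # overdue CRL: fail closed
            return False, "CRL is stale"
        ok = cert.serial not in ca.crl
        return ok, "not on CRL" if ok else "listed on CRL"
    if method == "realtime":
        ok = cert.serial not in ca.revoked
        return ok, "CA reports good" if ok else "CA reports revoked"
    raise ValueError(f"unknown method: {method}")

def demo():
    t0, day, hour = datetime(2024, 1, 1), timedelta(days=1), timedelta(hours=1)
    cert = Cert(1001, t0, t0 + timedelta(days=365))  # constructed sample certificate
    ca = CA(directory={cert.serial})
    ca.publish_crl(t0, day)                      # CRL published, then...
    ca.revoke(cert)                              # ...the certificate is revoked
    before = {m: authenticate(cert, ca, t0 + hour, m) for m in ("directory", "crl", "realtime")}
    ca.publish_crl(t0 + day, day)                # next scheduled CRL
    return before, authenticate(cert, ca, t0 + day, "crl")
```
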