Revoking Certificates And Issuing Crls; About Revoking Certificates - Red Hat CERTIFICATE SYSTEM 8.0 - ADMINISTRATION Admin Manual

Chapter 6. Revoking Certificates and Issuing CRLs
The Certificate System provides methods for revoking certificates and for producing lists of revoked
certificates, called certificate revocation lists (CRLs). This chapter describes the methods for revoking
a certificate, describes CMC revocation, and provides details about CRLs and setting up CRLs.

6.1. About Revoking Certificates

Certificates can be revoked by an end user (the original owner of the certificate) or by a Certificate
Manager agent. End users can revoke certificates by using the revocation form provided in the end-
entities page. Agents can revoke end-entity certificates by using the appropriate form in the agent
services interface. Certificate-based authentication (SSL client authentication) is required in both cases.
An end user can revoke only certificates that contain the same subject name as the certificate
presented for authentication. After successful authentication, the server lists the certificates belonging
to the end user. The end user can then select the certificate to be revoked or can revoke all certificates
in the list. The end user can also specify additional details, such as the date of revocation and
revocation reason for each certificate or for the list as a whole.
Agents can revoke certificates based on a range of serial numbers or based on subject name
components. When the revocation request is submitted, agents receive a list of certificates from which
they can pick the ones to be revoked. For instructions on how agents revoke end-entity certificates,
see the Certificate System Agent's Guide.
When it receives the CRL, the Certificate Manager marks the corresponding certificate records in its
internal database as revoked, and, if configured to do so, removes the revoked certificates from the
publishing directory and updates the CRL in the publishing directory.
Server and client applications that use public-key certificates as ID tokens need access to information
about the validity of a certificate. Because one of the factors that determines the validity of a certificate
is its revocation status, these applications need to know whether the certificate being validated has
been revoked. The CA has a responsibility to do the following:
• Revoke the certificate if any of the certificate information becomes false.
• Make the revoked certificate status available to parties or applications that need to verify its validity
status.
Whenever a certificate is revoked, the Certificate Manager automatically updates the status of the
certificate in its internal database: it marks its copy of the certificate as revoked and, if the Certificate
Manager is configured to remove revoked certificates, it also removes the revoked certificate from the
publishing directory.
One of the standard methods for conveying the revocation status of certificates is by publishing a list
of revoked certificates, known as a certificate revocation list (CRL). A CRL is a publicly available list of
certificates that have been revoked.
The Certificate Manager can be configured to generate CRLs. These CRLs can be created to conform
to X.509 standards by enabling extension-specific modules in the CRL configuration. The server
supports standard CRL extensions through its CRL issuing points framework; see Section 6.3.3,
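The following Go program is an added example, not code from the Red Hat manual or from Certificate System; it uses only Go's standard library to show both halves of the CRL mechanism this section describes. A stand-in CA (the name "Example Certificate Manager CA" is hypothetical) signs a CRL whose entries carry a revocation date and a reason code, and a relying party verifies the CRL's signature and its thisUpdate/nextUpdate window before deciding whether a given serial number has been revoked. The serial numbers 1001, 1002 and 1003 and the 24-hour CRL validity are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

const ( // two CRLReason codes from the X.509 CRLReason enumeration (RFC 5280, section 5.3.1)
	ReasonKeyCompromise        = 1
	ReasonCessationOfOperation = 5
)

var oidReasonCode = asn1.ObjectIdentifier{2, 5, 29, 21} // id-ce-cRLReasons, the reasonCode entry extension

// buildIssuer creates a throwaway self-signed CA (hypothetical name) with the
// cRLSign key usage; it stands in for the Certificate Manager.
func buildIssuer() (*x509.Certificate, ed25519.PrivateKey, error) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Certificate Manager CA"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// issueCRL signs a DER CRL valid for 24 hours from now; revoked maps each serial
// to its CRLReason, carried in the reasonCode entry extension as an ASN.1 ENUMERATED.
func issueCRL(issuer *x509.Certificate, key ed25519.PrivateKey, revoked map[int64]int, now time.Time) ([]byte, error) {
	var entries []pkix.RevokedCertificate
	for serial, reason := range revoked {
		val, err := asn1.Marshal(asn1.Enumerated(reason))
		if err != nil {
			return nil, err
		}
		entries = append(entries, pkix.RevokedCertificate{
			SerialNumber:   big.NewInt(serial),
			RevocationTime: now,
			Extensions:     []pkix.Extension{{Id: oidReasonCode, Value: val}},
		})
	}
	tmpl := &x509.RevocationList{
		Number:              big.NewInt(1),
		ThisUpdate:          now,
		NextUpdate:          now.Add(24 * time.Hour),
		RevokedCertificates: entries,
	}
	return x509.CreateRevocationList(rand.Reader, tmpl, issuer, key)
}

// checkSerial is the relying-party side: verify the CRL signature against the issuer,
// reject a CRL outside its thisUpdate/nextUpdate window, then look the serial up.
// It returns (revoked, reason, err); absence from a valid CRL means "not revoked".
func checkSerial(issuer *x509.Certificate, crlDER []byte, serial int64, now time.Time) (bool, int, error) {
	rl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return false, 0, err
	}
	if err := rl.CheckSignatureFrom(issuer); err != nil {
		return false, 0, fmt.Errorf("CRL signature invalid: %w", err)
	}
	if now.Before(rl.ThisUpdate) || now.After(rl.NextUpdate) {
		return false, 0, fmt.Errorf("CRL not current: thisUpdate %s, nextUpdate %s", rl.ThisUpdate, rl.NextUpdate)
	}
	for _, rc := range rl.RevokedCertificates {
		if rc.SerialNumber.Int64() != serial {
			continue
		}
		reason := 0 // "unspecified" unless the reasonCode extension says otherwise
		for _, ext := range rc.Extensions {
			if ext.Id.Equal(oidReasonCode) {
				var e asn1.Enumerated
				if _, err := asn1.Unmarshal(ext.Value, &e); err != nil {
					return true, 0, err
				}
				reason = int(e)
			}
		}
		return true, reason, nil
	}
	return false, 0, nil
}
```

The design point worth noticing is in checkSerial: a serial that is absent from a current, correctly signed CRL is reported as not revoked, whereas a stale CRL or a bad signature is returned as an error rather than as "not revoked". A relying party that collapses those two outcomes would treat a CRL it could not trust as proof that nothing has been revoked.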