CRL: Certificate Revocation List
- a list of revoked certificates published by a CA or a delegated CRL issuer
- a mechanism for revoking (cancelling) a client-side certificate
- when issuing a certificate, the CA includes CRL information for that certificate in the certificate itself
- the CA may or may not include CDP information within the certificate
- during authentication, the system compares the user's certificate against the appropriate CRL
- if the certificate is determined to be valid, the system caches the certificate's attributes and applies them
- if the certificate is determined to be invalid, if the system cannot contact the appropriate CRL, or if the CRL is expired, the system denies the user access
CDP: CRL Distribution Point
- a location on an LDAP directory server or web server where the CA publishes CRLs
- the system periodically contacts the CDP to get an updated CRL
- the system downloads CRL information from the CDP at the interval specified in the CRL, at the interval you specify during CRL configuration, and when you manually download the CRL
- Use any of the following methods to notify the system of a certificate's CDP location:
  - Specify the CDP in the CA certificate
    - the CDP location may be included within the CA certificate
  - Specify the CDP in the client certificate
    - the CDP location may be included within the client certificate
  - Require the administrator to manually enter the CDP location
    - if neither the CA certificate nor the client certificate includes the CDP location, you must manually specify how to download the CRL object
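The revocation check described under CRL and the CA-embedded CDP described under CDP, as an added Go example that is not part of these notes: it builds a throwaway CA and a client certificate carrying a constructed CDP URL, signs a CRL that revokes that certificate, and applies the deny rules (no usable CRL, CRL not signed by the issuing CA, expired CRL, listed serial). The CA name, client name, serial numbers and the URL are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// CheckAgainstCRL applies the notes' access decision: deny when no usable CRL was obtained from the
// CDP, when the CRL is not signed by the issuing CA, when it is past NextUpdate, or when the serial is listed.
func CheckAgainstCRL(cert, issuer *x509.Certificate, crlDER []byte, now time.Time) error {
	crl, err := x509.ParseRevocationList(crlDER) // nil input (CDP unreachable, nothing cached) also fails here
	if err != nil || crl.CheckSignatureFrom(issuer) != nil {
		return errors.New("no usable CRL (unreachable, malformed, or not signed by the issuing CA): deny access")
	}
	if now.After(crl.NextUpdate) {
		return errors.New("CRL expired: deny access")
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return errors.New("certificate revoked: deny access")
		}
	}
	return nil // valid: the system may now cache the certificate's attributes and apply them
}

// BuildFixture: throwaway CA, client cert with a constructed CDP URL, and a CA-signed CRL revoking it (errors skipped: fixed inputs).
func BuildFixture() (ca, leaf *x509.Certificate, crlDER []byte) {
	now := time.Now()
	_, caKey, _ := ed25519.GenerateKey(rand.Reader)
	_, leafKey, _ := ed25519.GenerateKey(rand.Reader)
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour), IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
	caDER, _ := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, caKey.Public(), caKey)
	ca, _ = x509.ParseCertificate(caDER)
	leafTmpl := &x509.Certificate{SerialNumber: big.NewInt(4242), Subject: pkix.Name{CommonName: "alice"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		CRLDistributionPoints: []string{"http://crl.example.test/ca.crl"}} // CDP embedded by the CA (constructed URL)
	leafDER, _ := x509.CreateCertificate(rand.Reader, leafTmpl, ca, leafKey.Public(), caKey)
	leaf, _ = x509.ParseCertificate(leafDER)
	crlTmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: now.Add(-time.Minute), NextUpdate: now.Add(time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: leaf.SerialNumber, RevocationTime: now}}}
	crlDER, _ = x509.CreateRevocationList(rand.Reader, crlTmpl, ca, caKey)
	return
}
```

In a real deployment the CRL would be fetched from the URL in `leaf.CRLDistributionPoints` and you would additionally confirm that the CRL issuer matches the certificate issuer.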