
What is a CRL? - Opus One®


PKI Interoperability Lab: What is a CRL? (and how do I use one?)

A CRL is a Certificate Revocation List. When any certificate is issued, it has a validity period which is defined by the Certification Authority. Usually this is one or two years. Each time a certificate is presented as part of an authentication dialog, the current time should be checked against the validity period. If the certificate is past that period, or expired, then the authentication should fail.

However, sometimes certificates should not be honored even during their validity period. For example, if the private key associated with a certificate is lost or exposed, then any authentication using that certificate should be denied. Similarly, people will change jobs, names, and companies. When their certificates are replaced, the old certificates have to be marked somehow as no longer accepted. The purpose of the CRL is to list certificates which are valid, but are no longer to be accepted.

The starting point for the CRL is the CRL Distribution Point (the CDP), which is a field located in each certificate. The CDP is optional, but most well-run PKI installations include a CDP in each certificate. In the screen shot to the left, you can see the CDP we put in our iLabs demonstration certificates issued by the Microsoft Windows 2000 CA. In this case, the CRL has two distribution points, one available using an LDAP server and the other stored on an HTTP server.

Of course, having a pointer to the CDP is not sufficient to activate the CRL. In addition, the client applications (such as your WWW browser, a mail client, or other tools) must look at the CDP, retrieve the CRL, and look up the certificate in the CRL to be sure that it has not been revoked.

Few common applications (such as web browsers and email clients) actually check the CRL. Even those that do will often encounter certificates which have no Certificate Distribution Point entry. For example, if you are using a WWW browser on the public Internet, your browser does not, by default, check the CDP. And it doesn't matter if you change the setting: the largest and most important companies which sell certificates for WWW servers do not have a CDP, so even if you were interested in checking the CRL, you wouldn't know where to get it.

One of the few common applications which does check the CRL is Microsoft's Internet Explorer browser on the Windows platform. Although CRL checking is not the default, you can enable checking of the CRL by changing a setting in Internet Options.

A CRL, like a certificate, also has a validity date span. The date span ensures that the CRL is not used after a certain time (when it is likely to be out of date), but also allows the application checking the CRL to cache the CRL so that it doesn't have to keep downloading it over and over again. In the two screen shots below, you can see the CRL loaded on our Windows 2000 Certification Authority. Note that our CRL has four certificates on it. Those are stored with their Certification Authority-specific serial numbers and a revocation date; the long Distinguished Name field and all the other certificate fields can be omitted. This keeps the certificate distribution list fairly short. In addition, certificates which are no longer valid (i.e., they have expired) do not need to be held on the CRL.

If you care about revoked certificates, such as in a user-authentication environment, checking the CRL is particularly important. For example, in our iLabs demonstration testbed, the Check Point VPN gateway refused to authenticate end users unless it had access to a CRL so that it could tell whether a user was still authorized to connect or not.

For this demonstration, we have revoked the certificate of one of our web servers (the Microsoft IIS server running on …). If you try to connect to this server with a web browser which checks CRLs, you should be warned that you're doing something which is not secure. The web browser will also block you from seeing the page protected by the revoked certificate. You can try this from our w6, w7, and w8 client machines.
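The procedure the page describes (read the CDP out of the certificate, obtain the CRL, look the certificate's serial number up in it, and see the difference between a client that checks the CRL and one that never consults the CDP) can be reproduced end to end with a throwaway CA and the openssl command line. This is an added example, not code from the Opus One page or its iLabs testbed: it assumes openssl is on the PATH, the CDP URL http://pki.example.test/demo-ca.crl and the names "Demo CA" and "demo-server" are made up, and the CRL is read from a local file rather than fetched from the CDP.

```shell
#!/bin/sh
# Added example (not from the Opus One page): a throwaway CA, a server
# certificate carrying a CRL Distribution Point, a published CRL, and the
# difference between a CRL-checking client and one that ignores revocation.
# Assumptions: openssl on PATH; the CDP URL, "Demo CA" and "demo-server" are
# made up; the CRL is read from a local file instead of being fetched from the CDP.
set -e

WORK="${WORK:-$(mktemp -d)}"   # scratch directory holding keys, certs and the CRL
CFG="$WORK/ca.cnf"

# Minimal config for `openssl ca`; index.txt is the CA's record of issued and revoked serials.
write_config() {
  mkdir -p "$WORK/newcerts"
  : > "$WORK/index.txt"
  echo 01 > "$WORK/serial"
  echo 01 > "$WORK/crlnumber"
  cat > "$CFG" <<EOF
[ ca ]
default_ca       = demo_ca
[ demo_ca ]
dir              = $WORK
database         = $WORK/index.txt
new_certs_dir    = $WORK/newcerts
certificate      = $WORK/ca.pem
private_key      = $WORK/ca.key
serial           = $WORK/serial
crlnumber        = $WORK/crlnumber
default_md       = sha256
default_days     = 365
default_crl_days = 7
policy           = policy_any
x509_extensions  = server_ext
[ policy_any ]
commonName       = supplied
[ server_ext ]
# The CDP the page describes: where a client would fetch this CA's CRL (placeholder URL)
crlDistributionPoints = URI:http://pki.example.test/demo-ca.crl
[ req ]
distinguished_name = req_dn
x509_extensions    = ca_ext
[ req_dn ]
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage         = critical, keyCertSign, cRLSign
EOF
}

build_ca() {
  openssl req -config "$CFG" -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=Demo CA" -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
}

issue_server_cert() {
  openssl req -config "$CFG" -newkey rsa:2048 -nodes \
    -subj "/CN=demo-server" -keyout "$WORK/srv.key" -out "$WORK/srv.csr" 2>/dev/null
  openssl ca -config "$CFG" -batch -notext -in "$WORK/srv.csr" -out "$WORK/srv.pem" 2>/dev/null
}

# Sign a fresh CRL; its nextUpdate (default_crl_days) bounds how long a client may cache it.
publish_crl() {
  openssl ca -config "$CFG" -gencrl -out "$WORK/crl.pem" 2>/dev/null
}

revoke_server_cert() {
  openssl ca -config "$CFG" -revoke "$WORK/srv.pem" 2>/dev/null
  publish_crl   # a revocation only reaches clients once a new CRL is published
}

# Step 1 of a CRL-aware client: read the CDP URL out of the certificate.
cdp_of() {
  openssl x509 -in "$1" -noout -text | sed -n 's/^ *URI:\(.*\)$/\1/p'
}

# Step 2: validate the chain and look the leaf's serial number up in the CRL.
crl_status() {
  if openssl verify -crl_check -CAfile "$WORK/ca.pem" -CRLfile "$WORK/crl.pem" "$1" >/dev/null 2>&1
  then echo GOOD; else echo REVOKED_OR_INVALID; fi
}

# What a client that never consults the CDP sees: chain validation only.
status_without_crl_check() {
  if openssl verify -CAfile "$WORK/ca.pem" "$1" >/dev/null 2>&1
  then echo GOOD; else echo INVALID; fi
}

# Number of revoked serials on the CRL (it holds serial numbers and revocation dates only).
crl_entry_count() {
  openssl crl -in "$WORK/crl.pem" -noout -text | grep -c 'Serial Number:' || true
}

demo() {
  write_config; build_ca; issue_server_cert; publish_crl
  echo "CDP in certificate: $(cdp_of "$WORK/srv.pem")"
  echo "before revocation: crl_check=$(crl_status "$WORK/srv.pem") no_check=$(status_without_crl_check "$WORK/srv.pem") entries=$(crl_entry_count)"
  revoke_server_cert
  echo "after revocation:  crl_check=$(crl_status "$WORK/srv.pem") no_check=$(status_without_crl_check "$WORK/srv.pem") entries=$(crl_entry_count)"
  openssl crl -in "$WORK/crl.pem" -noout -lastupdate -nextupdate   # the CRL's own validity span
}

case "${1:-}" in run) demo ;; esac   # usage: sh crl_demo.sh run
```

Run it with `sh crl_demo.sh run`. Before revocation both checks report GOOD and the CRL is empty; after `revoke_server_cert` the `-crl_check` verification fails while the plain chain check still says GOOD, which is exactly the gap the page describes for browsers that never look at the CDP. The final line prints the CRL's lastUpdate and nextUpdate, the date span a client may cache it within.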
