Enabling Certificate Revocation List (CRL) in SSL
- Directives Needed to set up Certificate Revocation List (CRL)
- Directives Supported in Global Server and Virtual Host
- Related Information
Certificate revocation provides the ability to revoke a client certificate given to the IHS server by the browser, if the key has been compromised, or if access permission to the key has been revoked. CRL is a database which contains a list of certificates that have been revoked before their scheduled expiration date. If you want to enable certificate revocation in IBM HTTP Server (IHS), place the CRL database on an LDAP server. Once the CRL database is placed on an LDAP server, you can use the IHS configuration file to access it. The CRL database is used to determine if a requested client certificate has been revoked.
Directives Needed to Set up Certificate Revocation List (CRL):
The SSLClientAuth directive can include two options at once. These options are:
- SSLClientAuth 2 crl
- SSLClientAuth 1 crl
The "crl" option, turns crl on and off inside an SSL virtual host. If you specify "crl" as an option then you have elected to turn crl on. If "crl" is not specified as an option, then crl remains off. If the first option for SSLClientAuth is 0/none, then you cannot use the second option, "crl". If client authentication is not on, then crl processing will not take place.
Directives Supported in Global Server and Virtual Host
The following directives are supported in a global server and virtual host:
- SSLCRLHostname (IP Address/host of LDAP Server where CRL DB resides)
- SSLCRLPort (Port of LDAP server where CRL DB resides); default: 389
- SSLCRLUserID (User ID to send to the LDAP server where CRL DB resides - defaults to anonymous if bind is not specified.)
- SSLStashfile (Fully qualified path to file where the password for the user name on the LDAP server resides - not required
for anonymous bind. Use when a user ID is specified.)
Use the sslstash command, located in the bin directory of IBM HTTP Server, to create your
CRL password stashfile. The password you specify using the sslstash command should be the same one you use
to login to your LDAP server.
- Usage: sslstash [-c] <directory to password file and filename> <function name> <password>
- -c: Create a new stash file. If not specified, an existing file is updated
- File: Fully qualified name of the file to create or update
- Function: Function for which the password is used. Valid values are "crl" or "crypto"
- Password: The password to stash
| Related information... |
(Back to Top)