Working with revoked certificates
Digital certificates can be revoked by Certificate Authorities. You can check the revocation status of certificates using OCSP, or CRLs on LDAP servers, depending on platform. A CA revokes a certificate when it can no longer be trusted, for example because:
- The owner has moved to a different organization
- The private key is no longer secret
CAs publish revoked personal certificates in a Certificate Revocation List (CRL). CA certificates that have been revoked are published in an Authority Revocation List (ARL).
On UNIX, Linux® and Windows systems, WebSphere® MQ SSL support checks for revoked certificates using OCSP (Online Certificate Status Protocol) or using CRLs and ARLs on LDAP (Lightweight Directory Access Protocol) servers. OCSP is the preferred method. IBM® WebSphere MQ classes for Java and IBM WebSphere MQ classes for JMS cannot use the OCSP information in a client channel definition table file. However, you can configure OCSP as described in the section Using Online Certificate Status Protocol.
On z/OS and IBM i, WebSphere MQ SSL support checks for revoked certificates using CRLs and ARLs on LDAP servers only.
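The following example is added here to illustrate the decision the text describes; it is not IBM code and does not model WebSphere MQ internals. It asks an OCSP responder first, falls back to a CRL for personal certificates or an ARL for CA certificates, and refuses to report "good" from a list that is stale or was issued by a different CA. The fallback-on-unknown rule, the stale-list handling, the `Cert`/`RevocationList` types and all sample data are assumptions constructed for the example.

```python
# Added example (not IBM's code): decide a certificate's revocation status
# as the page describes it: OCSP first, then the CRL (end-entity certificates)
# or the ARL (CA certificates). The fallback-on-"unknown" rule and the
# stale-list handling are this example's assumptions, not documented
# WebSphere MQ behaviour.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Callable, FrozenSet, Optional


class Status(Enum):
    GOOD = "good"
    REVOKED = "revoked"
    UNDETERMINED = "undetermined"   # no trustworthy answer; never treat as GOOD


@dataclass(frozen=True)
class Cert:
    issuer: str          # distinguished name of the issuing CA
    serial: int
    is_ca: bool = False  # CA certificates are looked up in the ARL, not the CRL


@dataclass(frozen=True)
class RevocationList:
    """Models a CRL (personal certificates) or an ARL (CA certificates)."""
    issuer: str
    this_update: datetime
    next_update: datetime
    revoked_serials: FrozenSet[int]


OcspResponder = Callable[[Cert], Status]


def check_list(cert: Cert, rl: RevocationList, now: datetime) -> Status:
    """Look the certificate up in a CRL/ARL; refuse to answer from the wrong or a stale list."""
    if rl.issuer != cert.issuer:
        return Status.UNDETERMINED      # a list from another CA says nothing about this cert
    if not (rl.this_update <= now <= rl.next_update):
        return Status.UNDETERMINED      # expired or not-yet-valid list: absence proves nothing
    return Status.REVOKED if cert.serial in rl.revoked_serials else Status.GOOD


def check_status(cert: Cert, now: datetime, ocsp: Optional[OcspResponder] = None,
                 crl: Optional[RevocationList] = None,
                 arl: Optional[RevocationList] = None) -> Status:
    """OCSP is preferred; the CRL/ARL is consulted only when OCSP gives no definitive answer."""
    if ocsp is not None:
        try:
            answer = ocsp(cert)
        except Exception:               # responder unreachable or reply unusable
            answer = Status.UNDETERMINED
        if answer in (Status.GOOD, Status.REVOKED):
            return answer
    rl = arl if cert.is_ca else crl     # ARL for CA certificates, CRL for personal certificates
    if rl is None:
        return Status.UNDETERMINED
    return check_list(cert, rl, now)


def demo() -> dict:
    """Run the decision over constructed sample data and return each outcome by name."""
    now = datetime(2024, 1, 15, tzinfo=timezone.utc)            # constructed clock value
    ca_dn = "CN=Example CA"                                       # constructed issuer name
    fresh_crl = RevocationList(ca_dn, now - timedelta(days=1), now + timedelta(days=6), frozenset({0x1002}))
    stale_crl = RevocationList(ca_dn, now - timedelta(days=30), now - timedelta(days=23), frozenset())
    arl = RevocationList(ca_dn, now - timedelta(days=1), now + timedelta(days=6), frozenset({0x2001}))

    def responder(cert: Cert) -> Status:
        # constructed OCSP responder: knows only serial 0x1001, answers "unknown" otherwise
        return {0x1001: Status.GOOD}.get(cert.serial, Status.UNDETERMINED)

    def down(cert: Cert) -> Status:
        raise ConnectionError("OCSP responder unreachable")   # simulated outage

    user_ok = Cert(ca_dn, 0x1001)
    user_revoked = Cert(ca_dn, 0x1002)
    user_unlisted = Cert(ca_dn, 0x1003)
    sub_ca_revoked = Cert(ca_dn, 0x2001, is_ca=True)

    return {
        "ocsp_good": check_status(user_ok, now, ocsp=responder, crl=fresh_crl),
        "crl_fallback_revoked": check_status(user_revoked, now, ocsp=responder, crl=fresh_crl),
        "crl_fallback_good": check_status(user_unlisted, now, ocsp=responder, crl=fresh_crl),
        "stale_crl": check_status(user_unlisted, now, ocsp=down, crl=stale_crl),
        "arl_revoked": check_status(sub_ca_revoked, now, ocsp=down, arl=arl),
        "no_source": check_status(user_unlisted, now),
    }


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name}: {status.value}")
```

The point worth noting is the third state: when the responder is down and the only CRL is past its nextUpdate, the result is "undetermined", not "good". Whether a connection is then refused or allowed is a policy decision for the deployment, but the check itself should never turn a missing answer into a clean bill of health.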
For more information about Certificate Authorities, see Digital certificates.