Certificate Revocation

Certificate revocation checking is one phase of certificate validation that is done as part of session negotiation. The certificate chain is validated to ensure that the certificate is not revoked.

The following steps apply for certificate revocation checking:
  1. Check revocation status with a Certificate Revocation List (CRL) location.
    1. When a CRL location is configured through the Digital Certificate Manager (DCM), a CRL database (LDAP) server is queried for CRLs containing the revocation status of the certificate.
      • If the certificate is revoked, the certificate revocation phase of certificate validation is complete and the session negotiation fails.
      • Otherwise, continue with certificate revocation processing.
      Note: CRL locations are configured individually for each certificate authority (CA) in a local certificate store.
  2. Check revocation status with Online Certificate Status Protocol (OCSP).
    1. When an OCSP URL responder address is configured, query the responder.
      • If the certificate is revoked, the certificate revocation phase of certificate validation is complete and the session negotiation fails.
      • If the certificate is good, the certificate revocation phase of certificate validation is complete and certificate validation continues.
      • If the certificate revocation status is undetermined, continue with certificate revocation processing.
    2. When AIA checking is enabled and the certificate has a PKIK_AD_OCSP access method with a URI that indicates the HTTP location, query the responder.
      • If the certificate is revoked, the certificate revocation phase of certificate validation is complete and the session negotiation fails.
      • If the certificate is good, the certificate revocation phase of certificate validation is complete and certificate validation continues.
      • If the certificate revocation status is undetermined, the certificate revocation phase of certificate validation is complete and certificate validation continues.
    Note: If revocation status is undetermined, GSKit stores information about the certificate for which revocation status is undetermined and continues as if the status is not revoked. The application can retrieve undetermined certificate status information with gsk_attribute_get_buffer() and attribute GSK_UNKNOWNREVOCATIONSTATUS_SUBJECT and make a policy decision on whether to continue or end the connection.
Note: An application definition that is configured in DCM can override CRL and OCSP revocation checking that is configured by an application that uses the application definition.
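The decision flow above, written out as an added example that is not GSKit's own code: the CRL, configured-OCSP and AIA sources are stand-in lookups (constructed here) rather than real LDAP or HTTP queries, and the function returns both the phase outcome and the subjects whose status stayed undetermined, the information the page says an application retrieves with gsk_attribute_get_buffer(). The assumptions are the hypothetical Lookup type and that a certificate simply absent from the CRL counts as "continue" without being recorded as undetermined.

```python
from enum import Enum
from typing import Callable, List, Optional, Tuple


class Status(Enum):
    GOOD = "good"
    REVOKED = "revoked"
    UNDETERMINED = "undetermined"


class Outcome(Enum):
    SESSION_FAILS = "session_fails"   # negotiation stops in this phase
    CONTINUE = "continue"             # certificate validation goes on


# Hypothetical lookup: given a certificate subject, report its status.
Lookup = Callable[[str], Status]


def check_revocation(subject: str,
                     crl_lookup: Optional[Lookup] = None,
                     ocsp_lookup: Optional[Lookup] = None,
                     aia_lookup: Optional[Lookup] = None,
                     aia_enabled: bool = True) -> Tuple[Outcome, List[str]]:
    """Return (outcome, subjects whose status stayed undetermined).

    Order follows the page: CRL (only 'revoked' is final), then the
    configured OCSP responder, then the AIA OCSP responder if enabled.
    """
    undetermined: List[str] = []
    # Step 1: CRL. Revoked ends the phase; anything else keeps going.
    if crl_lookup is not None and crl_lookup(subject) == Status.REVOKED:
        return Outcome.SESSION_FAILS, undetermined
    # Step 2: OCSP sources, configured responder first, then AIA.
    queried_ocsp = False
    for lookup, enabled in ((ocsp_lookup, True), (aia_lookup, aia_enabled)):
        if lookup is None or not enabled:
            continue
        queried_ocsp = True
        status = lookup(subject)
        if status == Status.REVOKED:
            return Outcome.SESSION_FAILS, undetermined
        if status == Status.GOOD:
            return Outcome.CONTINUE, undetermined
        # Status.UNDETERMINED: try the next source.
    if queried_ocsp:
        # Fail-open as the page's note describes: record the subject so the
        # application can apply its own policy, then treat as not revoked.
        undetermined.append(subject)
    return Outcome.CONTINUE, undetermined
```

The application-side policy decision the note mentions is then a check of the returned list: an empty list means every source answered, a non-empty one means the connection is proceeding on an undetermined status.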