4.5 Certificate Revocation List (CRL) Tasks

Novell Certificate Server provides a system for managing Certificate Revocation Lists (CRLs). This is an optional system, but it must be implemented if you want to be able to revoke certificates created by the Organizational CA.

A CRL is a published list of revoked certificates and the reason the certificates were revoked.

4.5.1 Creating a CRL Container Manually

During the Certificate Server installation, a CRL container is created if the user has the appropriate rights to create it. If not, the CRL container can be created manually by someone with the appropriate rights after the installation is completed.

  1. Launch iManager.

  2. Log in to the eDirectory tree as an administrator with the appropriate rights.

    To view the appropriate rights for this task, see Section 7.0, Entry Rights Needed to Perform Tasks.

  3. From the Roles and Tasks menu, select Novell Certificate Server > Configure Certificate Authority.

    If a CRL container already exists, you are brought to the Organizational CA's property page.

    If no CRL container exists, this launches a wizard that creates a CRL container and a CRL Configuration object to go in the container.

  4. Follow the wizard to completion.

4.5.2 Deleting a CRL Container

Deleting a CRL container is possible, but it is not recommended.

The rule of thumb is don't delete a CRL container, CRL configuration object, CRL object, or CRL file until one issue date after the last certificate that contains a related distribution point has expired.

  1. Launch iManager.

  2. Log in to the eDirectory tree as an administrator with the appropriate rights.

    To view the appropriate rights for this task, see Section 7.0, Entry Rights Needed to Perform Tasks.

  3. From the Roles and Tasks menu, select eDirectory Administration > Delete Object.

  4. Browse for and select the CRL container you want to delete.

  5. Click OK > OK.

4.5.3 Creating a CRL Configuration Object

A CRL Configuration object can be created in the CRL container. This is an object that contains the configuration information for the CRL objects that are available in the eDirectory tree. Normally, you have only one CRL Configuration object in your tree. You might need multiple CRL Configuration objects if you are creating or rolling over a new Organizational CA, but only one CRL Configuration object can be used to create new certificates.

The CRL Configuration object resides in the CRL container.

  1. Launch Novell iManager.

  2. Log in to the eDirectory tree as an administrator with the appropriate rights.

    To view the appropriate rights for this task, see Section 7.0, Entry Rights Needed to Perform Tasks.

  3. From the Roles and Tasks menu, select Novell Certificate Server > Configure Certificate Authority and then do one of the following:

    • If no CRL container exists, this launches a wizard that creates a CRL container and a CRL Configuration object to go in the container. Follow the wizard to completion.
    • If a CRL container exists, but no CRL Configuration object exists, this will launch a wizard that will create a CRL Configuration object to go in the container. Follow the wizard to completion.
    • If a CRL container exists and a CRL Configuration object exists, you are brought to the Organizational CA's property page. Continue with Step 4.
  4. Click the CRL Configuration tab.

  5. Click New.

  6. Type the name of the new CRL configuration object, then click OK.

  7. Follow the wizard to completion.

4.5.4 Activating a CRL Configuration Object

Only one CRL Configuration object can be active in an eDirectory tree at one time. If you have more than one CRL Configuration object, you must choose which one to activate. By default, the first CRL Configuration object created is active.

  1. Launch Novell iManager.

  2. Log in to the eDirectory tree as an administrator with the appropriate rights.

    To view the appropriate rights for this task, see Section 7.0, Entry Rights Needed to Perform Tasks.

  3. From the Roles and Tasks menu, select Novell Certificate Server > Configure Certificate Authority.

  4. Click the CRL Configuration tab.

  5. Select a CRL Configuration object, then click Actions > Make Active.

  6. Click OK or Apply.

4.5.5 Viewing and/or Modifying a CRL Configuration Object's Properties

  1. Launch Novell iManager.

  2. Log in to the eDirectory tree as an administrator with the appropriate rights.

    To view the appropriate rights for this task, see Section 7.0, Entry Rights Needed to Perform Tasks.

  3. From the Roles and Tasks menu, select Novell Certificate Server > Configure Certificate Authority.

  4. Click the CRL Configuration tab.

  5. Select a CRL Configuration object, then click Edit.

    You can view or modify the CRL Configuration object's properties.

  6. Click OK or Apply.

LDAP Mapping

The standard LDAP type for Certificate Revocation Lists limits the size of the CRL to 64 KB. To change this limitation, you must create the CRL directory entries with Novell-defined types. In order for the LDAP distribution points to be found, you must map the standard LDAP types to the Novell LDAP types by doing the following:

  1. Launch Novell iManager.

  2. Log in to the eDirectory tree as an administrator with the appropriate rights.

  3. From the Roles and Tasks menu, select LDAP > LDAP Options.

  4. Click the View LDAP Groups tab, then select the LDAP group that needs to be mapped.

  5. Click the General tab, then select the Attribute Map page.

  6. Edit authorityRevocationList and set the Primary LDAP Attribute to ndspkiauthorityRevocationList.

  7. Edit certificateRevocationList and set the Primary LDAP Attribute to ndspkicertificateRevocationList.

  8. Edit deltaRevocationList and set the Primary LDAP Attribute to ndspkideltaRevocationList.

  9. Click OK.

  10. From the Roles and Tasks menu, select LDAP > LDAP Options.

  11. Click the View LDAP Servers tab, then select the server that hosts the LDAP distribution point.

  12. Click the General tab, then select the Information page.

  13. Click the refresh button.

    This restarts the LDAP service, which then begins using the correct mapping for the CRL attributes.

For more information on LDAP management, see Configuring LDAP Services for Novell eDirectory in the eDirectory Administration Guide.

HTTP Distribution Point Location

When configuring Certificate Server to use an HTTP distribution point, it is important that you specify a location that is accessible to users wanting to validate certificates. If a user cannot locate a CRL for a certificate containing a distribution point, the certificate will be considered invalid. The distribution point must be located in a directory that is available to the Web server specified by the HTTP address in the distribution point. If that directory is not on the same server that is hosting the Certificate Authority, the CRL must be moved manually, with a script, or created on a mounted directory.

4.5.6 Deleting a CRL Configuration Object

Deleting a CRL Configuration object is possible, but it is not recommended. When a CRL Configuration object is deleted, the server quits creating the CRL files. If a CRL file already exists in the location specified in the CRL object, certificate validation continues to use it until it expires. After it expires, all certificates that have a CRL distribution point that references that CRL file fail validation.
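The relying-party behaviour described here (a CRL that cannot be located, cannot be verified against the issuing CA, or has expired makes the certificate invalid; otherwise the serial is looked up together with its revocation reason), as an added Go example that uses only the standard library and is not part of this documentation or of Certificate Server. CheckSerial and MakeTestCRL are hypothetical names, and the CA and CRL are constructed fixtures built in code rather than objects from the Organizational CA.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// CheckSerial reports whether serial is listed in a DER CRL (with its RFC 5280 reason code).
// A corrupt, mis-signed or stale CRL is an error: the certificate must then be treated as invalid.
func CheckSerial(crlDER []byte, issuer *x509.Certificate, serial *big.Int, now time.Time) (bool, int, error) {
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil { // missing or unparsable CRL: validation cannot succeed
		return false, 0, err
	}
	if err := crl.CheckSignatureFrom(issuer); err != nil { // only the issuing CA may revoke
		return false, 0, err
	}
	if now.Before(crl.ThisUpdate) || now.After(crl.NextUpdate) { // past nextUpdate: CRL unusable
		return false, 0, errors.New("crl: expired or not yet valid")
	}
	for _, e := range crl.RevokedCertificateEntries {
		if e.SerialNumber.Cmp(serial) == 0 {
			return true, e.ReasonCode, nil // 1 = keyCompromise, 3 = affiliationChanged, ...
		}
	}
	return false, 0, nil
}

// MakeTestCRL builds a constructed throwaway CA and a CRL it signs that revokes serial 42 for keyCompromise (reason 1), valid seven days from issued. Fixture only.
func MakeTestCRL(issued time.Time) (*x509.Certificate, []byte) {
	priv := ed25519.NewKeyFromSeed(make([]byte, ed25519.SeedSize)) // fixed all-zero seed: test fixture, never reuse
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Constructed CA"}, IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign, NotBefore: issued, NotAfter: issued.AddDate(10, 0, 0)}
	ca := must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, priv.Public(), priv))))
	crl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: issued, NextUpdate: issued.AddDate(0, 0, 7),
		RevokedCertificateEntries: []x509.RevocationListEntry{{SerialNumber: big.NewInt(42), RevocationTime: issued, ReasonCode: 1}}}
	return ca, must(x509.CreateRevocationList(rand.Reader, crl, ca, priv))
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}
```

A CRL whose nextUpdate has passed is rejected outright, which is exactly why a CRL file left behind by a deleted CRL Configuration object only keeps certificates valid until it expires.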

The rule of thumb is don't delete a CRL container, CRL configuration object, CRL object, or CRL file until one issue date after the last certificate that contains a related distribution point has expired.

  1. Launch Novell iManager.

  2. Log in to the eDirectory tree as an administrator with the appropriate rights.

    To view the appropriate rights for this task, see Section 7.0, Entry Rights Needed to Perform Tasks.

  3. From the Roles and Tasks menu, select eDirectory Administration > Delete Object.

  4. Browse for and select the CRL Configuration object you want to delete.

  5. Click OK > OK.

4.5.7 Creating a CRL Object

This task allows you to create a CRL object (cRLDistributionPoint) to store third-party CRLs in eDirectory. This object can be created in any container in the eDirectory tree. But as a general rule, Novell CRL objects reside in a CRL Configuration object and do not need to be created manually. A CRL object is automatically created for you when you create a CRL Configuration object.

The CRL object contains a CRL file, which contains the detailed CRL information. For a Novell CRL object, the CRL file is automatically created and updated whenever the server issues a new one. For other CRL objects, you must import a CRL file from a third-party CA.

NOTE:  The term CRL Distribution Point is used in two ways. It is the eDirectory schema class name (cRLDistributionPoint) for the CRL object, and it is also used in general terms for the point where the CRL information is published.

To create a CRL object:

  1. Launch Novell iManager.

  2. Log in to the eDirectory tree as an administrator with the appropriate rights.

    To view the appropriate rights for this task, see Section 7.0, Entry Rights Needed to Perform Tasks.

  3. From the Roles and Tasks menu, select Novell Certificate Server > Create CRL Object.

  4. Type a name for the object and provide the context where you want the object to reside.

  5. Paste a copy of the CRL into the field or read it from a CRL file.

  6. Click OK to create the object.

4.5.8 Exporting a CRL File

You can export the CRL that is contained in the CRL Distribution Point object to a file.

To export a Novell CRL file:

  1. Launch Novell iManager.

  2. Log in to the eDirectory tree as an administrator with the appropriate rights.

    To view the appropriate rights for this task, see Section 7.0, Entry Rights Needed to Perform Tasks.

  3. From the Roles and Tasks menu, select Novell Certificate Server > Configure Certificate Authority.

  4. Click the CRL Configuration tab.

  5. Select a CRL Configuration object, then click Actions > Details.

  6. Click Export.

  7. Select an output format, then click Next.

  8. Click Save the Exported CRL to a File, click Save, then specify a location for the file.

  9. Click OK > OK.

To export a third-party CRL file:

  1. Launch Novell iManager.

  2. Log in to the eDirectory tree as an administrator with the appropriate rights.

    To view the appropriate rights for this task, see Section 7.0, Entry Rights Needed to Perform Tasks.

  3. From the Roles and Tasks menu, select eDirectory Administration > Modify Object.

  4. Browse for and select the CRL Configuration object, then click OK.

  5. Click Export.

  6. Select an output format, then click Next.

  7. Click Save the Exported CRL to a File, click Save, then specify a location for the file.

  8. Click OK > OK.

4.5.9 Replacing a CRL File

You can replace a CRL file, but it is not recommended.

To replace a CRL file:

  1. Launch Novell iManager.

  2. Log in to the eDirectory tree as an administrator with the appropriate rights.

    To view the appropriate rights for this task, see Section 7.0, Entry Rights Needed to Perform Tasks.

  3. From the Roles and Tasks menu, select eDirectory Administration > Modify Object.

  4. Browse to and click on the CRL Configuration object, then click OK.

  5. Click Replace.

  6. Click OK to continue.

  7. Browse for and select the new CRL file.

  8. Click OK.

NOTE:  If a CRL file does not exist on the CRL Configuration object, the Import button is displayed.

4.5.10 Viewing a CRL Object's Properties

To view a Novell CRL object's properties:

  1. Launch Novell iManager.

  2. Log in to the eDirectory tree as an administrator with the appropriate rights.

    To view the appropriate rights for this task, see Section 7.0, Entry Rights Needed to Perform Tasks.

  3. From the Roles and Tasks menu, select Novell Certificate Server > Configure Certificate Authority.

  4. Click the CRL Configuration tab.

  5. Select a CRL Configuration object, then click Actions > Details.

    You can now view the CRL object's properties.

  6. When you are finished viewing properties, click OK or Apply.

To view a third-party CRL object's properties:

  1. Launch Novell iManager.

  2. Log in to the eDirectory tree as an administrator with the appropriate rights.

    To view the appropriate rights for this task, see Section 7.0, Entry Rights Needed to Perform Tasks.

  3. From the Roles and Tasks menu, select eDirectory Administration > Modify Object.

  4. Browse to and click on the CRL object you want to view, then click OK.

  5. Click Edit.

    You can now view the CRL object's properties.

  6. When you are finished viewing properties, click OK or Apply.

4.5.11 Deleting a CRL Object

If you delete a CRL object, it is re-created the next time the server generates the CRL file. If you delete a CRL object that you created manually in iManager by importing a CRL file, it is gone permanently and any certificates that reference it are considered invalid.

The rule of thumb is don't delete a CRL container, CRL configuration object, CRL object, or CRL file until one issue date after the last certificate that contains a related distribution point has expired.

  1. Launch Novell iManager.

  2. Log in to the eDirectory tree as an administrator with the appropriate rights.

    To view the appropriate rights for this task, see Section 7.0, Entry Rights Needed to Perform Tasks.

  3. From the Roles and Tasks menu, click eDirectory Administration > Delete Object.

  4. Browse to and click on the CRL object you want to delete.

  5. Click OK > OK.