Novell Certificate Server provides a system for managing Certificate Revocation Lists (CRLs). This is an optional system, but it must be implemented if you want to be able to revoke certificates created by the Organizational CA.
A CRL is a published list of revoked certificates and the reason the certificates were revoked.
During the Certificate Server installation, a CRL container is created if the user has the appropriate rights to create it. If not, the CRL container can be created manually by someone with the appropriate rights after the installation is completed.
To create a CRL container:
1. Launch iManager.
2. Log in to the eDirectory tree as an administrator with the appropriate rights.
   To view the appropriate rights for this task, see Section B.0, Entry Rights Needed to Perform Tasks.
3. On the menu, select > .
   If a CRL container already exists, you are brought to the Organizational CA's property page.
   If no CRL container exists, this launches a wizard that creates a CRL container and a CRL Configuration object to go in the container.
4. Follow the wizard to completion.
Deleting a CRL container is possible, but it is not recommended.
The general rule is to not delete a CRL container, CRL configuration object, CRL object, or CRL file until one issue date after the last certificate that contains a related distribution point has expired.
To delete a CRL container:
1. Launch iManager.
2. Log in to the eDirectory tree as an administrator with the appropriate rights.
   To view the appropriate rights for this task, see Section B.0, Entry Rights Needed to Perform Tasks.
3. On the menu, select > .
4. Browse for and select the CRL container you want to delete.
5. Click > .

A CRL Configuration object can be created in the CRL container. This is an object that contains the configuration information for the CRL objects that are available in the eDirectory tree. Normally, you have only one CRL Configuration object in your tree. You might need multiple CRL Configuration objects if you are creating or rolling over a new Organizational CA, but only one CRL Configuration object can be used to create new certificates.
The CRL Configuration object resides in the CRL container.
To create a CRL Configuration object:
1. Launch iManager.
2. Log in to the eDirectory tree as an administrator with the appropriate rights.
   To view the appropriate rights for this task, see Section B.0, Entry Rights Needed to Perform Tasks.
3. On the menu, select > and then do one of the following:
   - If no CRL container exists, this launches a wizard that creates a CRL container and a CRL Configuration object to go in the container. Follow the wizard to completion.
   - If a CRL container exists, but no CRL Configuration object exists, this launches a wizard that creates a CRL Configuration object to go in the container. Follow the wizard to completion.
   - If a CRL container exists and a CRL Configuration object exists, you are brought to the Organizational CA's property page. Continue with Step 4.
4. Click the tab.
5. Click .
6. Type the name of the new CRL Configuration object, then click .
7. Follow the wizard to completion.
Only one CRL Configuration object can be active in an eDirectory tree at one time. If you have more than one CRL Configuration object, you must choose which one to activate. By default, the first CRL Configuration object created is active.
To activate a CRL Configuration object:
1. Launch iManager.
2. Log in to the eDirectory tree as an administrator with the appropriate rights.
   To view the appropriate rights for this task, see Section B.0, Entry Rights Needed to Perform Tasks.
3. On the menu, select > .
4. Click the tab.
5. Select a CRL Configuration object, then click .
6. Click or .

To view or modify a CRL Configuration object:
1. Launch iManager.
2. Log in to the eDirectory tree as an administrator with the appropriate rights.
   To view the appropriate rights for this task, see Section B.0, Entry Rights Needed to Perform Tasks.
3. On the menu, select > .
4. Click the tab.
5. Click the name of the CRL Configuration object you want to view or modify.
6. Click or .

The standard LDAP type for Certificate Revocation Lists limits the size of the CRL to 64 KB. To change this limitation, you must create the CRL directory entries with Novell-defined types. In order for the LDAP distribution points to be found, you must map the standard LDAP types to the Novell LDAP types by doing the following:
1. Launch iManager.
2. Log in to the eDirectory tree as an administrator with the appropriate rights.
3. On the menu, select > .
4. Click the tab, then select the LDAP group that needs to be mapped.
5. Click the tab, select the Attribute Map page, and make the following changes:
   - The default mapping from the primary LDAP attribute certificateRevocationList;binary (and secondary attribute certificateRevocationList) to the eDirectory attribute certificateAuthorityList should be changed to the eDirectory attribute ndspkiCertificateRevocationList (that is, change the eDirectory attribute from certificateAuthorityList to ndspkiCertificateRevocationList).
   - The default mapping from the primary LDAP attribute authorityRevocationList;binary (secondary attribute authorityRevocationList) to the eDirectory attribute authorityRevocationList should be changed to the eDirectory attribute ndspkiAuthorityRevocationList (that is, change the eDirectory attribute from authorityRevocationList to ndspkiAuthorityRevocationList).
   - The default mapping from the primary LDAP attribute deltaRevocationList;binary (secondary attribute deltaRevocationList) to the eDirectory attribute deltaRevocationList should be changed to the eDirectory attribute ndspkiDeltaRevocationList (that is, change the eDirectory attribute from deltaRevocationList to ndspkiDeltaRevocationList).
6. Click OK.
7. On the menu, select > .
8. Click the tab, then select the server that hosts the LDAP distribution point.
9. Click the tab, then select the Information page.
10. Click the refresh button.
    This restarts the LDAP service, and it begins using the correct mapping for the CRL attributes.

For more information on LDAP management, see “Configuring LDAP Services for Novell eDirectory” in the Novell eDirectory 8.8 SP7 Administration Guide.
When configuring Certificate Server to use an HTTP distribution point, it is important that you specify a location that is accessible to users wanting to validate certificates. If a user cannot locate a CRL for a certificate containing a distribution point, the certificate is considered invalid. The distribution point must be located in a directory that is available to the Web server specified by the HTTP address in the distribution point. If that directory is not on the same server that is hosting the Certificate Authority, the CRL must be moved manually, with a script, or created on a mounted directory.
Deleting a CRL Configuration object is possible, but it is not recommended. When a CRL Configuration object is deleted, the server quits creating the CRL files. If a CRL file already exists in the location specified in the CRL object, certificate validation continues to use it until it expires. After it expires, all certificates that have a CRL distribution point that references that CRL file fail validation.
The general rule is to not delete a CRL container, CRL configuration object, CRL object, or CRL file until one issue date after the last certificate that contains a related distribution point has expired.
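The three facts above that a relying party depends on (the 64 KB limit of the standard LDAP CRL type, a CRL that is used only until it expires, and the rule to keep CRL objects until one issue date after the last related certificate has expired) can be checked against an actual CRL. The following added example is not Novell Certificate Server or iManager code. It contains a small DER encoder that builds a constructed, unsigned sample CRL (the issuer name "Constructed CA", the serials, and the dates are made up), a minimal parser for the RFC 5280 CertificateList structure, and the checks themselves. It deliberately does not verify the CRL signature; a real validator must verify the signature against the issuing CA before acting on anything the parser returns.

```python
"""Relying-party checks against a DER-encoded X.509 CRL (RFC 5280 CertificateList).
Added example; the DER helpers, sample issuer, serials and dates are all constructed here.
No signature verification is performed: verify the CRL signature before trusting these results."""
from datetime import datetime, timedelta, timezone

LDAP_CRL_LIMIT = 64 * 1024  # size limit of the standard LDAP CRL attribute type


def _encode_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, body):
    """Encode one DER tag-length-value element."""
    return bytes([tag]) + _encode_len(len(body)) + body


def der_int(n):
    # (bit_length + 8) // 8 bytes keeps the sign bit clear for non-negative values.
    return tlv(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big"))


def der_utctime(dt):
    return tlv(0x17, dt.strftime("%y%m%d%H%M%SZ").encode("ascii"))


def read_tlv(buf, pos):
    """Decode the element at buf[pos]; return (tag, value, position after it)."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, header = first, 2
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + nbytes], "big")
        header = 2 + nbytes
    start = pos + header
    return tag, buf[start:start + length], start + length


def children(seq_body):
    """Split the body of a SEQUENCE or SET into its (tag, value) elements."""
    out, pos = [], 0
    while pos < len(seq_body):
        tag, val, pos = read_tlv(seq_body, pos)
        out.append((tag, val))
    return out


def parse_time(tag, val):
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"  # UTCTime / GeneralizedTime
    return datetime.strptime(val.decode("ascii"), fmt).replace(tzinfo=timezone.utc)


def parse_crl(der):
    """Return (thisUpdate, nextUpdate, {serial: revocationDate}) from a DER CRL."""
    tag, cert_list, _ = read_tlv(der, 0)
    tbs_tag, tbs, _ = read_tlv(cert_list, 0)
    if tag != 0x30 or tbs_tag != 0x30:
        raise ValueError("not a DER CertificateList")
    fields = children(tbs)
    i = 1 if fields[0][0] == 0x02 else 0  # optional version INTEGER
    i += 2                                 # signature AlgorithmIdentifier, issuer Name
    this_update = parse_time(*fields[i]); i += 1
    next_update = None
    if i < len(fields) and fields[i][0] in (0x17, 0x18):
        next_update = parse_time(*fields[i]); i += 1
    revoked = {}
    if i < len(fields) and fields[i][0] == 0x30:  # revokedCertificates SEQUENCE
        for _, entry in children(fields[i][1]):
            serial, date = children(entry)[:2]
            revoked[int.from_bytes(serial[1], "big", signed=True)] = parse_time(*date)
    return this_update, next_update, revoked


def fits_standard_ldap_type(der):
    """False means the CRL needs the Novell-defined LDAP types described in the text."""
    return len(der) <= LDAP_CRL_LIMIT


def check_certificate(der, serial, now):
    """'crl-expired', 'revoked' or 'good'; a CRL past nextUpdate cannot vouch for anything."""
    _, next_update, revoked = parse_crl(der)
    if next_update is not None and now > next_update:
        return "crl-expired"
    return "revoked" if serial in revoked else "good"


def earliest_safe_retirement(cert_expiries, issue_interval):
    """Page rule: keep CRL objects until one issue date after the last related certificate expires."""
    return max(cert_expiries) + issue_interval


def build_sample_crl(this_update, next_update, serials, padding=0):
    """Constructed, UNSIGNED sample CRL (zeroed signature); 'padding' extra entries inflate its size."""
    alg = tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d01010b")) + tlv(0x05, b""))  # sha256WithRSA
    issuer = tlv(0x30, tlv(0x31, tlv(0x30, tlv(0x06, bytes.fromhex("550403")) + tlv(0x0c, b"Constructed CA"))))
    serials = list(serials) + [100_000 + k for k in range(padding)]
    entries = b"".join(tlv(0x30, der_int(s) + der_utctime(this_update)) for s in serials)
    tbs = der_int(1) + alg + issuer + der_utctime(this_update) + der_utctime(next_update)
    if entries:
        tbs += tlv(0x30, entries)
    return tlv(0x30, tlv(0x30, tbs) + alg + tlv(0x03, b"\x00" * 33))


THIS_UPDATE = datetime(2024, 1, 1, tzinfo=timezone.utc)  # constructed dates
ISSUE_INTERVAL = timedelta(days=7)
NEXT_UPDATE = THIS_UPDATE + ISSUE_INTERVAL
CHECK_TIME, LATE_TIME = THIS_UPDATE + timedelta(days=2), THIS_UPDATE + timedelta(days=30)
SAMPLE_CRL = build_sample_crl(THIS_UPDATE, NEXT_UPDATE, [0x1001, 0x1002])  # two constructed revoked serials
```

Running `check_certificate(SAMPLE_CRL, 0x1001, CHECK_TIME)` returns "revoked", serial 0x1003 returns "good" while the CRL is current and "crl-expired" once `LATE_TIME` is past `NEXT_UPDATE`, and a CRL padded with a few thousand entries fails `fits_standard_ldap_type`, which is the situation the attribute mapping procedure exists for.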
To delete a CRL Configuration object:
1. Launch iManager.
2. Log in to the eDirectory tree as an administrator with the appropriate rights.
   To view the appropriate rights for this task, see Section B.0, Entry Rights Needed to Perform Tasks.
3. On the menu, select > .
4. Browse for and select the CRL Configuration object you want to delete.
5. Click > .

This task allows you to create a CRL object (cRLDistributionPoint) to store third-party CRLs in eDirectory. This object can be created in any container in the eDirectory tree. But as a general rule, Novell CRL objects reside in a CRL Configuration object and do not need to be created manually. A CRL object is automatically created for you when you create a CRL Configuration object.
The CRL object contains a CRL file, which contains the detailed CRL information. For a Novell CRL object, the CRL file is automatically created and updated whenever the server issues a new one. For other CRL objects, you must import a CRL file from a third-party CA.
NOTE: The term CRL Distribution Point is used in different ways. It is the eDirectory schema object name for the CRL object, and it can be used in general terms as the point where the CRL information is published.
To create a CRL object:
1. Launch iManager.
2. Log in to the eDirectory tree as an administrator with the appropriate rights.
   To view the appropriate rights for this task, see Section B.0, Entry Rights Needed to Perform Tasks.
3. On the menu, select > .
4. Type a name for the object and provide the context where you want the object to reside.
5. Paste a copy of the CRL into the field or read it from a CRL file.
6. Click to create the object.

You can export the CRL that is contained in the CRL Distribution Point object to a file.
To export a Novell CRL file:
1. Launch iManager.
2. Log in to the eDirectory tree as an administrator with the appropriate rights.
   To view the appropriate rights for this task, see Section B.0, Entry Rights Needed to Perform Tasks.
3. On the menu, select > .
4. Click the tab.
5. Click the name of the CRL Configuration object, then click .
6. Click .
7. Select an output format, then click .
8. To save the exported CRL to a file, click , then specify a location for the file.
9. Click > .

To export a third-party CRL file:
1. Launch iManager.
2. Log in to the eDirectory tree as an administrator with the appropriate rights.
   To view the appropriate rights for this task, see Section B.0, Entry Rights Needed to Perform Tasks.
3. On the menu, select > .
4. Browse for and select the CRL Configuration object, then click .
5. Click .
6. Select an output format, then click .
7. To save the exported CRL to a file, click , then specify a location for the file.
8. Click > .

You can replace a CRL file, but it is not recommended.
To replace a CRL file:
1. Launch iManager.
2. Log in to the eDirectory tree as an administrator with the appropriate rights.
   To view the appropriate rights for this task, see Section B.0, Entry Rights Needed to Perform Tasks.
3. On the menu, select > .
4. Click the tab.
5. Click the name of the CRL Configuration object, then click .
6. Click .
7. Click to continue.
8. Browse for and select the new CRL file.
9. Click .
If a CRL file does not exist on the CRL Configuration object, the button is displayed.

To view a Novell CRL object's properties:
1. Launch iManager.
2. Log in to the eDirectory tree as an administrator with the appropriate rights.
   To view the appropriate rights for this task, see Section B.0, Entry Rights Needed to Perform Tasks.
3. On the menu, select > .
4. Click the tab.
5. Click the name of the CRL Configuration object, then click .
   You can now view the CRL object's properties.
6. When you are finished viewing properties, click or .

To view a third-party CRL object's properties:
1. Launch iManager.
2. Log in to the eDirectory tree as an administrator with the appropriate rights.
   To view the appropriate rights for this task, see Section B.0, Entry Rights Needed to Perform Tasks.
3. On the menu, select > .
4. Browse to and click the CRL object you want to view, then click .
5. Click .
   You can now view the CRL object's properties.
6. When you are finished viewing properties, click or .

If you delete a CRL object, it is re-created the next time the server generates the CRL file. If you delete a CRL object that you created using iManager and import it, then it is gone permanently and any certificates that reference it are considered invalid.
The general rule is to not delete a CRL container, CRL configuration object, CRL object, or CRL file until one issue date after the last certificate that contains a related distribution point has expired.
To delete a CRL object:
1. Launch iManager.
2. Log in to the eDirectory tree as an administrator with the appropriate rights.
   To view the appropriate rights for this task, see Section B.0, Entry Rights Needed to Perform Tasks.
3. On the menu, click > .
4. Browse to and click the CRL object you want to delete.
5. Click > .