Certificate Revocation Lists (CRL)
If a key is compromised, a certificate must be revoked. Thus, every certificate must define an URI to its certificate revocation list. If the list contains the certificate, it has been revoked.
The CRL can be accessed via B2B. The B2B-CrlDownloadScheduler is executed periodically. It downloads the CRLs and provides them to the SecurityServer. The server maintains the revocation state of each certificate. The state is shown in the certificate overview.
The following revocation states are possible (compare class com.nextlevel.security.persistence.vo.RevocationState):
- AVAILABLE (GREEN): CRL is defined and certificate is not revoked. (And state is not OUT_OF_DATE)
- SELF_SIGNED (GREEN): Certificate is self-signed. Nobody can revoke it.
- MISSING (YELLOW): Certificate does not provide a CRL.
- OUT_OF_DATE (YELLOW): CRL is defined but has not been loaded for at least three days.
- UNDEFINED (YELLOW): Something unexpected happened. Ask your admin.
- REVOKED (RED): CRL is defined and certificate is revoked. (And state is not OUT_OF_DATE)
- NOT_APPLICABLE (GREY): If the entry is not a certificate but a private key.
A certificate can define multiple CRLs. In this case following holds for the revocation state:
- OUT_OF_DATE: At least one (default) / all (configurable) CRLs are out of date.
- REVOKED: At least one CRL revokes the certificate. (And state is not OUT_OF_DATE)
If a partner certificate is used, based on the revocation state of the certificate and all certificates in its chain a warning/error-code can result. If the certificate of the system or one in its chain would cause a revocation warning/error, only an information text is written to the security protocol. A partner certificate is used for signature verification (inbound) and encryption (outbound), a system certificate is used for signing (outbound) and decryption (inbound). The following Warning/ErrorCodes are available: (compare com.nextlevel.platform.security.server.rule.ErrorCodes)
- CW6.1 NO_CRL_DEFINITION_FOUND (except the root certificate)
- CW6.2 CRL_OUT_OF_DATE
- CW6.3 CERTIFICATE_REVOKED
Special handling for each of these codes can be configured via rulestore.
View Me Edit Me