Enabling Certificate Revocation Lists: IBM HTTP Server
System Administration IBM HTTP Server documentation

Enabling Certificate Revocation List (CRL) in SSL

Certificate revocation lets IBM HTTP Server (IHS) reject a client certificate presented by a browser when the certificate's private key has been compromised or the holder's access permission has been withdrawn. A Certificate Revocation List (CRL) is a database listing certificates that were revoked before their scheduled expiration date. To enable certificate revocation in IHS, place the CRL database on an LDAP server; IHS then reaches it through directives in the IHS configuration file and consults it to determine whether a client certificate presented during the SSL handshake has been revoked.

Directives Needed to Set up Certificate Revocation List (CRL):

The SSLClientAuth directive can take two options at once, for example:

  • SSLClientAuth 2 crl
  • SSLClientAuth 1 crl

The "crl" option turns CRL checking on or off inside an SSL virtual host: specifying "crl" turns it on, and omitting it leaves it off. If the first option of SSLClientAuth is 0 (none), the second option "crl" cannot be used, because CRL processing only takes place when client authentication is on.

Directives Supported in Global Server and Virtual Host

The following directives are supported in a global server and virtual host:

  • SSLCRLHostname (IP Address/host of LDAP Server where CRL DB resides)
  • SSLCRLPort (Port of LDAP server where CRL DB resides); default: 389
  • SSLCRLUserID (User ID to send to the LDAP server where the CRL DB resides; defaults to anonymous if no bind user is specified.)
  • SSLStashfile (Fully qualified path to the file holding the password for the LDAP user ID; not required for an anonymous bind, use it when a user ID is specified.) Use the sslstash command, located in the bin directory of IBM HTTP Server, to create the CRL password stash file. The password you give to sslstash must be the same one used to log in to the LDAP server.
    • Usage: sslstash [-c] <file> <function> <password>
    • -c: Create a new stash file. If not specified, an existing file is updated.
    • File: Fully qualified name of the file to create or update.
    • Function: Function for which the password is used. Valid values are "crl" or "crypto".
    • Password: The password to stash.
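The following is an added configuration example, not taken from the IBM documentation, showing the directives above wired together in one SSL virtual host. The host name, LDAP bind DN, key database and stash file paths are assumed values; SSLEnable and Keyfile are standard IHS directives that this page does not cover.

```apache
# Added example (not IBM's own configuration): an SSL virtual host that
# requires client certificates and checks them against a CRL held on an
# LDAP server. All host names, DNs and paths below are assumed values.

Listen 443
<VirtualHost *:443>
    ServerName www.example.com
    SSLEnable
    # Key database holding the server certificate and the CA certificates
    # that issued the client certificates (assumed path).
    Keyfile /opt/IBM/HTTPServer/ssl/key.kdb

    # Client authentication is required (2) and CRL checking is on.
    # "SSLClientAuth 0 crl" is not allowed: with client authentication
    # off, no CRL processing takes place, so revoked certificates would
    # never be caught.
    SSLClientAuth 2 crl

    # LDAP server holding the CRL database (389 is the default port).
    SSLCRLHostname ldap.example.com
    SSLCRLPort 389

    # Bind as a named user; leave SSLCRLUserID and SSLStashfile out
    # for an anonymous bind.
    SSLCRLUserID cn=crlreader,o=example
    # The stash file is created beforehand with the LDAP login password:
    #   /opt/IBM/HTTPServer/bin/sslstash -c /opt/IBM/HTTPServer/ssl/crl.sth crl <ldap-password>
    SSLStashfile /opt/IBM/HTTPServer/ssl/crl.sth
</VirtualHost>
```

Because the stash file holds the LDAP password, restrict its file permissions to the user the server runs as.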
 