217
Certificate revocation list
A certificate revocation list (CRL) is a list of serial numbers for certificates that have been revoked. A CRL
is created and signed by the CA that originally issued the certificates.
The CA publishes CRLs periodically to revoke certificates. Entities that are associated with the revoked
certificates should not be trusted.
The CA must revoke a certificate when any of the following conditions occurs:
•
The certificate subject name is changed.
•
The private key is compromised.
•
The association between the subject and CA is changed. For example, when an employee
terminates employment with an organization.
CA policy
A CA policy is a set of criteria that a CA follows to process certificate requests, to issue and revoke
certificates, and to publish CRLs. Typically, a CA advertises its policy in a certification practice statement
(CPS). You can obtain a CA policy through out-of-band means such as phone, disk, and email. Make
sure you understand the CA policy before you select a trusted CA for certificate request because different
CAs might use different policies.
PKI architecture
A PKI system consists of PKI entities, CAs, RAs and a certificate/CRL repository, as shown in
.
Figure 73
PKI architecture
•
PKI entity
—An end user using PKI certificates. The PKI entity can be an operator, an organization,
a device like a router or a switch, or a process running on a computer. PKI entities use SCEP to
communicate with the CA or RA.
•
CA
—Certification authority that grants and manages certificates. A CA issues certificates, defines
the certificate validity periods, and revokes certificates by publishing CRLs.
•
RA
—Registration authority, which offloads the CA by processing enrollment requests. The RA
accepts certificate requests, verifies user identity, and determines whether to ask the CA to issue
certificates.
The RA is optional in a PKI system. In cases when the CA operates over a wide geographical area
or when there is security concern over exposing the CA to direct network access, it is advisable to