129
12.4.1-B
CA revocation list
If applications rely on the certificate trust chain for authentication, you may face the problem that a certain certificate must no longer be accepted even though it has not expired yet. Typical examples are the certificate of an employee who leaves the company or the certificate installed on a stolen notebook. A certification authority (CA) can publish a certificate revocation list (CRL) to invalidate certificates ahead of time.
The CRL has to be installed on every system which could be a potential target of an unauthorised connection authenticated with a revoked certificate.
CRL distribution point
When issuing a new certificate, a URL can be included which will always serve an up-to-date copy of the current CRL. A system which is trying to verify the certificate can then fetch the current CRL itself.
When a new CRL has been issued, you must not forget to copy it to the server behind that URL.
Export certificate revocation list
You can download the CRL in PEM format here.
Create a new certificate revocation list
Every time you revoke a certificate, you have to generate a new CRL here. The CRL has to be signed by the CA with the root certificate.
Don't forget to install the new revocation list on all relevant systems. At the end of the CRL update process you can continue by installing the new CRL in SX-GATE's VPN server. Updating the VPN server CRL is also possible in the menu "Modules > Network > Settings".
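The following script is an added example and is not part of the SX-GATE manual or product; it reproduces the workflow of this section with a throwaway OpenSSL CA so that the three points above can be observed directly: a certificate carries a CRL distribution point URL, a verifier that has the CRL installed rejects a revoked certificate, and a revocation has no effect at all until a new CRL is generated and installed. The directory layout, the file and function names, the common names "alice"/"bob" and the placeholder URL http://crl.example.test/demo.crl are assumptions of the example.

```shell
#!/bin/sh
# Added example (not SX-GATE code): issue, publish CRL, revoke, regenerate CRL, re-verify.
set -e

CA_DIR=""   # filled in by setup_demo_ca; everything lives in a temporary directory

# Create a fresh CA: database files, OpenSSL config and a self-signed root that is
# allowed to sign both certificates and CRLs (keyCertSign, cRLSign).
setup_demo_ca() {
    CA_DIR=$(mktemp -d)
    mkdir "$CA_DIR/newcerts"
    : > "$CA_DIR/index.txt"
    echo 1000 > "$CA_DIR/serial"
    echo 01   > "$CA_DIR/crlnumber"
    cat > "$CA_DIR/ca.cnf" <<EOF
[ ca ]
default_ca       = demo_ca

[ demo_ca ]
dir              = $CA_DIR
database         = \$dir/index.txt
new_certs_dir    = \$dir/newcerts
serial           = \$dir/serial
crlnumber        = \$dir/crlnumber
certificate      = \$dir/ca.pem
private_key      = \$dir/ca.key
default_md       = sha256
default_days     = 365
default_crl_days = 7
policy           = cn_only
x509_extensions  = end_entity

[ cn_only ]
commonName       = supplied

[ end_entity ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, keyEncipherment
# CRL distribution point (placeholder URL): where verifiers fetch the current CRL
crlDistributionPoints = URI:http://crl.example.test/demo.crl

[ req ]
distinguished_name = dn

[ dn ]

[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage         = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=Demo Root CA" \
        -config "$CA_DIR/ca.cnf" -extensions v3_ca \
        -keyout "$CA_DIR/ca.key" -out "$CA_DIR/ca.pem" 2>/dev/null
}

# Issue a certificate for common name $1; result is $CA_DIR/$1.pem.
issue_cert() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$1" -config "$CA_DIR/ca.cnf" \
        -keyout "$CA_DIR/$1.key" -out "$CA_DIR/$1.csr" 2>/dev/null
    openssl ca -config "$CA_DIR/ca.cnf" -batch -notext \
        -in "$CA_DIR/$1.csr" -out "$CA_DIR/$1.pem" 2>/dev/null
}

# Sign a new CRL with the CA key. Must be rerun after every revocation, otherwise
# verifiers keep using the old list and still accept the revoked certificate.
gen_crl() {
    openssl ca -config "$CA_DIR/ca.cnf" -gencrl -out "$CA_DIR/demo.crl" 2>/dev/null
}

# Mark certificate $1 as revoked in the CA database (reason $2, default keyCompromise).
revoke_cert() {
    openssl ca -config "$CA_DIR/ca.cnf" -revoke "$CA_DIR/$1.pem" \
        -crl_reason "${2:-keyCompromise}" 2>/dev/null
}

# What a system with the CA certificate and the CRL installed decides about cert $1:
# prints "good", "revoked" (listed in the CRL) or "error" (any other failure).
crl_status() {
    if out=$(openssl verify -crl_check -CAfile "$CA_DIR/ca.pem" \
                 -CRLfile "$CA_DIR/demo.crl" "$1" 2>&1); then
        echo good
    else
        case "$out" in
            *"certificate revoked"*) echo revoked ;;
            *) echo error ;;
        esac
    fi
}

# Print the CRL distribution point URL embedded in certificate $1.
crl_dp() {
    openssl x509 -in "$1" -noout -text | sed -n 's/^[[:space:]]*URI:\(.*\)$/\1/p'
}

# Number of revoked entries in the current CRL.
crl_revoked_count() {
    openssl crl -in "$CA_DIR/demo.crl" -noout -text | grep -c 'Serial Number:' || true
}

# Walk through the manual's workflow.
setup_demo_ca
issue_cert alice
gen_crl
echo "distribution point:        $(crl_dp "$CA_DIR/alice.pem")"
echo "before revocation:         $(crl_status "$CA_DIR/alice.pem")"
revoke_cert alice keyCompromise
echo "revoked, old CRL in place: $(crl_status "$CA_DIR/alice.pem")"
gen_crl
echo "revoked, new CRL in place: $(crl_status "$CA_DIR/alice.pem")"
```

The script needs only the openssl command line tool and leaves its CA in a directory created by mktemp. The third line of output is the point of the "Create a new certificate revocation list" step: after the revocation the verifier still answers "good" until the freshly signed CRL has replaced the old one on every relevant system, which in SX-GATE means installing it in the VPN server as described above.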