3.7 Certificate Revocation List (CRL) Tasks

3.7.1 Creating a CRL Container Manually

During the Certificate Server installation, a CRL container is created if the user has the appropriate rights to create it. If not, the CRL container can be created manually by someone with the appropriate rights after the installation is completed.

  1. Launch iManager.

  2. Log in to the eDirectory tree as an administrator with the appropriate rights.

    To view the appropriate rights for this task, see Section B.0, Entry Rights Needed to Perform Tasks.

  3. On the Roles and Tasks menu, select NetIQ Certificate Server > Configure Certificate Authority.

    If a CRL container already exists, you are brought to the Organizational CA's property page.

    If no CRL container exists, this launches a wizard that creates a CRL container and a CRL Configuration object to go in the container.

  4. Follow the wizard to completion.

3.7.2 Deleting a CRL Container

Deleting a CRL container is possible, but it is not recommended.

The general rule is to not delete a CRL container, CRL configuration object, CRL object, or CRL file until one issue date after the last certificate that contains a related distribution point has expired.

  1. Launch iManager.

  2. Log in to the eDirectory tree as an administrator with the appropriate rights.

    To view the appropriate rights for this task, see Section B.0, Entry Rights Needed to Perform Tasks.

  3. On the Roles and Tasks menu, select Directory Administration > Delete Object.

  4. Browse for and select the CRL container you want to delete.

  5. Click OK > OK.

3.7.3 Creating a CRL Configuration Object

A CRL Configuration object can be created in the CRL container. This is an object that contains the configuration information for the CRL objects that are available in the eDirectory tree. Normally, you have only one CRL Configuration object in your tree. You might need multiple CRL Configuration objects if you are creating or rolling over a new Organizational CA, but only one CRL Configuration object can be used to create new certificates.

The CRL Configuration object resides in the CRL container.

  1. Launch iManager.

  2. Log in to the eDirectory tree as an administrator with the appropriate rights.

    To view the appropriate rights for this task, see Section B.0, Entry Rights Needed to Perform Tasks.

  3. On the Roles and Tasks menu, select NetIQ Certificate Server > Configure Certificate Authority and then do one of the following:

    • If no CRL container exists, this launches a wizard that creates a CRL container and a CRL Configuration object to go in the container. Follow the wizard to completion.

    • If a CRL container exists, but no CRL Configuration object exists, this launches a wizard that creates a CRL Configuration object to go in the container. Follow the wizard to completion.

    • If a CRL container exists and a CRL Configuration object exists, you are brought to the Organizational CA's property page. Continue with Step 4.

  4. Click the CRL tab.

  5. Click New.

  6. Type the name of the new CRL Configuration object, then click OK.

  7. Follow the wizard to completion.

3.7.4 Activating a CRL Configuration Object

Only one CRL Configuration object can be active in an eDirectory tree at one time. If you have more than one CRL Configuration object, you must choose which one to activate. By default, the first CRL Configuration object created is active.

  1. Launch iManager.

  2. Log in to the eDirectory tree as an administrator with the appropriate rights.

    To view the appropriate rights for this task, see Section B.0, Entry Rights Needed to Perform Tasks.

  3. On the Roles and Tasks menu, select NetIQ Certificate Server > Configure Certificate Authority.

  4. Click the CRL tab.

  5. Select a CRL Configuration object, then click Make Active.

  6. Click OK or Apply.

3.7.5 Viewing and Modifying a CRL Configuration Object's Properties

  1. Launch iManager.

  2. Log in to the eDirectory tree as an administrator with the appropriate rights.

    To view the appropriate rights for this task, see Section B.0, Entry Rights Needed to Perform Tasks.

  3. On the Roles and Tasks menu, select NetIQ Certificate Server > Configure Certificate Authority.

  4. Click the CRL tab.

  5. Click on the name of the CRL Configuration object you want to view or modify.

  6. Click OK or Apply.

LDAP Mapping

The standard LDAP type for Certificate Revocation Lists limits the size of the CRL to 64 KB. To change this limitation, you must create the CRL directory entries with NetIQ-defined types. In order for the LDAP distribution points to be found, you must map the standard LDAP types to the NetIQ LDAP types by doing the following:

  1. Launch iManager.

  2. Log in to the eDirectory tree as an administrator with the appropriate rights.

  3. On the Roles and Tasks menu, select LDAP > LDAP Options.

  4. Click the View LDAP Groups tab, then select the LDAP group that needs to be mapped.

  5. Click the General tab, select the Attribute Map page, and make the following changes:

    1. The default mapping from the primary LDAP attribute certificateRevocationList;binary (secondary attribute certificateRevocationList) to the eDirectory attribute certificateAuthorityList should be changed to the eDirectory attribute ndspkiCertificateRevocationList (that is, change the eDirectory attribute from certificateAuthorityList to ndspkiCertificateRevocationList).

    2. The default mapping from the primary LDAP attribute authorityRevocationList;binary (secondary attribute authorityRevocationList) to the eDirectory attribute authorityRevocationList should be changed to the eDirectory attribute ndspkiAuthorityRevocationList (that is, change the eDirectory attribute from authorityRevocationList to ndspkiAuthorityRevocationList).

    3. The default mapping from the primary LDAP attribute deltaRevocationList;binary (secondary attribute deltaRevocationList) to the eDirectory attribute deltaRevocationList should be changed to the eDirectory attribute ndspkiDeltaRevocationList (that is, change the eDirectory attribute from deltaRevocationList to ndspkiDeltaRevocationList).

  6. Click OK.

  7. On the Roles and Tasks menu, select LDAP > LDAP Options.

  8. Click the View LDAP Servers tab, then select the server that hosts the LDAP distribution point.

  9. Click the General tab, then select the Information page.

  10. Click the refresh button.

    This restarts the LDAP service, and it begins using the correct mapping for the CRL attributes.

For more information on LDAP management, see “Configuring LDAP Services for NetIQ eDirectory” in the NetIQ eDirectory 8.8 SP8 Administration Guide.

HTTP Distribution Point Location

When configuring Certificate Server to use an HTTP distribution point, it is important that you specify a location that is accessible to users wanting to validate certificates. If a user cannot locate a CRL for a certificate containing a distribution point, the certificate is considered invalid. The distribution point must be located in a directory that is available to the Web server specified by the HTTP address in the distribution point. If that directory is not on the same server that is hosting the Certificate Authority, the CRL must be moved manually, with a script, or created on a mounted directory.
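As an added example (not NetIQ's code or tooling), the following stdlib-only Python script inspects a DER-encoded CRL such as one exported in the task below, reporting its size against the 64 KB limit of the standard LDAP attribute type and whether its nextUpdate has passed, the point after which certificates that reference the distribution point fail validation. The CRL it builds is a constructed sample with a placeholder signature; `inspect_crl`, `build_sample_crl` and `LDAP_STANDARD_LIMIT` are names chosen here, and the inspector works on any DER CRL but does not verify the signature.

```python
from datetime import datetime, timezone
LDAP_STANDARD_LIMIT = 64 * 1024  # size cap of the standard LDAP CRL attribute type

def _der(tag, content):  # minimal DER TLV encoder, only used to build the sample
    n = len(content)
    if n < 128:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def _tlv(buf, pos):  # read one DER TLV at pos -> (tag, value, next position)
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:  # long-form length
        nb = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + nb], "big"), pos + nb
    return tag, buf[pos:pos + ln], pos + ln

def _time(tag, val):  # 0x17 UTCTime, 0x18 GeneralizedTime
    return datetime.strptime(val.decode(), "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def inspect_crl(crl_der, now=None):
    now = now or datetime.now(timezone.utc)
    _, outer, _ = _tlv(crl_der, 0)               # CertificateList
    _, tbs, _ = _tlv(outer, 0)                   # TBSCertList
    tag, val, pos = _tlv(tbs, 0)
    if tag == 0x02:                              # optional version INTEGER precedes signature alg
        tag, val, pos = _tlv(tbs, pos)
    _, _, pos = _tlv(tbs, pos)                   # issuer Name
    tag, val, pos = _tlv(tbs, pos)               # thisUpdate
    this_update, next_update, revoked = _time(tag, val), None, 0
    if pos < len(tbs):
        tag, val, pos = _tlv(tbs, pos)
        if tag in (0x17, 0x18):                  # optional nextUpdate
            next_update = _time(tag, val)
            tag, val, pos = _tlv(tbs, pos) if pos < len(tbs) else (None, b"", pos)
        if tag == 0x30:                          # optional revokedCertificates SEQUENCE
            p = 0
            while p < len(val):
                _, _, p = _tlv(val, p)
                revoked += 1
    return {"size": len(crl_der), "exceeds_ldap_standard_limit": len(crl_der) > LDAP_STANDARD_LIMIT,
            "this_update": this_update, "next_update": next_update, "revoked": revoked,
            "expired": next_update is not None and now > next_update}

def build_sample_crl(this_update, next_update, serials):  # constructed sample: UTCTime strings, serials < 128, placeholder signature (not a valid CRL)
    sig_alg = _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d01010b")) + _der(0x05, b""))  # sha256WithRSAEncryption
    issuer = _der(0x30, _der(0x31, _der(0x30, _der(0x06, b"\x55\x04\x03") + _der(0x0C, b"Sample CA"))))  # CN=Sample CA
    t = lambda s: _der(0x17, s.encode())
    entries = b"".join(_der(0x30, _der(0x02, bytes([s])) + t(this_update)) for s in serials)
    tbs = _der(0x30, _der(0x02, b"\x01") + sig_alg + issuer + t(this_update) + t(next_update) + _der(0x30, entries))
    return _der(0x30, tbs + sig_alg + _der(0x03, b"\x00" + bytes(8)))
```

To check a real exported file, pass `open("crl.der", "rb").read()` to `inspect_crl`; a CRL that trips `exceeds_ldap_standard_limit` is one the standard LDAP type described above cannot hold.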

3.7.6 Deleting a CRL Configuration Object

Deleting a CRL Configuration object is possible, but it is not recommended. When a CRL Configuration object is deleted, the server stops creating the CRL files. If a CRL file already exists in the location specified in the CRL object, certificate validation continues to use it until it expires. After it expires, all certificates that have a CRL distribution point that references that CRL file fail validation.

The general rule is to not delete a CRL container, CRL configuration object, CRL object, or CRL file until one issue date after the last certificate that contains a related distribution point has expired.

  1. Launch iManager.

  2. Log in to the eDirectory tree as an administrator with the appropriate rights.

    To view the appropriate rights for this task, see Section B.0, Entry Rights Needed to Perform Tasks.

  3. On the Roles and Tasks menu, select Directory Administration > Delete Object.

  4. Browse for and select the CRL Configuration object you want to delete.

  5. Click OK > OK.

3.7.7 Creating a CRL Object

This task allows you to create a CRL object (cRLDistributionPoint) to store third-party CRLs in eDirectory. This object can be created in any container in the eDirectory tree. But as a general rule, NetIQ CRL objects reside in a CRL Configuration object and do not need to be created manually. A CRL object is automatically created for you when you create a CRL Configuration object.

The CRL object contains a CRL file, which contains the detailed CRL information. For a NetIQ CRL object, the CRL file is automatically created and updated whenever the server issues a new one. For other CRL objects, you must import a CRL file from a third-party CA.

NOTE: The term CRL Distribution Point is used in different ways. It is the eDirectory schema object name for the CRL object, and it can also be used in general terms for the point where the CRL information is published.

To create a CRL object:

  1. Launch iManager.

  2. Log in to the eDirectory tree as an administrator with the appropriate rights.

    To view the appropriate rights for this task, see Section B.0, Entry Rights Needed to Perform Tasks.

  3. On the Roles and Tasks menu, select NetIQ Certificate Server > Create CRL Object.

  4. Type a name for the object and provide the context where you want the object to reside.

  5. Paste a copy of the CRL into the field or read it from a CRL file.

  6. Click Finish to create the object.

3.7.8 Exporting a CRL File

You can export the CRL that is contained in the CRL Distribution Point object to a file.

To export a NetIQ CRL file:

  1. Launch iManager.

  2. Log in to the eDirectory tree as an administrator with the appropriate rights.

    To view the appropriate rights for this task, see Section B.0, Entry Rights Needed to Perform Tasks.

  3. On the Roles and Tasks menu, select NetIQ Certificate Server > Configure Certificate Authority.

  4. Click the CRL tab.

  5. Click the name of the CRL Configuration object, then click Details.

  6. Click Export.

  7. Select an output format, then click Next.

  8. To save the exported CRL to a file, click Save, then specify a location for the file.

  9. Click OK > OK.

To export a third-party CRL file:

  1. Launch iManager.

  2. Log in to the eDirectory tree as an administrator with the appropriate rights.

    To view the appropriate rights for this task, see Section B.0, Entry Rights Needed to Perform Tasks.

  3. On the Roles and Tasks menu, select Directory Administration > Modify Object.

  4. Browse for and select the CRL Configuration object, then click OK.

  5. Click Export.

  6. Select an output format, then click Next.

  7. To save the exported CRL to a file, click Save, then specify a location for the file.

  8. Click OK > OK.

3.7.9 Replacing a CRL File

You can replace a CRL file, but it is not recommended.

  1. Launch iManager.

  2. Log in to the eDirectory tree as an administrator with the appropriate rights.

    To view the appropriate rights for this task, see Section B.0, Entry Rights Needed to Perform Tasks.

  3. On the Roles and Tasks menu, select NetIQ Certificate Server > Configure Certificate Authority.

  4. Click the CRL tab.

  5. Click the name of the CRL Configuration object, then click Details.

  6. Click Replace.

  7. Click OK to continue.

  8. Browse for and select the new CRL file.

  9. Click OK.

If a CRL file does not exist on the CRL Configuration object, the Import button is displayed.

3.7.10 Extending the Validity of a CRL File

The administrator can extend the validity of the CRL file using iManager. To extend the validity, perform the following steps:

  1. Launch iManager.

  2. Log in to the eDirectory tree as an administrator with the appropriate rights.

    To view the appropriate rights for this task, see Section B.0, Entry Rights Needed to Perform Tasks.

  3. On the Roles and Tasks menu, select NetIQ Certificate Server > Configure Certificate Authority.

  4. Click the CRL tab.

  5. Click the name of the CRL file.

  6. Under Next CRL Issuance, select Extend validity by following hours, then enter the number of hours in the adjacent field. You can enter any value from 1 to 12 hours in this field.

  7. Click Issue Now.

3.7.11 Viewing a CRL Object's Properties

To view a NetIQ CRL object's properties:

  1. Launch iManager.

  2. Log in to the eDirectory tree as an administrator with the appropriate rights.

    To view the appropriate rights for this task, see Section B.0, Entry Rights Needed to Perform Tasks.

  3. On the Roles and Tasks menu, select NetIQ Certificate Server > Configure Certificate Authority.

  4. Click the CRL tab.

  5. Click the name of the CRL Configuration object, then click Details.

    You can now view the CRL object's properties.

  6. When you are finished viewing properties, click OK or Apply.

To view a third-party CRL object's properties:

  1. Launch iManager.

  2. Log in to the eDirectory tree as an administrator with the appropriate rights.

    To view the appropriate rights for this task, see Section B.0, Entry Rights Needed to Perform Tasks.

  3. On the Roles and Tasks menu, select Directory Administration > Modify Object.

  4. Browse to and click the CRL object you want to view, then click OK.

  5. Click Edit.

    You can now view the CRL object's properties.

  6. When you are finished viewing properties, click OK or Apply.

3.7.12 Deleting a CRL Object

If you delete a CRL object that the server generates, it is re-created the next time the server generates the CRL file. If you delete a CRL object that you created using iManager and imported a CRL file into, it is gone permanently and any certificates that reference it are considered invalid.

The general rule is to not delete a CRL container, CRL configuration object, CRL object, or CRL file until one issue date after the last certificate that contains a related distribution point has expired.

  1. Launch iManager.

  2. Log in to the eDirectory tree as an administrator with the appropriate rights.

    To view the appropriate rights for this task, see Section B.0, Entry Rights Needed to Perform Tasks.

  3. On the Roles and Tasks menu, click Directory Administration > Delete Object.

  4. Browse to and click the CRL object you want to delete.

  5. Click OK > OK.