Administer > Configuration > Common Access Card > Configure Certificate Revocation

Configure Certificate Revocation

You will need to revoke a certificate if it has been compromised in any way or if an employee leaves your organization.

The following are the methods to revoke a certificate:

  • Configure CSA to use a Certificate Revocation List (CRL)
  • Configure CSA to Use a Certificate Revocation List Distribution Point (CRL DP)
  • Configure CSA to Use the Online Certificate Status Protocol (OCSP)

Configure CSA to Use a Certificate Revocation List

The following is an example of how to revoke a certificate that was generated by the certificate authority and publish a Certificate Revocation List (CRL) that contains this certificate ID in the list. The CRL must already exist. You will download and save it in a folder on the system where CSA is installed and point to its location using the ca-revocation-url parameters.

  1. Copy the CRL file to the system where CSA is installed (for example, copy it to the
    <crl_file_directory> directory).
  2. In the CSA_HOME\jboss-as\standalone\configuration\standalone.xml file, add the ca-revocation-url="<crl_file>" attribute to the <truststore path="<location of truststore>" keystore-password="<truststore password>"/> element.

    For example, change the following from:

    <authentication>
       <truststore path="<location of truststore>" keystore-password="<truststore password>"/>
    </authentication>

    to:

    <authentication>
       <truststore path="<location of truststore>" keystore-password="<truststore password>" ca-revocation-url="<crl_file>"/>
    </authentication>

  3. Log in to the Cloud Service Management Console or the Marketplace Portal using a revoked certificate. The Secure Connection Failed message should display in the browser.

After restarting CSA (described below), you should log in to the Cloud Service Management Console or the Marketplace Portal using a revoked certificate. The Secure Connection Failed message should display in the browser.

Configure CSA to Use a Certificate Revocation List Distribution Point

To enable a Certificate Revocation List Distribution Point (CRL DP), edit the CSA_HOME\jboss-as\standalone\configuration\
standalone.xml
file and enable revocation and CRL DP by adding the following lines under <system-properties>:

<property name="com.sun.net.ssl.checkRevocation" value="true"/>
<property name="com.sun.security.enableCRLDP" value="true"/>

Configure CSA to Use the Online Certificate Status Protocol

To enable the Online Certificate Status Protocol (OCSP), do the following:

  1. Edit the CSA_HOME\jboss-as\standalone\configuration\
    standalone.xml
    file and enable revocation by adding the following line under <system‑properties>:

    <property name="com.sun.net.ssl.checkRevocation" value="true"/>

  2. Edit the CSA_JRE_HOME\lib\security\java.security file and uncomment the following line (where CSA_JRE_HOME is the directory in which the JRE that is used by CSA is installed):

    ocsp.enable=true