Managing revoked certificates

The CA creates a Certificate Revocation List (CRL) and publishes it at a specified interval and location. The URL of that location is available in the CRL distribution point attribute of the certificate. In Sterling B2B Integrator, any automatically exchanged certificate must contain CRL distribution point information.

One of the security enhancements in Odette FTP version 2.0 is support for Certificate Revocation Lists (CRLs). The CA that issued a certificate can revoke it for reasons such as the following:
  • Certificate's private key is compromised.
  • Certificate is superseded.
  • Certificate is put on hold.
  • Certificate's privilege is withdrawn.
You can access the CRL distribution point and retrieve the CRL by scheduling the oftpCRLCheck system BP. The BP does the following tasks:
  1. Reads the CRL URL value from the CERTIFICATE_MAPPING table.
  2. Accesses the CRL URL and gets the CRL.
  3. Checks if any certificates that are currently being used are revoked.
If any certificate is found to be revoked, the business process updates the status of the revoked certificate in all certificate-related tables and notifies the admin about the revoked certificate through an email.
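The three steps of the oftpCRLCheck BP, and the revocation check that the automatic exchange performs, come down to reading the CRL distribution point from a certificate, validating the CRL and looking up the certificate's serial number in it. The following added example (not Sterling B2B Integrator code) does that with the Python `cryptography` library on test data built in memory: the CA, the certificates, the placeholder URL `http://crl.example.test/ca.crl` and the fixed clock `NOW` are all constructed for the example, so no network fetch takes place.

```python
import datetime
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import NameOID

CRL_URL = "http://crl.example.test/ca.crl"  # constructed placeholder, not a real distribution point
NOW = datetime.datetime(2024, 1, 1)          # fixed clock so the example is deterministic

def crl_distribution_points(cert):
    # URLs in the certificate's CRL distribution point extension ([] if the extension is absent)
    try:
        ext = cert.extensions.get_extension_for_class(x509.CRLDistributionPoints)
    except x509.ExtensionNotFound:
        return []
    return [n.value for dp in ext.value for n in (dp.full_name or [])
            if isinstance(n, x509.UniformResourceIdentifier)]

def check_revocation(cert, crl, ca_public_key, now=NOW):
    """Return (revoked, reason). A CRL not signed by the issuing CA, or past nextUpdate, is rejected."""
    if not crl.is_signature_valid(ca_public_key):
        raise ValueError("CRL signature does not verify against the issuing CA")
    if crl.next_update is not None and crl.next_update < now:
        raise ValueError("CRL is stale; fetch a fresh one before trusting its contents")
    entry = crl.get_revoked_certificate_by_serial_number(cert.serial_number)
    if entry is None:
        return False, None
    reason = next((e.value.reason for e in entry.extensions if isinstance(e.value, x509.CRLReason)),
                  x509.ReasonFlags.unspecified)  # the reason code is optional in a CRL entry
    return True, reason.value  # e.g. "keyCompromise", "superseded", "certificateHold"

def build_sample():
    """Constructed test data: a CA, one valid cert, one cert revoked for key compromise, and the CRL."""
    ca_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    ca_name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Test OFTP2 CA")])
    cdp = x509.CRLDistributionPoints([x509.DistributionPoint(
        full_name=[x509.UniformResourceIdentifier(CRL_URL)],
        relative_name=None, reasons=None, crl_issuer=None)])
    def issue(cn, serial):  # end-entity cert; reuses the CA key pair for brevity
        return (x509.CertificateBuilder()
                .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)]))
                .issuer_name(ca_name).public_key(ca_key.public_key()).serial_number(serial)
                .not_valid_before(NOW).not_valid_after(NOW + datetime.timedelta(days=365))
                .add_extension(cdp, critical=False).sign(ca_key, hashes.SHA256()))
    entry = (x509.RevokedCertificateBuilder().serial_number(1002).revocation_date(NOW)
             .add_extension(x509.CRLReason(x509.ReasonFlags.key_compromise), critical=False)
             .build())
    crl = (x509.CertificateRevocationListBuilder().issuer_name(ca_name).last_update(NOW)
           .next_update(NOW + datetime.timedelta(days=7)).add_revoked_certificate(entry)
           .sign(ca_key, hashes.SHA256()))
    return ca_key.public_key(), issue("partner-good", 1001), issue("partner-revoked", 1002), crl
```

A stale or unsigned CRL is treated as an error rather than as "not revoked", which is the safe default when the distribution point cannot be reached.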

During the automatic certificate exchange, the certificate that is exchanged is checked for revocation. If the certificate that is received is revoked, then it is not accepted. If the certificate that is sent is revoked, then it is not queued for sending.

If a certificate that is in use is found to be revoked, you must procure a new certificate from the CA and send it to the partners to replace the revoked certificate. The new certificate might or might not have the same CLID information. If the CLID information is different from the existing one, you must send the new CLID information to the trading partner before you send the new certificate. When you send the new certificate to the partner, set the value of the OFTPVirtualFilename parameter to ODETTE_CERTIFICATE_REPLACE in the related BP. This setting indicates that the new certificate is a replacement certificate.