Securing certificate revocation lists

The certificate authority (CA) that issues a digital certificate can revoke the certificate at any time, ending its validity period before the actual expiration date. For example, a certificate is revoked if the integrity of the certificate is compromised. The CA publishes a Certificate Revocation List (CRL) that contains a list of revoked certificates. CRLs are made publicly available so that anyone can verify whether a certificate that was used to sign a message is valid. The CRL ensures the integrity of the signatures, which are based on the expected level of trust that is associated with the type of certificate. In AS4 Microservice, you can also add and remove lists of revoked certificates that you and your partners use to authenticate certificates.

A Certificate Revocation List (CRL) is a time-stamped list of certificates that are revoked (or are no longer trusted) by the certificate authority (CA) that issued them. A CA is an independent and trusted third party that issues digital certificates to provide assurance that the public key of an entity truly belongs to that entity. On the CRL, the CA maintains a list of serial numbers of certificates that are revoked. The CRL also contains a statement that indicates why each certificate was revoked and the date that the revocation occurred. The list usually contains all certificates that were revoked within the lifetime of the CA.

Certificates that are expired are not the same as those certificates that are revoked. When the end validity date of a certificate is reached, the certificate is considered to be expired. The CRL is digitally signed to prevent tampering. The CRLs can become lengthy, so the CA usually has provisions for date- and time-stamping the list. Additionally, the CA issues delta lists, which detail the changes since the previous CRL was issued.

A certificate that is found in a CRL might not be expired, but it is no longer trusted by the certificate authority that issued the certificate. The CA might also add a certificate to the certificate revocation list if it believes that the client certificate is compromised.

Important: If you receive a signed message, verify that the certificate of the subject was not revoked.

In AS4 Microservice, you can specify the URL where the CRL is located, so partners can directly obtain the status of a certificate in real time. Otherwise, partners must download and cache CRLs published by the CA. One disadvantage of using an online CRL is that the CA must be available to the parties that rely on it during the certificate verification process.

In AS4 Microservice, the Certificate Revocation List feature manages the lists that are referenced by CA certificates. To ensure application reliability and mitigate failures that occur if the CRL is inaccessible or outdated, follow these guidelines:

  • Configure the CRL to be valid for a long enough period (the Publication interval that you specify in the New Certificate Revocation List) to allow for the recovery of the CA if there is a hardware or software failure.
  • Set a reasonable CRL overlap period (the Tolerance period that you specify in the New Certificate Revocation List) to protect against CRL publication or replication failures.
  • Keep the private key of the CA and a copy of the CRL in a secure offline location. This offsite backup ensures that you can sign and publish a valid CRL manually if a catastrophic hardware failure occurs.

You must establish a regular publication schedule for certificate revocation data so that an accurate CRL is always available to partners. When you establish this schedule, you must balance the need for accurate, up-to-date data against the impact that frequent downloads of new CRLs can have on partners.
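As an added illustration (not code from AS4 Microservice or its documentation), the following Python uses the `cryptography` library to do what a relying party must do with a published CRL before trusting a partner's signature: verify the CA's signature over the CRL, reject it once it is past nextUpdate plus a tolerance period, and only then look up the certificate's serial number and the recorded revocation reason. The CA, the partner certificates, the CRL contents and the TOLERANCE value are all constructed for the example.

```python
"""Verify a CA-signed CRL and check one certificate's revocation status against it."""
import datetime as dt
from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

# Plays the role of the page's "Tolerance period": how long past nextUpdate a cached
# CRL may still be used before it is treated as outdated (example value, not a default).
TOLERANCE = dt.timedelta(hours=24)


def check_revocation(crl_pem, ca_cert, cert, now):
    """Return (revoked, reason) for cert, or raise if the CRL itself cannot be trusted."""
    crl = x509.load_pem_x509_crl(crl_pem)
    # Only a CRL whose signature verifies under the issuing CA is evidence of anything.
    if crl.issuer != ca_cert.subject or not crl.is_signature_valid(ca_cert.public_key()):
        raise ValueError("CRL is not a validly signed CRL from this CA")
    # A stale CRL must fail closed: "not listed" proves nothing if the list is outdated.
    if now < crl.last_update or now > crl.next_update + TOLERANCE:
        raise ValueError("CRL is outside its validity window; fetch a fresh copy")
    entry = crl.get_revoked_certificate_by_serial_number(cert.serial_number)
    if entry is None:
        return False, None
    return True, entry.extensions.get_extension_for_class(x509.CRLReason).value.reason.name


def build_demo(now):
    """Constructed fixture: a CA, two partner certs, and a CRL revoking serial 42."""
    ca_key = ec.generate_private_key(ec.SECP256R1())
    ca_name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Example CA")])

    def make_cert(serial, cn, key, is_ca):
        return (x509.CertificateBuilder()
                .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)]))
                .issuer_name(ca_name).public_key(key.public_key()).serial_number(serial)
                .not_valid_before(now - dt.timedelta(days=1))
                .not_valid_after(now + dt.timedelta(days=365))
                .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
                .sign(ca_key, hashes.SHA256()))
    ca_cert = make_cert(1, "Example CA", ca_key, True)
    good = make_cert(41, "partner-a", ec.generate_private_key(ec.SECP256R1()), False)
    bad = make_cert(42, "partner-b", ec.generate_private_key(ec.SECP256R1()), False)
    entry = (x509.RevokedCertificateBuilder().serial_number(42)
             .revocation_date(now - dt.timedelta(hours=2))  # when serial 42 was revoked
             .add_extension(x509.CRLReason(x509.ReasonFlags.key_compromise), critical=False)
             .build())
    crl = (x509.CertificateRevocationListBuilder().issuer_name(ca_name)
           .last_update(now - dt.timedelta(hours=1))  # thisUpdate
           .next_update(now + dt.timedelta(days=7))   # end of the publication interval
           .add_revoked_certificate(entry).sign(ca_key, hashes.SHA256()))
    return ca_cert, good, bad, crl.public_bytes(serialization.Encoding.PEM)
```

Note that an unreachable or stale CRL raises rather than returning "not revoked", which is the fail-closed behaviour the guidelines above are designed to make rare.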

Note: After a certificate is revoked, it cannot be reinstated; this prevents an unauthorized reinstatement by someone who has gained unauthorized access to the private key. The key pair itself can be reused by issuing a new certificate if the keys are found to be secure after the certificate is revoked. In this situation, the old certificate is still void, but the new certificate that uses the old key pair is valid.

Important: Large CRLs can cause performance issues. If you give certificates a shorter lifespan, they must be renewed more frequently, but the CRL stays smaller. Another way to control CRL size is to partition a base CRL. In this way, you can control the amount of data that is replicated and the size of the data object that partners download when they perform revocation checks on certificates. You partition base CRLs by renewing the CA key. This creates a partitioned CRL for all certificates that are issued after the key is renewed.