Adding a certificate revocation list
The certificate authority (CA) that issues a digital certificate can revoke that certificate whenever its validity must end before its actual expiration date. For example, a certificate is revoked if its integrity is compromised. The CA publishes a Certificate Revocation List (CRL) that contains the revoked certificates. CRLs are made publicly available so that anyone can verify whether a certificate that was used to sign a message is still valid. The CRL ensures the integrity of the signatures, which are based on the expected level of trust that is associated with the type of certificate. In AS4 Microservice, you can also add the lists of revoked certificates that you and your partners use to authenticate certificates.
Before you begin
You can also import a CRL as a resource from another installation of AS4 Microservice. For more information, see Resource Commands.
About this task
In AS4 Microservice, the Certificate Revocation List feature manages the lists that are referenced by CA certificates.
Procedure
- Log in to AS4 Microservice with the necessary access credentials.
- Select Security > Certificate Revocation List.
- In the collections page, click Add.
- In Distribution point, enter the URL for the certificate revocation list.
- Optional: In Publication interval, define the interval at which this CRL is published, and select the unit of time (hours, days, or weeks). Configure the CRL to be valid for a long enough period to allow for the recovery of the CA if there is a hardware or software failure.
- Optional: In Tolerance period, set a reasonable overlap period to protect against CRL inaccessibility or replication failure, and select the unit of time (hours, days, or weeks).
- Click Save to save the digital certificate and return to the CA Certificates collection page.
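The following added example (not AS4 Microservice code) shows what the three settings above mean to a verifier: a CRL distribution point URL carried in the certificate, a publication interval that becomes the CRL's next-update time, and a tolerance period that extends how long a CRL that was not republished on time is still accepted. It builds a throwaway CA, two leaf certificates and a CRL with the cryptography library, so it runs offline; the distribution point URL is a constructed placeholder and the "undetermined" status is this example's own name for "no usable CRL", which a signing system should treat as a failure rather than as "good".

```python
from datetime import datetime, timedelta, timezone
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec

# Constructed placeholder: the URL a partner CA would list in its certificates.
DISTRIBUTION_POINT = "http://crl.example.invalid/ca.crl"


def _utc(dt):
    """Normalise naive (older cryptography versions) and aware datetimes to UTC."""
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)


def crl_next_update(crl):
    nu = getattr(crl, "next_update_utc", None)  # newer releases expose *_utc
    return _utc(nu if nu is not None else crl.next_update)


def build_ca():
    """Self-signed demo CA (constructed, not a real partner CA)."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Demo Partner CA")])
    now = datetime.now(timezone.utc)
    cert = (x509.CertificateBuilder()
            .subject_name(name).issuer_name(name).public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(now - timedelta(days=1))
            .not_valid_after(now + timedelta(days=365))
            .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
            .sign(key, hashes.SHA256()))
    return key, cert


def issue_leaf(ca_key, ca_cert, common_name):
    """Leaf certificate that points verifiers at the CA's CRL distribution point."""
    key = ec.generate_private_key(ec.SECP256R1())
    now = datetime.now(timezone.utc)
    dp = x509.DistributionPoint([x509.UniformResourceIdentifier(DISTRIBUTION_POINT)],
                                None, None, None)
    return (x509.CertificateBuilder()
            .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)]))
            .issuer_name(ca_cert.subject).public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(now - timedelta(days=1))
            .not_valid_after(now + timedelta(days=365))
            .add_extension(x509.CRLDistributionPoints([dp]), critical=False)
            .sign(ca_key, hashes.SHA256()))


def build_crl(ca_key, ca_cert, revoked_serials, this_update, publication_interval):
    """The CA's CRL: next_update = this_update + publication interval."""
    builder = (x509.CertificateRevocationListBuilder()
               .issuer_name(ca_cert.subject)
               .last_update(this_update)
               .next_update(this_update + publication_interval))
    for serial in revoked_serials:
        builder = builder.add_revoked_certificate(
            x509.RevokedCertificateBuilder()
            .serial_number(serial).revocation_date(this_update).build())
    return builder.sign(ca_key, hashes.SHA256())


def distribution_points(cert):
    """URLs a verifier would fetch the CRL from (the 'Distribution point' setting)."""
    ext = cert.extensions.get_extension_for_class(x509.CRLDistributionPoints).value
    return [gn.value for dp in ext for gn in (dp.full_name or [])
            if isinstance(gn, x509.UniformResourceIdentifier)]


def check_revocation(cert, crl, ca_cert, now, tolerance):
    """Return (status, reason). The tolerance period extends next_update so a CRL
    that is late to republish is still usable for a bounded time, after which the
    verifier must report that it cannot determine revocation status."""
    if not crl.is_signature_valid(ca_cert.public_key()):
        return "undetermined", "CRL signature does not verify against the CA key"
    if crl.issuer != cert.issuer:
        return "undetermined", "CRL issuer does not match certificate issuer"
    if now > crl_next_update(crl) + tolerance:
        return "undetermined", "CRL is stale beyond the tolerance period"
    if crl.get_revoked_certificate_by_serial_number(cert.serial_number) is not None:
        return "revoked", "serial number is listed in the CRL"
    return "good", "serial number is not listed in the CRL"


def demo():
    ca_key, ca_cert = build_ca()
    good = issue_leaf(ca_key, ca_cert, "partner-good")
    bad = issue_leaf(ca_key, ca_cert, "partner-revoked")
    issued = datetime.now(timezone.utc).replace(microsecond=0)  # CRL times are whole seconds
    crl = build_crl(ca_key, ca_cert, [bad.serial_number], issued, timedelta(hours=24))
    tol = timedelta(hours=6)
    hours = lambda h: issued + timedelta(hours=h)
    return {
        "dp": distribution_points(good),
        "good_now": check_revocation(good, crl, ca_cert, hours(1), tol)[0],
        "bad_now": check_revocation(bad, crl, ca_cert, hours(1), tol)[0],
        "late_within_tolerance": check_revocation(good, crl, ca_cert, hours(27), tol)[0],
        "stale": check_revocation(good, crl, ca_cert, hours(31), tol)[0],
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The fourth and fifth results are the ones the tolerance period is about: at 27 hours the CRL's 24-hour publication interval has passed but the 6-hour tolerance still accepts it, while at 31 hours the verifier refuses to vouch for the certificate at all. Pick the tolerance to cover realistic CRL outages or replication lag, not so long that a revoked certificate keeps working for days.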