Certificate revocation

Certificate revocation checking is one phase of certificate validation that is done as part of session negotiation. The certificate chain is validated to ensure that the certificate is not revoked.

The following steps apply for certificate revocation checking:
  1. Check revocation status with a Certificate Revocation List (CRL) location.
    1. When a CRL location is configured through the Digital Certificate Manager (DCM), a CRL database (LDAP) server is queried for CRLs containing the revocation status of the certificate.
      • If the certificate is revoked, the certificate revocation phase of certificate validation is complete and the session negotiation fails.
      • Otherwise, continue with certificate revocation processing.
      Note: CRL locations are configured individually for each certificate authority (CA) in a local certificate store.
  2. Check revocation status with Online Certificate Status Protocol (OCSP).

    When both URL and AIA checking are enabled, the order in which the responders are queried is determined by the Global Security Kit (GSKit) API attribute, GSK_OCSP_CHECK_AIA_FIRST. The default is to check the URL responder address first.

    1. If a client session enables certificate status request processing, then the client uses a stapled OCSP response received from the server to determine revocation status first. This step only applies to client session negotiation using TLS protocols TLSv1.3 or TLSv1.2.
      • If the client requires certificate status request processing and the server's certificate includes the feature extension defined in RFC 7633 indicating that the server must staple, the client fails the handshake when a stapled OCSP response is not received from the server. This completes the certificate revocation phase of certificate validation and the session negotiation fails.
      • If the certificate is revoked in the stapled OCSP response, the certificate revocation phase of certificate validation is complete and the session negotiation fails.
      • If the certificate is good in the stapled OCSP response, the certificate revocation phase of certificate validation is complete and certificate validation continues.
      • If the certificate revocation status is undetermined from the stapled OCSP response, the certificate revocation phase of certificate validation is complete and certificate validation continues.
    2. When an OCSP URL responder address is configured, query the responder.
      • If the certificate is revoked, the certificate revocation phase of certificate validation is complete and the session negotiation fails.
      • If the certificate is good, the certificate revocation phase of certificate validation is complete and certificate validation continues.
      • If the certificate revocation status is undetermined, continue with certificate revocation processing.
    3. When AIA checking is enabled and the certificate has a PKIK_AD_OCSP access method with a URI that indicates the HTTP location, query the responder.
      • If the certificate is revoked, the certificate revocation phase of certificate validation is complete and the session negotiation fails.
      • If the certificate is good, the certificate revocation phase of certificate validation is complete and certificate validation continues.
      • If the certificate revocation status is undetermined, the certificate revocation phase of certificate validation is complete and certificate validation continues.
    Note: If revocation status is undetermined, GSKit stores information about the certificate for which revocation status is undetermined and continues as if the status is not revoked. The application can retrieve undetermined certificate status information with gsk_attribute_get_buffer() and attribute GSK_UNKNOWNREVOCATIONSTATUS_SUBJECT and make a policy decision on whether to continue or end the connection.
Note: An application definition that is configured in DCM can override CRL and OCSP revocation checking that is configured by an application that uses the application definition.
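The following is an added example, not GSKit or IBM i code, that models the ordering described above as a small decision function: CRL first, then a stapled OCSP response on the client side, then the OCSP URL responder and the AIA responder in the order selected by the GSK_OCSP_CHECK_AIA_FIRST setting. The revocation sources are constructed in-memory lookups standing in for the LDAP CRL server and the OCSP responders; the `Cert`, `Config` and `Result` types, the `check_revocation` and `policy_allows` functions, and the `must_staple` and `aia_ocsp_uri` fields are assumptions made for this illustration. The page does not say what happens when the AIA responder is queried first and returns undetermined; the example assumes the remaining responder is still consulted, and that a subject is recorded as undetermined (the information GSK_UNKNOWNREVOCATIONSTATUS_SUBJECT exposes) whenever no source gives a definite answer.

```python
"""Model of the certificate revocation phase described on this page.
Added example, not GSKit code. All revocation sources are constructed."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional, Set


class Status(Enum):
    GOOD = "good"
    REVOKED = "revoked"
    UNDETERMINED = "undetermined"


@dataclass
class Cert:
    subject: str
    serial: int
    aia_ocsp_uri: Optional[str] = None   # assumed: URI of the OCSP access method in AIA
    must_staple: bool = False            # assumed: RFC 7633 feature extension present


@dataclass
class Config:
    crl_location_configured: bool = False       # CRL location set in DCM for the CA
    ocsp_url_responder: Optional[str] = None    # configured OCSP URL responder
    aia_checking: bool = False
    check_aia_first: bool = False               # GSK_OCSP_CHECK_AIA_FIRST (default: URL first)
    client_status_request: bool = False         # client enables status request processing
    client_requires_status_request: bool = False
    tls_version: str = "TLSv1.2"


@dataclass
class Result:
    ok: bool                      # False -> session negotiation fails
    reason: str
    undetermined_subjects: List[str] = field(default_factory=list)


def check_revocation(cert: Cert, cfg: Config, crl_revoked: Set[int],
                     stapled: Optional[Status],
                     url_responder: Dict[int, Status],
                     aia_responder: Dict[int, Status]) -> Result:
    """crl_revoked: serials the CRL lists as revoked.
    stapled: the server's stapled OCSP status, or None if nothing was stapled.
    url_responder / aia_responder: serial -> Status; a missing serial means
    the responder could not determine the status."""
    # Step 1: CRL. Revoked fails; anything else continues with OCSP.
    if cfg.crl_location_configured and cert.serial in crl_revoked:
        return Result(False, "revoked per CRL")

    # Step 2.1: stapled OCSP response (client side, TLSv1.2 / TLSv1.3 only).
    if cfg.client_status_request and cfg.tls_version in ("TLSv1.2", "TLSv1.3"):
        if stapled is None:
            if cfg.client_requires_status_request and cert.must_staple:
                return Result(False, "must-staple certificate without stapled OCSP response")
            # no staple and no must-staple requirement: fall through to the responders
        elif stapled is Status.REVOKED:
            return Result(False, "revoked per stapled OCSP response")
        elif stapled is Status.GOOD:
            return Result(True, "good per stapled OCSP response")
        else:
            # An undetermined staple completes the phase without querying responders.
            return Result(True, "undetermined per stapled OCSP response", [cert.subject])

    # Steps 2.2 / 2.3: URL responder and AIA responder, order set by check_aia_first.
    responders = []
    if cfg.ocsp_url_responder:
        responders.append(("OCSP URL responder", url_responder))
    if cfg.aia_checking and cert.aia_ocsp_uri and cert.aia_ocsp_uri.lower().startswith("http://"):
        responders.append(("AIA responder", aia_responder))
    if cfg.check_aia_first:
        responders.reverse()
    for name, table in responders:
        status = table.get(cert.serial, Status.UNDETERMINED)
        if status is Status.REVOKED:
            return Result(False, f"revoked per {name}")
        if status is Status.GOOD:
            return Result(True, f"good per {name}")
        # undetermined: try the next responder, if any

    # No source answered: continue as not revoked but record the subject so the
    # application can apply its own policy (assumed to mirror the GSKit note above).
    return Result(True, "revocation status undetermined", [cert.subject])


def policy_allows(result: Result, allow_undetermined: bool) -> bool:
    """Application policy decision on top of the phase result."""
    if not result.ok:
        return False
    return allow_undetermined or not result.undetermined_subjects


# Constructed sample data
LEAF = Cert("CN=app.example.test", serial=4711,
            aia_ocsp_uri="http://ocsp.example.test", must_staple=True)
CRL_REVOKED = {4711}
URL_RESPONDER = {4711: Status.GOOD}
AIA_RESPONDER = {4711: Status.REVOKED}

if __name__ == "__main__":
    cfg = Config(ocsp_url_responder="http://ocsp.internal.test", aia_checking=True)
    for aia_first in (False, True):
        cfg.check_aia_first = aia_first
        print(aia_first, check_revocation(LEAF, cfg, set(), None, URL_RESPONDER, AIA_RESPONDER))
```

The two runs at the bottom show why the responder order matters: with the constructed data the URL responder says good and the AIA responder says revoked, so the default (URL first) accepts the certificate while GSK_OCSP_CHECK_AIA_FIRST rejects it. `policy_allows` is where an application would act on the undetermined-status information instead of silently continuing.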