Working with revoked certificates
Digital certificates can be revoked by Certificate Authorities. You can check the revocation status of certificates using OCSP, or CRLs on LDAP servers, depending on platform.
- The owner has moved to a different organization
- The private key is no longer secret
CAs publish revoked personal certificates in a Certificate Revocation List (CRL). CA certificates that have been revoked are published in an Authority Revocation List (ARL).
On AIX®, Linux®, and Windows platforms, IBM® MQ SSL support checks for revoked certificates using OCSP (Online Certificate Status Protocol) or using CRLs and ARLs on LDAP (Lightweight Directory Access Protocol) servers. OCSP is the preferred method.
IBM MQ classes for Java and IBM MQ classes for JMS cannot use the OCSP information in a client channel definition table file. However, you can configure OCSP as described in Using Online Certificate Protocol.
On IBM i, IBM MQ SSL support checks for revoked certificates using CRLs and ARLs on LDAP servers only.
On z/OS®, IBM MQ SSL support checks for revoked certificates using CRLs and ARLs on LDAP servers only.
For more information about Certificate Authorities, see Digital certificates.