Revocation examples

The following examples depict some typical environments that can be configured in System SSL and indicate how the revocation sources are checked for revocation information.

Example 1

Certificate validation uses revocation information from either a dedicated OCSP responder or the OCSP responders specified in the certificate's AIA extension. Because GSK_OCSP_URL_PRIORITY is left at its default of ON, the dedicated OCSP responder is attempted first; if it cannot be contacted, the OCSP responders in the AIA extension are used. If none of the specified OCSP responders can be contacted, certificate validation fails. The dedicated OCSP URL is 127.0.0.1.
   GSK_OCSP_URL=http://127.0.0.1
   GSK_OCSP_ENABLE=ON
   GSK_REVOCATION_SECURITY_LEVEL=MEDIUM

Example 2

Certificate validation uses revocation information provided through the AIA and CDP extensions within the certificate. The AIA extension lists any OCSP responders to be used and the CDP extension lists any HTTP servers to be used. The OCSP responders within the AIA extension are checked first. If the OCSP responders cannot be contacted, the HTTP servers within the CDP extension are used. If the certificate lists no OCSP responders or HTTP servers, or none of them can be contacted, the certificate is considered not revoked.
   GSK_OCSP_ENABLE=ON
   GSK_HTTP_CDP_ENABLE=ON
   GSK_AIA_CDP_PRIORITY=ON
   GSK_REVOCATION_SECURITY_LEVEL=LOW

Example 3

Certificate validation uses revocation information provided through the dedicated OCSP responder and the AIA and CDP extensions within the certificate. GSK_AIA_CDP_PRIORITY=OFF places the CDP HTTP servers ahead of the OCSP responders, and GSK_OCSP_URL_PRIORITY=OFF places the AIA responders ahead of the dedicated responder, so the revocation providers are checked in the following order:
  1. HTTP servers within the CDP extensions.
  2. OCSP responders in the AIA extensions.
  3. Dedicated OCSP responder.
If none of the OCSP responders or HTTP servers can be contacted, certificate validation fails.
   GSK_OCSP_URL=http://127.0.0.1
   GSK_OCSP_ENABLE=ON
   GSK_OCSP_URL_PRIORITY=OFF
   GSK_HTTP_CDP_ENABLE=ON
   GSK_AIA_CDP_PRIORITY=OFF
   GSK_REVOCATION_SECURITY_LEVEL=MEDIUM

Example 4

Certificate validation uses revocation information provided by the certificate's CDP extension and an LDAP server. The CDP extension is checked first; if the HTTP server cannot be contacted, the LDAP server is used. If the LDAP server is used, a CRL must be available there. If no revocation information is retrieved, certificate validation fails (the certificate is treated as revoked).
   GSK_HTTP_CDP_ENABLE=ON
   GSK_LDAP_SERVER=127.0.0.1
   GSK_LDAP_USER=cn=admin
   GSK_LDAP_PASSWORD=secret
   GSK_CRL_SECURITY_LEVEL=HIGH
   GSK_REVOCATION_SECURITY_LEVEL=LOW
Note: GSK_REVOCATION_SECURITY_LEVEL controls the processing characteristics of the CDP extension. LOW allows processing to continue to the LDAP server when the HTTP servers cannot be contacted. GSK_CRL_SECURITY_LEVEL controls the processing characteristics of the LDAP server; HIGH requires that the LDAP server be contactable and that a CRL be found there. The GSK_LDAP_USER and GSK_LDAP_PASSWORD values shown are placeholders; a real bind password should not be left in a shared environment file or job log.
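The ordering and fall-through rules that Examples 1 to 4 exercise, collected into one model so that a configuration can be checked before it is deployed. This is an added example and is not System SSL documentation or product code: the GSK_* names and values are the settings used above, but the sample certificate contents, the URLs ocsp.example.test and crl.example.test, and the simulated lookup results are constructed for the illustration. The handling of GSK_REVOCATION_SECURITY_LEVEL=HIGH, which none of the examples exercises, is an assumption marked in the code.

```python
"""Model of the revocation-source ordering and failure handling described in
Examples 1 to 4.  Added illustration, not System SSL code: the GSK_* names
are the real settings, but the network is simulated by a dictionary."""

from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

Source = Tuple[str, str]   # (kind, location); kind is "OCSP", "HTTP" or "LDAP"


@dataclass
class Cert:
    """Locations carried in the certificate's own extensions (constructed data)."""
    aia_ocsp: List[str] = field(default_factory=list)   # AIA id-ad-ocsp accessLocations
    cdp_http: List[str] = field(default_factory=list)   # CRLDistributionPoints HTTP URIs


def _on(settings: Dict[str, str], name: str, default: str = "OFF") -> bool:
    return settings.get(name, default).upper() == "ON"


def source_order(settings: Dict[str, str], cert: Cert) -> List[Source]:
    """Return the revocation sources in the order the examples say they are consulted."""
    dedicated = [("OCSP", settings["GSK_OCSP_URL"])] if settings.get("GSK_OCSP_URL") else []
    aia = [("OCSP", u) for u in cert.aia_ocsp] if _on(settings, "GSK_OCSP_ENABLE") else []
    # GSK_OCSP_URL_PRIORITY (default ON): dedicated responder before the AIA responders.
    ocsp = dedicated + aia if _on(settings, "GSK_OCSP_URL_PRIORITY", "ON") else aia + dedicated
    cdp = [("HTTP", u) for u in cert.cdp_http] if _on(settings, "GSK_HTTP_CDP_ENABLE") else []
    # GSK_AIA_CDP_PRIORITY (default ON): OCSP responders before the CDP HTTP servers.
    order = ocsp + cdp if _on(settings, "GSK_AIA_CDP_PRIORITY", "ON") else cdp + ocsp
    # An LDAP server, when configured, is consulted after the OCSP/HTTP sources (Example 4).
    if settings.get("GSK_LDAP_SERVER"):
        order.append(("LDAP", settings["GSK_LDAP_SERVER"]))
    return order


def validate(settings: Dict[str, str], cert: Cert,
             answers: Dict[str, Optional[str]]) -> str:
    """Walk the sources and return "good", "revoked" or "fail".

    `answers` stands in for the network: location -> "good" or "revoked" for a
    usable response, "no-crl" for an LDAP server that answers but holds no CRL,
    and None (or a missing key) for a server that cannot be contacted.
    """
    rev_level = settings.get("GSK_REVOCATION_SECURITY_LEVEL", "MEDIUM").upper()
    crl_level = settings.get("GSK_CRL_SECURITY_LEVEL", "MEDIUM").upper()
    order = source_order(settings, cert)
    online = [loc for kind, loc in order if kind != "LDAP"]
    ldap = [loc for kind, loc in order if kind == "LDAP"]

    # OCSP responders and CDP HTTP servers: governed by GSK_REVOCATION_SECURITY_LEVEL.
    for loc in online:
        if answers.get(loc) in ("good", "revoked"):
            return answers[loc]
    if online and rev_level == "MEDIUM":
        return "fail"        # a listed responder/server could not be contacted (Examples 1, 3)
    if rev_level == "HIGH" and not ldap:
        return "fail"        # assumption: HIGH fails when no source answered and none is left

    # LDAP CRL retrieval: governed by GSK_CRL_SECURITY_LEVEL (Example 4).
    for loc in ldap:
        status = answers.get(loc)
        if status in ("good", "revoked"):
            return status
        if status is None and crl_level in ("MEDIUM", "HIGH"):
            return "fail"    # LDAP server could not be contacted
        if status == "no-crl" and crl_level == "HIGH":
            return "fail"    # server answered, but no CRL was available
    return "good"            # no revocation information obtained: treated as not revoked


# The four settings blocks from the examples above.
EXAMPLES = {
    1: {"GSK_OCSP_URL": "http://127.0.0.1", "GSK_OCSP_ENABLE": "ON",
        "GSK_REVOCATION_SECURITY_LEVEL": "MEDIUM"},
    2: {"GSK_OCSP_ENABLE": "ON", "GSK_HTTP_CDP_ENABLE": "ON",
        "GSK_AIA_CDP_PRIORITY": "ON", "GSK_REVOCATION_SECURITY_LEVEL": "LOW"},
    3: {"GSK_OCSP_URL": "http://127.0.0.1", "GSK_OCSP_ENABLE": "ON",
        "GSK_OCSP_URL_PRIORITY": "OFF", "GSK_HTTP_CDP_ENABLE": "ON",
        "GSK_AIA_CDP_PRIORITY": "OFF", "GSK_REVOCATION_SECURITY_LEVEL": "MEDIUM"},
    4: {"GSK_HTTP_CDP_ENABLE": "ON", "GSK_LDAP_SERVER": "127.0.0.1",
        "GSK_CRL_SECURITY_LEVEL": "HIGH", "GSK_REVOCATION_SECURITY_LEVEL": "LOW"},
}

# Constructed certificate: one AIA OCSP responder and one HTTP CRL distribution point.
SAMPLE_CERT = Cert(aia_ocsp=["http://ocsp.example.test"],
                   cdp_http=["http://crl.example.test/ca.crl"])

if __name__ == "__main__":
    for n, cfg in EXAMPLES.items():
        print(f"Example {n}: order={source_order(cfg, SAMPLE_CERT)} "
              f"nothing reachable -> {validate(cfg, SAMPLE_CERT, {})}")
```

Running the module prints, for each example, the order in which the sources are tried and the verdict when nothing answers; passing a dictionary of simulated responses to validate() shows how a revoked answer from a lower-priority source is still honoured once the higher-priority ones are unreachable, and how GSK_CRL_SECURITY_LEVEL=HIGH turns an LDAP server without a CRL into a validation failure.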