Certificate revocation support
Applications that require validation of the partner's certificate can optionally check whether that certificate has been revoked. Revocation checking can use a certificate revocation list (CRL) obtained from an LDAP or HTTP server, the revocation status returned by an OCSP responder, or any combination of these sources. The revocation sources are configured with the following AT-TLS policy statements:
- TTLSGskHttpCdpParms
- TTLSGskLdapParms
- TTLSGskOcspParms
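As an added illustration, not text from the original page or an IBM-supplied sample, the fragment below shows how the three statements can be referenced from one environment action so that OCSP, HTTP CRL distribution point, and LDAP CRL checking are all available for that environment. The statement names are the ones listed above; the structure (statements referenced by name from TTLSEnvironmentAction), the parameter names inside them, and the LDAP server name and port are assumptions to be checked against the IP Configuration Reference for your z/OS release.

```text
# Environment action that references all three revocation sources.
# Parameter names below are assumptions; verify each against the
# IP Configuration Reference for the installed release.
TTLSEnvironmentAction    RevCheckEnvAct
{
  HandshakeRole          Server
  TTLSKeyringParms       { Keyring  TLSRING }
  TTLSGskOcspParms       RevOcspParms
  TTLSGskHttpCdpParms    RevHttpCdpParms
  TTLSGskLdapParms       RevLdapParms
}

# OCSP: query the responder named in the certificate's AIA extension.
TTLSGskOcspParms         RevOcspParms
{
  OcspAiaEnable          On
}

# CRL over HTTP: fetch the CRL from the certificate's CRL Distribution Point.
TTLSGskHttpCdpParms      RevHttpCdpParms
{
  HttpCdpEnable          On
}

# CRL from an LDAP directory (assumed host name and port).
TTLSGskLdapParms         RevLdapParms
{
  LdapServer             crl.example.com
  LdapServerPort         389
}
```

Any environment action that references these statements still needs to be reached through a TTLSRule; only connections that map to that rule are checked.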
Guideline: Connections that System SSL uses to contact the CRL service should not fall under an enabled AT-TLS policy, because these connections can be made before the AT-TLS policy is installed. Check that no TTLSRule maps those outbound connections to a policy in which AT-TLS is enabled.