Using certificate revocation lists (CRLs)
You can configure CICS® to use certificate revocation lists (CRLs) to check the validity of client certificates being used in SSL negotiations.
To use certificate revocation lists, you must install and configure an LDAP server. See z/OS Cryptographic Services PKI Services Guide and Reference. You also need to authorize CICS to access the LDAP server, as described in Configuring LDAP for CICS use.
A certificate revocation list details the revoked certificates from a certificate authority. Certificate authorities keep these lists in CRL repositories that are available on the World Wide Web and can be downloaded and stored in an LDAP server. To populate the LDAP server and update certificate revocation lists, use the CICS-supplied transaction CCRL.