Certificate revocation lists (CRLs)

A CRL holds a list of certificates that the Certificate Authority (CA) has marked as no longer trusted, for a variety of reasons; for example, the private key has been lost or compromised.

To validate certificates, IBM® MQ Advanced Message Security constructs a certificate chain that consists of the signer's certificate and the certificate authority's (CA's) certificate chain up to a trust anchor. A trust anchor is a trusted keystore file that contains a trusted certificate or a trusted root certificate that is used to assert the trust of a certificate. IBM MQ AMS verifies the certificate path using a PKIX validation algorithm.

When the chain is created and verified, IBM MQ AMS completes the certificate validation, which includes validating the issue and expiry dates of each certificate in the chain against the current date and checking whether the key usage extension is present in the End Entity certificate. If the extension is present in the certificate, IBM MQ AMS verifies whether digitalSignature or nonRepudiation is also set. If neither is set, MQRC_SECURITY_ERROR is reported and logged.

Next, IBM MQ AMS downloads CRLs from files or from LDAP, depending on the values specified in the configuration file. Only CRLs encoded in DER format are supported by IBM MQ AMS. If no CRL-related configuration is found in the keystore configuration file, IBM MQ AMS performs no CRL validity check. For each CA certificate, IBM MQ AMS queries LDAP for CRLs, using the Distinguished Name of the CA to find its CRL. The following attributes are included in the LDAP query:

certificateRevocationList
certificateRevocationList;binary
authorityRevocationList
authorityRevocationList;binary
deltaRevocationList
deltaRevocationList;binary

Note: deltaRevocationList is supported only when it is specified as a distribution point.
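The validation sequence described above (chain to a trust anchor with date checks, the key usage rule for the End Entity certificate, then the DER CRL) is illustrated here with an added Go example. This is not IBM's code: Go's standard crypto/x509 package stands in for the PKIX implementation inside IBM MQ AMS, MakeFixture constructs a throwaway CA, signer certificate and CRL purely for demonstration, ErrSecurity is a stand-in for the MQRC_SECURITY_ERROR reason code, and fetching the CRL from a file or LDAP is left out (the CRL arrives as DER bytes). The nextUpdate staleness check is an addition that the text does not mention.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// ErrSecurity stands in for the MQRC_SECURITY_ERROR reason code that the text says AMS reports.
var ErrSecurity = errors.New("MQRC_SECURITY_ERROR")

// MakeFixture builds a constructed PKI: a trust-anchor CA, an end-entity signer
// certificate issued by it, and a DER-encoded CRL signed by the CA. keyUsage 0
// omits the key usage extension; revoke lists the signer's serial in the CRL.
func MakeFixture(keyUsage x509.KeyUsage, revoke bool) (ca, signer *x509.Certificate, crlDER []byte, err error) {
	caKey, err1 := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	eeKey, err2 := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err1 != nil || err2 != nil {
		return nil, nil, nil, fmt.Errorf("key generation failed: %v %v", err1, err2)
	}
	now := time.Now()
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Constructed AMS Test CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, SubjectKeyId: []byte{1, 2, 3, 4},
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign, // cRLSign is needed to issue the CRL
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, nil, err
	}
	if ca, err = x509.ParseCertificate(caDER); err != nil {
		return nil, nil, nil, err
	}
	eeTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1000), Subject: pkix.Name{CommonName: "ams-signer"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour), KeyUsage: keyUsage,
	}
	eeDER, err := x509.CreateCertificate(rand.Reader, eeTmpl, ca, &eeKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, nil, err
	}
	if signer, err = x509.ParseCertificate(eeDER); err != nil {
		return nil, nil, nil, err
	}
	crlTmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: now.Add(-time.Minute), NextUpdate: now.Add(time.Hour)}
	if revoke {
		crlTmpl.RevokedCertificates = []pkix.RevokedCertificate{{SerialNumber: signer.SerialNumber, RevocationTime: now}}
	}
	if crlDER, err = x509.CreateRevocationList(rand.Reader, crlTmpl, ca, caKey); err != nil {
		return nil, nil, nil, err
	}
	return ca, signer, crlDER, nil
}

// ValidateSigner follows the order the text describes: PKIX path validation to the
// trust anchor (which also checks validity dates), the key usage rule for the end-entity
// certificate, then the DER CRL. A nil crlDER models "no CRL configured" (no check).
func ValidateSigner(signer, anchor *x509.Certificate, crlDER []byte) error {
	roots := x509.NewCertPool()
	roots.AddCert(anchor)
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := signer.Verify(opts); err != nil {
		return fmt.Errorf("%w: chain validation failed: %v", ErrSecurity, err)
	}
	// An absent key usage extension parses as KeyUsage 0; Go calls nonRepudiation KeyUsageContentCommitment.
	wanted := x509.KeyUsageDigitalSignature | x509.KeyUsageContentCommitment
	if signer.KeyUsage != 0 && signer.KeyUsage&wanted == 0 {
		return fmt.Errorf("%w: key usage present but neither digitalSignature nor nonRepudiation is set", ErrSecurity)
	}
	if crlDER == nil {
		return nil
	}
	crl, err := x509.ParseRevocationList(crlDER) // DER only, as in the text
	if err != nil {
		return fmt.Errorf("%w: cannot parse CRL: %v", ErrSecurity, err)
	}
	if err := crl.CheckSignatureFrom(anchor); err != nil {
		return fmt.Errorf("%w: CRL not signed by the issuing CA: %v", ErrSecurity, err)
	}
	if time.Now().After(crl.NextUpdate) {
		return fmt.Errorf("%w: CRL is past its nextUpdate time", ErrSecurity)
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(signer.SerialNumber) == 0 {
			return fmt.Errorf("%w: certificate serial %v is revoked", ErrSecurity, signer.SerialNumber)
		}
	}
	return nil
}
```

Calling ValidateSigner on the fixture with revoke set returns an error wrapping ErrSecurity, as does a signer whose key usage extension carries only keyEncipherment; a signer with no key usage extension at all passes the key usage step, matching the rule that the bits are checked only when the extension is present. Verifying the CRL signature against the issuing CA before trusting its contents is the step most home-grown checkers forget.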