Instant Revocation
In a PKI environment there are situations where the CA has not yet revoked a certificate, but the relying parties or CRL monitoring applications no longer wish to trust a specific certificate issued by that CA, or wish to stop doing business with a specific client. This can be achieved by performing an instant revocation of such certificate(s) within the CRL Monitor database while the certificate remains valid in the CA's own database. This is a controlled feature and is provided only on the basis of business need.
Clicking the Instant Revocation button within the CRL Monitor screen shows the following screen. (This button and feature are only available if the ADSS Server License allows it; some PKIs explicitly disallow such a feature from being offered or used. If the button is not visible, the license does not allow it.)
The configuration items are as follows:
| Items | Description |
|---|---|
| Trusted Authority/CA Name | This is the Friendly Name of the trusted authority as registered in the Trust Manager module for the CA for which the instant revocation should be performed. Note: Only external CA certificates and the ADSS Server default root certificates are shown in the Trusted Authority/CA Name drop-down list. |
| Use Certificate Serial No. | A certificate can be instantly revoked by directly providing the issued certificate's serial number. This is needed when the ADSS Server operator does not hold the certificate itself. The serial number must be entered as a hexadecimal value. |
| Use Certificate | Alternatively, provide the certificate (.cer) file itself for the certificate to be instantly revoked. |
| Reason Code | Provide a standard revocation reason code from the available options. |
| Hold Instruction Code | Provide one of the available Hold Instruction Codes if the revocation reason selected is certificateHold. |
| Revocation Date | Provide the date and time from which the certificate should be considered instantly revoked. |
| Invalidity Date | Provide the date and time from which the certificate should be considered invalid. |
If the "Load CRL in memory for high speed revocation checking" check box is enabled in Trust Manager > CRL Setting for the relevant CA, then upon instantly revoking a certificate ADSS Server will prompt to restart all Service instances from Server Manager so that the latest revocation information can be loaded into the cache.
Selecting a CA and clicking on the Show Instantly Revoked Certificates button shows the following screen:
The total number of instantly revoked certificate entries and other key details about the CRL are shown at the top of the screen.
The following table describes the rest of the displayed items:
| Items | Description |
|---|---|
| \|< < > >\| | These buttons are for navigating between pages. Note that the number of records shown per page is configurable within Global Settings (since it affects all grids within the product). |
| Clear Search | After a Search the window shows only the filtered records; this button restores the view of the full set of records. |
| Search | This opens a new window where you can enter search criteria based on each column of the grid (see below for further details). |
| Serial Number {hex} | This is the instantly revoked certificate's serial number in hexadecimal format. |
| Revoked at | This is the date and time when the certificate was instantly revoked by the operator. |
| Invalidity Date | This is the date and time when the certificate actually became invalid (if present, it will be equal to or earlier than the Revoked at time). |
| Revocation Reason | This is the reason why the certificate was revoked, as identified by the CA (may be empty). |
| Hold Instruction Code | This contains any instruction code in case the certificate is on hold (i.e. suspended). It identifies how the certificate should be treated whilst it is in this state. For further details on CRL hold instruction codes see PKIX RFC 5280. |
| Reinstate | Use this button to cancel the instant revocation of a certificate and make it active again. |
| CRL Number | This shows the current CRL number for the CA (in decimal format). If the CRL did not contain the CRL Number extension (e.g. an X.509 v1 CRL), this column shows the system-assigned number for the CRL. |
The records in the list of instantly revoked certificates for a particular CA can be sorted in either ascending or descending order by selecting a table column from the drop-down list.
Clicking the Search button on the above page shows the following screen:
As shown above, a search for instantly revoked certificates inside a CRL can be made by:
- Identifying the certificate serial number.
- Identifying the certificate CRL number.
- Revoked at date range (i.e. all certificates revoked within a particular date range).
- Invalidity date range (i.e. all certificates that became invalid within a particular date range).
- Revocation Reason (i.e. all certificates revoked for a particular reason).
If the "_" character is used in the search, it acts as a single-character wildcard.
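The following Python script is an added illustration of the behaviour described on this page, from the configuration items above (hexadecimal serial numbers, RFC 5280 reason codes, the hold instruction code that accompanies certificateHold, an invalidity date no later than the revocation date, and Reinstate) through to the "_" wildcard search. It is not ADSS Server code: the store, the CA name, the serial numbers and the CA CRL contents are all constructed for the example, and the rule that a certificate counts as invalid from its invalidity date (or, if none was entered, its revocation date) is this example's own policy, chosen to match the definitions given on the page.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional, Set, Tuple

# CRLReason names from RFC 5280 section 5.3.1 (value 7 is unused).
CRL_REASONS = {
    0: "unspecified", 1: "keyCompromise", 2: "cACompromise",
    3: "affiliationChanged", 4: "superseded", 5: "cessationOfOperation",
    6: "certificateHold", 8: "removeFromCRL", 9: "privilegeWithdrawn",
    10: "aACompromise",
}
# Hold instruction codes named in RFC 5280 section 5.3.2.
HOLD_INSTRUCTION_CODES = {"id-holdinstruction-none",
                          "id-holdinstruction-callissuer",
                          "id-holdinstruction-reject"}


def normalize_serial(serial: str) -> str:
    """Canonical hex serial: separators, optional 0x prefix and leading zeros
    removed, upper case. '00:ab:cd', '0xABCD' and 'abcd' all become 'ABCD'."""
    s = re.sub(r"[\s:]", "", serial).lower()
    if s.startswith("0x"):
        s = s[2:]
    if re.fullmatch(r"[0-9a-f]+", s) is None:
        raise ValueError(f"not a hexadecimal serial number: {serial!r}")
    return s.lstrip("0").upper() or "0"


@dataclass
class InstantRevocation:
    serial: str                                  # normalised hex
    revoked_at: datetime                         # 'Revocation Date'
    reason: str                                  # CRLReason name
    invalidity_date: Optional[datetime] = None
    hold_instruction_code: Optional[str] = None


class InstantRevocationStore:
    """Per-CA list of locally revoked serials, consulted before the CA's CRL."""

    def __init__(self, ca_name: str) -> None:
        self.ca_name = ca_name
        self.entries: Dict[str, InstantRevocation] = {}

    def revoke(self, serial: str, reason: str, revoked_at: datetime,
               invalidity_date: Optional[datetime] = None,
               hold_instruction_code: Optional[str] = None) -> InstantRevocation:
        if reason not in CRL_REASONS.values():
            raise ValueError(f"unknown CRLReason {reason!r}")
        # A hold instruction code is only meaningful with certificateHold.
        if reason == "certificateHold":
            if hold_instruction_code not in HOLD_INSTRUCTION_CODES:
                raise ValueError("certificateHold requires a hold instruction code")
        elif hold_instruction_code is not None:
            raise ValueError("hold instruction code only valid with certificateHold")
        # The invalidity date is equal to or earlier than the revocation date.
        if invalidity_date is not None and invalidity_date > revoked_at:
            raise ValueError("invalidity date must not be later than revocation date")
        entry = InstantRevocation(normalize_serial(serial), revoked_at, reason,
                                  invalidity_date, hold_instruction_code)
        self.entries[entry.serial] = entry
        return entry

    def reinstate(self, serial: str) -> bool:
        """Cancel an instant revocation (the Reinstate button); True if one existed."""
        return self.entries.pop(normalize_serial(serial), None) is not None

    def search(self, serial_pattern: Optional[str] = None, reason: Optional[str] = None,
               revoked_from: Optional[datetime] = None,
               revoked_to: Optional[datetime] = None) -> List[InstantRevocation]:
        """Filter entries; '_' in serial_pattern matches any single hex digit."""
        regex = None
        if serial_pattern is not None:
            cleaned = re.sub(r"[\s:]", "", serial_pattern).upper()
            regex = re.compile("".join("." if c == "_" else re.escape(c) for c in cleaned))
        hits = [e for e in self.entries.values()
                if (regex is None or regex.fullmatch(e.serial))
                and (reason is None or e.reason == reason)
                and (revoked_from is None or e.revoked_at >= revoked_from)
                and (revoked_to is None or e.revoked_at <= revoked_to)]
        return sorted(hits, key=lambda e: e.revoked_at)


def check_status(serial: str, at: datetime, store: InstantRevocationStore,
                 ca_crl_serials: Set[str]) -> Tuple[str, str]:
    """(status, source) for a certificate at time 'at'. The local list wins over the
    CA's CRL (modelled here as a set of normalised serials, constructed)."""
    s = normalize_serial(serial)
    entry = store.entries.get(s)
    if entry is not None and at >= (entry.invalidity_date or entry.revoked_at):
        return ("held" if entry.reason == "certificateHold" else "revoked", "instant")
    if s in ca_crl_serials:
        return ("revoked", "crl")
    return ("good", "none")


def demo() -> dict:
    """Runs the scenario on constructed data and returns the observed results."""
    utc = timezone.utc
    store = InstantRevocationStore("Example External CA")          # constructed name
    store.revoke("00:1A:2B", "cessationOfOperation", datetime(2024, 3, 10, 9, 0, tzinfo=utc),
                 invalidity_date=datetime(2024, 3, 1, tzinfo=utc))
    store.revoke("1a2c", "certificateHold", datetime(2024, 3, 11, tzinfo=utc),
                 hold_instruction_code="id-holdinstruction-callissuer")
    ca_crl = {"FFEE"}                  # constructed: the only serial the CA revoked
    when = datetime(2024, 3, 12, tzinfo=utc)
    statuses = {s: check_status(s, when, store, ca_crl)[0]
                for s in ("1A2B", "1A2C", "FFEE", "0BAD")}
    before = check_status("1A2B", datetime(2024, 2, 1, tzinfo=utc), store, ca_crl)[0]
    wildcard = [e.serial for e in store.search(serial_pattern="1A2_")]
    store.reinstate("1A2C")
    after = check_status("1A2C", when, store, ca_crl)[0]
    return {"statuses": statuses, "before_invalidity": before,
            "wildcard": wildcard, "after_reinstate": after}


if __name__ == "__main__":
    print(demo())
```

Running the script shows 1A2B reported as revoked by the local list although the CA's CRL does not contain it, 1A2C reported as held until it is reinstated, and the pattern `1A2_` matching both serials. In a real deployment the CA CRL side would come from the parsed CRL rather than a constructed set, and a relying party that caches CRLs in memory would need the reload step described above before the new entry takes effect.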
See also
CRL Monitor Key Features
CRL Storage within ADSS Server
Proxy Settings and Digest Authentication
Using the Service Manager
High Availability for CRL Monitor
Viewing CRL Details
CRL Monitoring
CRL Logs
Logs Archiving
Alerts
Management Reporting