Instant Revocation
In a PKI environment there are situations where the CA has not yet revoked a certificate, but the relying parties or CRL Monitoring applications want to stop trusting a specific certificate issued by that CA, or to stop doing business with a specific client. This can be achieved by performing instant revocation for such certificate(s) within the CRL Monitor database while the certificate remains valid in the CA's own database. This is a controlled feature and is provided only based on business needs.
Clicking the Instant Revocation button within the CRL Monitor screen shows the following screen. This button and feature are only available if the ADSS Server License allows it; some PKIs explicitly disallow such a feature from being offered or used. If the button is not visible, the license does not allow it.
The configuration items are as follows:
Items | Description
Trusted Authority/CA Name | The Friendly Name of the trusted authority, as registered in the Trust Manager module, for the CA for which the instant revocation should be performed.
Use Certificate Serial No. | A certificate can be instantly revoked by directly providing the serial number of the issued certificate. This is needed when the ADSS Server user does not have the certificate itself. The hexadecimal value of the certificate serial number should be entered.
Use Certificate | Alternatively, provide the certificate (.cer) file itself for the certificate to be instantly revoked.
Reason Code | Provide a standard revocation reason code from the available options.
Hold Instruction Code | Provide one of the available Hold Instruction Codes if the revocation reason is selected as certificateHold.
Revocation Date | Provide a date and time from which the certificate should be considered instantly revoked.
Invalidity Date | Provide a date and time from which the certificate should be considered invalid.
If the "Load CRL in memory for high speed revocation checking" check box is enabled in Trust Manager > CRL Setting for the relevant CA, then upon instantly revoking a certificate ADSS Server prompts to restart all Service instances from Server Manager so that the latest revocation information can be loaded into the cache.
The 'Show Instantly Revoked Certificates' functionality is currently unavailable.
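The "Use Certificate Serial No." option takes the serial number in hexadecimal, and a mistyped value would target a different certificate. The following added example (not ADSS Server code) reads the serial from a .cer file in DER or PEM form and compares it with a typed value. The function names and the sample bytes are constructed for this example, and the exact digit formatting ADSS Server accepts is not stated on this page.

```python
import base64
import re

PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def _tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER element")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length: next n bytes
        n = length & 0x7F
        if not 1 <= n <= 4:
            raise ValueError("unsupported DER length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def cert_serial_hex(data):
    """Hex serial number of an X.509 certificate supplied as DER or PEM bytes."""
    m = PEM_RE.search(data)
    der = base64.b64decode(m.group(1)) if m else data
    tag, start, _ = _tlv(der, 0)            # Certificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER certificate")
    tag, start, _ = _tlv(der, start)        # TBSCertificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("TBSCertificate not found")
    tag, v0, v1 = _tlv(der, start)
    if tag == 0xA0:                         # optional [0] EXPLICIT version
        tag, v0, v1 = _tlv(der, v1)
    if tag != 0x02 or v0 == v1:
        raise ValueError("serialNumber INTEGER not found")
    if der[v0] & 0x80:
        raise ValueError("negative serial number (not RFC 5280 conformant)")
    # Drop the DER sign-padding byte so only the value digits remain.
    return (der[v0:v1].lstrip(b"\x00") or b"\x00").hex().upper()

def same_serial(a, b):
    """Compare two hex serials, ignoring case, ':'/space separators and leading zeros."""
    canon = lambda s: re.sub(r"[\s:]", "", s).upper().lstrip("0") or "0"
    return canon(a) == canon(b)

# Constructed sample: only the leading fields of a certificate (v3, serial
# 00 A1 B2 C3 D4 E5 F6 07 18), enough for the parser; not a real certificate.
SAMPLE_DER = bytes.fromhex("30123010a003020102020900a1b2c3d4e5f60718")

if __name__ == "__main__":
    print(cert_serial_hex(SAMPLE_DER))
```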