[Cloud Computing] Mechanisms: Certificate Revocation List

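This article introduces the basic concepts of the certificate revocation list (CRL) and how it works. A CRL is a list, published by a certification authority, of certificates that have been revoked but are still within their validity period; it is used to verify the validity of certificates. A certificate is revoked and recorded in the CRL when, for example, the certificate owner's private key is lost or the owner leaves the company. A party accessing a resource can check the CRL to determine whether a certificate has been revoked.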


Certificate Revocation List


The certificate revocation list (CRL) is a signed list, published and maintained by each certification authority (CA), of all of that CA's revoked certificates that are still within their validity dates. When a CA revokes a certificate, the CA administrator (CAA) prepares a new CRL and posts it to the directory server. The CRL has additional fields, including the reason for revocation and the date and time of the next update. When a consumer requests access to a resource, the resource can allow or deny access based on whether the consumer's certificate has an entry in the CRL of the certificate's issuer.


Figure 1 - An example of a CRL being consumed by a certificate revocation service.

Figure 1 illustrates a CRL checking process that checks the serial number of a certificate against the certificate issuer’s CRL. If the certificate’s serial number appears on the CRL, the certificate has been revoked. For example, certificates may be revoked if the owner’s private key has been lost, the owner has left the company or agency, or the owner’s name changes. CRLs document the historical revocation status of certificates so that, for instance, a dated signature may be presumed to be valid if the signature date was within the validity period of the certificate, and the current CRL of the issuing CA at that date did not show the certificate to be revoked.
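The check described above, and the dated-signature rule, written out as an added example that is not part of the original page. It assumes the CRL has already been parsed and its CA signature verified; the class and function names, the CA name, the serial number and the dates are all hypothetical.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

@dataclass(frozen=True)
class Cert:
    issuer: str
    serial: int
    not_before: datetime
    not_after: datetime

@dataclass(frozen=True)
class Crl:
    issuer: str
    this_update: datetime
    next_update: datetime
    revoked: dict  # serial number -> (revocation date, reason)

def check_cert(cert, crl, at):
    """Return (ok, detail) for `cert` at time `at`, judged against `crl`."""
    if cert.issuer != crl.issuer:
        return False, "CRL was not published by the certificate's issuer"
    if not (crl.this_update <= at < crl.next_update):
        return False, "CRL is not current for this time"  # fail closed
    if not (cert.not_before <= at <= cert.not_after):
        return False, "outside the certificate's validity period"
    entry = crl.revoked.get(cert.serial)
    if entry is not None:
        return False, f"revoked on {entry[0]:%Y-%m-%d} ({entry[1]})"
    return True, "not revoked"

def signature_presumed_valid(cert, crl_at_signing, signed_at):
    """Dated-signature rule: the certificate was valid at signing time and
    the CRL current at that time did not list it."""
    return check_cert(cert, crl_at_signing, signed_at)[0]

def day(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)

# Constructed sample data (hypothetical CA, serial number and dates).
CERT = Cert("CN=Example CA", 0x1A2B, day(2024, 1, 1), day(2025, 1, 1))
CRL_MARCH = Crl("CN=Example CA", day(2024, 3, 1), day(2024, 3, 8), {})
CRL_JUNE = Crl("CN=Example CA", day(2024, 6, 1), day(2024, 6, 8),
               {0x1A2B: (day(2024, 5, 20), "keyCompromise")})

if __name__ == "__main__":
    print(check_cert(CERT, CRL_JUNE, day(2024, 6, 2)))   # access today
    print(check_cert(CERT, CRL_MARCH, day(2024, 6, 2)))  # stale CRL
    print(signature_presumed_valid(CERT, CRL_MARCH, day(2024, 3, 3)))
```

A CRL whose next-update time has passed is rejected rather than trusted, so a resource that cannot fetch a current CRL denies access instead of missing a recent revocation.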

Related Patterns:

  • Cloud Authentication Gateway
  • Federated Cloud Authentication