Local CAs, Auto-Update – HP Secure Key Manager User Manual

Page 168

CRL v2 format. Support for CRLs on the SKM allows you to obtain, query, and maintain CRLs published
by CAs supported on the SKM. The SKM uses CRLs to verify certificates in two ways.

Require Client Authentication – when enabled, the SKM only accepts connections from clients that
present a valid client certificate. As certificates are presented to the SKM, they are checked against
the CRL published by the CA that issued the certificate.

Web Administration User Authentication – when enabled, this option specifies that you cannot
log in to the Management Console without presenting a valid client certificate. As certificates are
presented to the SKM, they are checked against the CRL published by the CA that issued the
certificate.

You can configure the SKM to fetch the CRL at a regular interval. The CRL is transported to the SKM
via FTP, SCP or HTTP. The SKM can only be configured to retrieve complete CRLs, as opposed to
partial, delta, or indirect CRLs. You can also manually download updated CRLs to the SKM.

The SKM validates every CRL that it downloads. For a CRL to be accepted, the CA that signed it must be
in the list of Trusted CAs on the SKM; CRLs published by untrusted CAs are rejected. The signature is
also checked against the key in that CA's certificate: if the CRL was signed with a key that does not
match the key in the CA certificate on the SKM, validation fails and the CRL is not installed. Once a
CRL is installed, it remains in effect on the device until it is successfully replaced by a CRL from
the same issuing CA, so a CRL whose Next Update time has already passed is still consulted until a
valid replacement is downloaded.
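The validation and revocation rules above, modelled in Python with the `cryptography` library. This is an added example, not code from the SKM or from HP: the CA, the client certificates, the CRLs and the rogue key are all generated inside the script, the function names are the example's own, and the behaviour reproduced is only what the text states (the issuer must be a trusted CA, the signature must verify with that CA certificate's key, and a presented client certificate is refused when it appears on the installed CRL of its issuer).

```python
# Added example, not HP/SKM code: the SKM's CRL acceptance and revocation rules
# modelled with `cryptography`. Every artefact is generated here (runs offline).
from datetime import datetime, timedelta, timezone

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID


def _name(common_name):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])


def make_ca(common_name):
    """Self-signed CA key and certificate (constructed for the example)."""
    key = ec.generate_private_key(ec.SECP256R1())
    now = datetime.now(timezone.utc)
    cert = (
        x509.CertificateBuilder()
        .subject_name(_name(common_name))
        .issuer_name(_name(common_name))
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - timedelta(days=1))
        .not_valid_after(now + timedelta(days=365))
        .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
        .sign(key, hashes.SHA256())
    )
    return key, cert


def issue_client_cert(ca_key, ca_cert, common_name):
    """Client certificate signed by the CA (constructed for the example)."""
    now = datetime.now(timezone.utc)
    return (
        x509.CertificateBuilder()
        .subject_name(_name(common_name))
        .issuer_name(ca_cert.subject)
        .public_key(ec.generate_private_key(ec.SECP256R1()).public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - timedelta(days=1))
        .not_valid_after(now + timedelta(days=30))
        .sign(ca_key, hashes.SHA256())
    )


def build_crl(signing_key, issuer_cert, revoked_serials, next_update):
    """Complete (non-delta) CRL naming issuer_cert as issuer. Signing with a key
    other than issuer_cert's own reproduces the key-mismatch case from the manual."""
    now = datetime.now(timezone.utc)
    builder = (
        x509.CertificateRevocationListBuilder()
        .issuer_name(issuer_cert.subject)
        .last_update(now)
        .next_update(next_update)
    )
    for serial in revoked_serials:
        entry = x509.RevokedCertificateBuilder().serial_number(serial).revocation_date(now).build()
        builder = builder.add_revoked_certificate(entry)
    return builder.sign(signing_key, hashes.SHA256())


def validate_crl(crl, trusted_cas):
    """SKM rule: the issuer must be in the Trusted CAs list and the CRL signature
    must verify with that CA certificate's key. Returns the CA, or None to reject."""
    for ca in trusted_cas:
        if ca.subject == crl.issuer:
            return ca if crl.is_signature_valid(ca.public_key()) else None
    return None  # issuer is not a trusted CA


def client_cert_accepted(cert, installed_crls):
    """Require Client Authentication: refuse a presented certificate that appears
    on the installed CRL of the CA that issued it (keyed by issuer DN)."""
    crl = installed_crls.get(cert.issuer.rfc4514_string())
    if crl is None:
        return True  # no CRL installed for this issuer; nothing to check against
    return crl.get_revoked_certificate_by_serial_number(cert.serial_number) is None


def demo():
    ca_key, ca_cert = make_ca("Example Trusted CA")
    rogue_key, _ = make_ca("Example Trusted CA")  # same issuer name, different key
    other_key, other_cert = make_ca("Example Untrusted CA")
    trusted = [ca_cert]
    next_update = datetime.now(timezone.utc) + timedelta(days=7)
    good_client = issue_client_cert(ca_key, ca_cert, "skm-client-01")
    revoked_client = issue_client_cert(ca_key, ca_cert, "skm-client-02")
    candidates = {
        "trusted_ca_crl": build_crl(ca_key, ca_cert, [revoked_client.serial_number], next_update),
        "key_mismatch_crl": build_crl(rogue_key, ca_cert, [], next_update),
        "untrusted_ca_crl": build_crl(other_key, other_cert, [], next_update),
    }
    installed, results = {}, {}
    for label, crl in candidates.items():
        ca = validate_crl(crl, trusted)
        results[label] = "installed" if ca is not None else "rejected"
        if ca is not None:
            installed[crl.issuer.rfc4514_string()] = crl  # only validated CRLs are installed
    results["skm-client-01"] = client_cert_accepted(good_client, installed)
    results["skm-client-02"] = client_cert_accepted(revoked_client, installed)
    return results
```

Running `demo()` installs only the CRL signed by the trusted CA's real key, rejects the one signed by a different key under the same issuer name and the one from a CA outside the trusted list, and then refuses the client whose serial the installed CRL lists.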

When a certificate on the SKM appears on a CRL, the event is logged in the System Log. Traps for revoked
certificates are sent daily at around 5:10 AM local time.

Local CAs

The CRL functionality allows you to revoke and renew certificates that are signed by local CAs.
Additionally, you can export the CRL issued by a local CA. A CRL exported from the SKM lists the
certificates revoked by that local CA and is a PEM-encoded X.509 CRL.

Auto-Update

Each CA promises to update its CRL by the day and time specified in the Next Update field of its
current CRL. When you enable the Auto-Update feature, at 5:00 AM every day the SKM inspects the Next
Update value of the CRL associated with each CA on the SKM. For CRLs whose Next Update time
is in the past, the SKM attempts to connect to the CRL distribution point (CDP) for the CA and download
the updated CRL. If the download succeeds, the Next Update field for that CA is replaced by the
Next Update time contained in the newly downloaded CRL. If the Next Update value for a CRL
is still in the future, the SKM leaves that CRL alone and attempts the download at the first daily check
after that time has passed. For example:

There is a CA named XYZ that has a CRL Next Update time of Oct 20 01:00:00 2002 (1:00 AM).
The administrator has enabled CRL auto-updates on the SKM. At 5:00 AM on Oct 20, the SKM checks
the Next Update times for all of the CAs. When it gets to CA XYZ, it will notice that the Next Update
time was in the past (4 hours ago), and it will attempt to download an updated CRL from the
appropriate CDP.

If the CRL download was successful, the Next Update field for that CA is changed to the new update
time contained in the downloaded CRL.

Should the CRL download fail, the SKM continues using the old CRL, and it tries again each day to
download the updated CRL at the normal 5:00 AM auto-update time.

The Auto-Update feature is a global setting. If you want to disable Auto-Update for a particular CA,
you can use the crl settings command to set the Next Update value to a time in the distant future.
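The daily Auto-Update pass, including the download-failure case and the far-future Next Update workaround, as an added example that is not part of the manual. It runs offline: the distribution point is a constructed stand-in, the URLs, CA names and function names (`auto_update_pass`, `CdpUnavailable`, `FakeCdp`) are the example's own, and a downloaded CRL is represented by a label plus the Next Update time it carries. Validation of the downloaded CRL is assumed to happen inside the fetch and to raise `CdpUnavailable` when it fails, which leaves the old CRL in place exactly as a connection failure would.

```python
# Added example, not HP/SKM code: the daily Auto-Update pass as the manual
# describes it, with a constructed stand-in for the CRL distribution point.
from dataclasses import dataclass
from datetime import date, datetime, timedelta, timezone

UTC = timezone.utc


@dataclass
class CaCrlState:
    name: str
    cdp: str               # CRL distribution point URL (hypothetical)
    next_update: datetime  # Next Update field of the installed CRL
    installed_crl: str     # label standing in for the installed CRL


class CdpUnavailable(Exception):
    """The download did not yield a usable CRL (CDP down, or CRL failed validation)."""


def auto_update_pass(now, cas, fetch_crl):
    """One 5:00 AM pass. fetch_crl(cdp) returns (crl_label, next_update_of_new_crl)
    or raises CdpUnavailable. On failure the old CRL and its past Next Update are
    kept unchanged, so the same CA is due again on tomorrow's pass."""
    report = {}
    for ca in cas:
        if ca.next_update > now:
            report[ca.name] = "not due"
            continue
        try:
            ca.installed_crl, ca.next_update = fetch_crl(ca.cdp)
            report[ca.name] = "updated"
        except CdpUnavailable:
            report[ca.name] = "download failed, old CRL kept"
    return report


def disable_auto_update(ca):
    """Auto-Update is global; the manual's per-CA workaround is a far-future Next Update."""
    ca.next_update = datetime(2099, 1, 1, tzinfo=UTC)


class FakeCdp:
    """Constructed distribution point: unreachable on the listed dates, otherwise
    serves a CRL whose Next Update is seven days out."""

    def __init__(self, down_on):
        self.down_on = down_on  # {cdp_url: {date, ...}}
        self.now = None

    def fetch(self, cdp_url):
        if self.now.date() in self.down_on.get(cdp_url, set()):
            raise CdpUnavailable(cdp_url)
        label = f"{cdp_url.rsplit('/', 1)[-1]}@{self.now.date().isoformat()}"
        return label, self.now + timedelta(days=7)


def simulate():
    """Two daily passes, Oct 20 and Oct 21 2002, around the manual's CA XYZ example."""
    cas = [
        CaCrlState("XYZ", "http://crl.xyz.example/xyz.crl",
                   datetime(2002, 10, 20, 1, 0, tzinfo=UTC), "xyz.crl@old"),
        CaCrlState("ABC", "http://crl.abc.example/abc.crl",
                   datetime(2002, 10, 25, 0, 0, tzinfo=UTC), "abc.crl@old"),
        CaCrlState("Local", "http://crl.local.example/local.crl",
                   datetime(2002, 10, 19, 0, 0, tzinfo=UTC), "local.crl@old"),
    ]
    disable_auto_update(cas[2])  # overdue, but deliberately pushed out of reach
    cdp = FakeCdp({"http://crl.xyz.example/xyz.crl": {date(2002, 10, 20)}})
    log = {}
    for day in (20, 21):
        cdp.now = datetime(2002, 10, day, 5, 0, tzinfo=UTC)
        log[day] = auto_update_pass(cdp.now, cas, cdp.fetch)
    return cas, log
```

In `simulate()`, XYZ is four hours overdue at the 5:00 AM check on Oct 20 but its CDP is down, so the old CRL stays and nothing about its state changes; the Oct 21 pass finds it still overdue, downloads successfully, and adopts the new CRL's Next Update. ABC is never contacted because its Next Update is in the future, and the Local CA, although overdue, is skipped because its Next Update was set to 2099.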

Using the Management Console
