HP Secure Key Manager User Manual – Support for Certificate Revocation Lists, Local CAs, Viewing the Install CA Certificate section

Figure 92 Viewing the Install CA Certificate section

The following table describes the components of the Install CA Certificate section.

Table 71 Install CA Certificate section components

Component          Description
Certificate Name   Enter the certificate name.
Certificate        Paste the contents of the certificate.
Install            Click Install to install the CA.

Support for Certificate Revocation Lists

Certificate Authorities regularly publish a list of certificates that have been revoked by that CA. Such a list is called a certificate revocation list (CRL). The list of revoked certificates is distributed in X.509 CRL v2 format. Support for CRLs on the SKM allows you to obtain, query, and maintain CRLs published by CAs supported on the SKM. The SKM uses CRLs to verify certificates in two ways.

• Require Client Authentication – when enabled, the SKM only accepts connections from clients that present a valid client certificate. As certificates are presented to the SKM, they are checked against the CRL published by the CA that issued the certificate.

• Web Administration User Authentication – when enabled, this option specifies that you cannot log in to the Management Console without presenting a valid client certificate. As certificates are presented to the SKM, they are checked against the CRL published by the CA that issued the certificate.

You can configure the SKM to fetch the CRL at a regular interval. The CRL is transported to the SKM via FTP, SCP or HTTP. The SKM can only be configured to retrieve complete CRLs, as opposed to partial, delta, or indirect CRLs. You can also manually download updated CRLs to the SKM.

The SKM validates all CRLs that it downloads. For the SKM to validate a CRL, the CA that signed the CRL must be in the list of Trusted CAs on the SKM. CRLs published by untrusted CAs are rejected by the SKM. Once a CRL is installed on the SKM, it remains in effect on the device until the CRL is successfully updated by a CRL from the same issuing CA. If a CRL has been signed with a key that does not match the key in the CA certificate on the SKM, the validation of the CRL fails.

When a certificate on the SKM appears on a CRL, the event is logged in the System Log. Traps for revoked certificates are sent daily around 5:10 AM local time.
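The validation rules described above (the CRL issuer must be a trusted CA, the CRL signature must verify with the key in that CA's certificate, and a rejected CRL leaves the previously installed CRL in effect until a CRL from the same CA validates) can be seen working in the following added Go example, which uses only the standard library. This is not SKM code: the CRLStore type, the CA names "SKM Test CA" and "Other CA", and the serial numbers 1001 and 1002 are constructed for the demonstration, and the "rogue" CA reproduces the wrong-key case by carrying the same name as the trusted CA but a different signing key.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func must[T any](v T, err error) T { // demonstration code: any failure is fatal
	if err != nil {
		panic(err)
	}
	return v
}

// newCert generates a P-256 key and a certificate for it: a self-signed CA allowed to sign
// certificates and CRLs when parent is nil, otherwise a client-auth certificate issued by parent.
func newCert(cn string, serial int64, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if parent == nil { // self-signed CA
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage, tmpl.ExtKeyUsage = x509.KeyUsageCertSign|x509.KeyUsageCRLSign, nil
		parent, parentKey = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}

// buildCRL returns a complete (non-delta) DER X.509 v2 CRL naming issuer and signed with signer.
func buildCRL(issuer *x509.Certificate, signer *ecdsa.PrivateKey, number int64, revoked ...*big.Int) []byte {
	tmpl := &x509.RevocationList{Number: big.NewInt(number),
		ThisUpdate: time.Now().Add(-time.Minute), NextUpdate: time.Now().Add(24 * time.Hour)}
	for _, s := range revoked {
		tmpl.RevokedCertificates = append(tmpl.RevokedCertificates,
			pkix.RevokedCertificate{SerialNumber: s, RevocationTime: tmpl.ThisUpdate})
	}
	return must(x509.CreateRevocationList(rand.Reader, tmpl, issuer, signer))
}

// CRLStore keeps one CRL in effect per issuing CA, replaced only when a new CRL from that CA validates.
type CRLStore struct {
	trusted map[string]*x509.Certificate   // trusted CAs keyed by subject DN
	current map[string]*x509.RevocationList // CRL in effect keyed by issuer DN
}

// Install parses and validates a DER CRL; on any rejection the previous CRL stays in effect.
func (s *CRLStore) Install(der []byte) error {
	crl, err := x509.ParseRevocationList(der)
	if err != nil {
		return fmt.Errorf("malformed CRL: %w", err)
	}
	ca, ok := s.trusted[crl.Issuer.String()]
	if !ok {
		return fmt.Errorf("CRL issuer %q is not a trusted CA", crl.Issuer.String())
	}
	if err := crl.CheckSignatureFrom(ca); err != nil { // signing key differs from the key in the CA certificate
		return fmt.Errorf("CRL signature does not verify with the CA certificate: %w", err)
	}
	s.current[crl.Issuer.String()] = crl
	return nil
}

// IsRevoked reports whether cert's serial number is on the CRL in effect for its issuer.
func (s *CRLStore) IsRevoked(cert *x509.Certificate) bool {
	if crl := s.current[cert.Issuer.String()]; crl != nil {
		for _, r := range crl.RevokedCertificates {
			if r.SerialNumber.Cmp(cert.SerialNumber) == 0 {
				return true
			}
		}
	}
	return false
}

// RunScenario exercises each validation rule with constructed CAs and reports whether it held.
func RunScenario() map[string]bool {
	ca, caKey := newCert("SKM Test CA", 1, nil, nil)       // the only CA the store trusts
	other, otherKey := newCert("Other CA", 1, nil, nil)    // untrusted CA
	rogue, rogueKey := newCert("SKM Test CA", 1, nil, nil) // same name as the trusted CA, different key
	c1, _ := newCert("client-1001", 1001, ca, caKey)
	c2, _ := newCert("client-1002", 1002, ca, caKey)
	s := &CRLStore{map[string]*x509.Certificate{ca.Subject.String(): ca}, map[string]*x509.RevocationList{}}
	r := map[string]bool{"trusted CRL accepted": s.Install(buildCRL(ca, caKey, 1, c1.SerialNumber)) == nil}
	r["untrusted CA rejected"] = s.Install(buildCRL(other, otherKey, 1, c2.SerialNumber)) != nil
	r["wrong key rejected"] = s.Install(buildCRL(rogue, rogueKey, 2, c2.SerialNumber)) != nil
	r["1001 revoked, 1002 still valid"] = s.IsRevoked(c1) && !s.IsRevoked(c2) // rejected CRLs did not displace CRL #1
	r["same-CA update applied"] = s.Install(buildCRL(ca, caKey, 2, c1.SerialNumber, c2.SerialNumber)) == nil && s.IsRevoked(c2)
	return r
}

func main() { fmt.Println(RunScenario()) }
```

Running the program prints a map in which every rule is true. The store keys both trusted CAs and installed CRLs by distinguished name, which is exactly why the rogue CRL reaches the signature check: its issuer name matches the trusted CA, so only the key comparison in CheckSignatureFrom separates it from a genuine update, as the text above describes for a CRL signed with a key that does not match the CA certificate.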

Local CAs

The CRL functionality allows you to revoke and renew certificates that are signed with local CAs.

Additionally, you can export a CRL issued by local CAs. CRLs exported from the SKM contain a list of
