Signiant Support

Certificate revocation lists


Question

What is a Certificate revocation list (CRL) and how is it used?

Answer

A CRL is a PEM-encoded list of certificates that have been manually revoked by a Data Transfer Manager administrator. It is used to prevent data transfers from occurring between agents when one of the agents has had its certificate revoked.

The agents check this list once a day, although it can be reloaded manually by running the dds_admin command 'reload crl'.

Agents are configured to find the CRL at install time via the certificateAuthorityUrl line in the ddspkg.inf file. The CRL address can be updated using the "set crlurl URL_FOR_CRL" command when running dds_admin, where URL_FOR_CRL is the URL at which the CRL is published, preferably served over https.

You can decode the CRL with the openssl command, for example:

    openssl crl -text -noout -in Signiant_crl.pem
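The following script is an added example and is not part of the Signiant article or product. It builds a throwaway CA in a temporary directory (the names demo-ca and demo-agent, the ca.cnf contents and the file names are constructed for this example), issues a certificate, revokes it, generates a CRL, decodes that CRL with the same openssl crl command shown above, and then shows that openssl verify accepts the certificate without the CRL and rejects it once the CRL is consulted. How the Signiant agents perform their own check is not described on this page; the script only demonstrates what a CRL entry does to certificate validation.

```shell
#!/bin/sh
# Added example (not Signiant code): build a demo CA, revoke a certificate,
# produce a CRL, decode it, and verify a certificate against it.
set -eu

# Build a throwaway PKI under directory $1: ca.crt/ca.key, agent.crt (revoked)
# and crl.pem. All names and the config below are constructed for this demo.
build_demo_pki() {
  (
    cd "$1"
    mkdir -p newcerts
    : > index.txt
    echo 01 > serial
    echo 01 > crlnumber
    cat > ca.cnf <<'EOF'
[ ca ]
default_ca = demo_ca

[ demo_ca ]
dir              = .
database         = index.txt
new_certs_dir    = newcerts
serial           = serial
crlnumber        = crlnumber
certificate      = ca.crt
private_key      = ca.key
default_md       = sha256
default_days     = 365
default_crl_days = 1
policy           = demo_policy
x509_extensions  = v3_leaf

[ demo_policy ]
commonName = supplied

[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage         = critical,keyCertSign,cRLSign

[ v3_leaf ]
basicConstraints = CA:FALSE

[ req ]
distinguished_name = req_dn

[ req_dn ]
EOF
    # Self-signed CA certificate.
    openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt \
      -subj "/CN=demo-ca" -days 365 -config ca.cnf -extensions v3_ca
    # Agent certificate signed by the demo CA (serial 01).
    openssl req -newkey rsa:2048 -nodes -keyout agent.key -out agent.csr \
      -subj "/CN=demo-agent" -config ca.cnf
    openssl ca -batch -config ca.cnf -notext -in agent.csr -out agent.crt
    # Revoke it and publish a CRL that lists its serial number.
    openssl ca -batch -config ca.cnf -revoke agent.crt
    openssl ca -batch -config ca.cnf -gencrl -out crl.pem
  )
}

# Print the serial numbers of the revoked certificates listed in CRL $1,
# one per line, by parsing the decoded "openssl crl -text" output.
crl_revoked_serials() {
  openssl crl -text -noout -in "$1" | awk '/Serial Number:/ {print $3}'
}

# Validate certificate $3 against CA $1 with CRL $2 consulted for the leaf.
# Echoes "accepted" or "rejected".
check_against_crl() {
  if openssl verify -crl_check -CAfile "$1" -CRLfile "$2" "$3" >/dev/null 2>&1; then
    echo accepted
  else
    echo rejected
  fi
}

WORK=$(mktemp -d)
build_demo_pki "$WORK"

echo "Decoded CRL:"
openssl crl -text -noout -in "$WORK/crl.pem"
echo "Revoked serials: $(crl_revoked_serials "$WORK/crl.pem")"
echo "Without CRL check: $(openssl verify -CAfile "$WORK/ca.crt" "$WORK/agent.crt")"
echo "With CRL check:    $(check_against_crl "$WORK/ca.crt" "$WORK/crl.pem" "$WORK/agent.crt")"
```

The contrast between the two verify calls is the point: the certificate chains correctly to the CA, so only a check that actually consults a current CRL rejects it. That is why the CRL must be reachable at the configured crlurl (and why serving it over https matters), and why a CRL that agents only refresh once a day leaves a window until 'reload crl' is run.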