Certificate Authority

Working with the CRL

Using the Certificate Revocation List (CRL)

The CRL identifies those certificates that the UW CA has determined are no longer valid and has revoked. Use of a CRL is not necessary, but does enhance the security of your client or service.

Specific use depends on your application. PEM format is convenient because you can copy the text from your browser and paste it into an application or file. The CRL in DER format contains unprintable characters and does not lend itself to the copy and paste method. Many applications can, however, work more easily with the DER format.

In addition, certificates issued by the CA contain CRL distribution point information. Someday soon software products will automatically make use of that information - thereby obviating the manual distribution method.

Browsers

• You can click on the DER format link and load the CRL into most browsers.
• Be advised however that the CRL will have to be reloaded when it expires, or else your browser will not accept our certificates.

Apache web servers

• A Web server does not need the CRL unless it will be authenticating clients (e.g. SOAP enabled programs) who themselves use our CA's certificates.
• Each brand of web server has specific configuration instructions to indicate CRL information. For Apache with mod_ssl some applicable directives are
  • SSLCARevocationPath
  • SSLCARevocationFile

• See the mod_ssl documentation.

Programs unsing the OpenSSL library

• OpenSSL does not automatically check for certificate revocation. You have to do that by hand in the verifier callback.
• We at present have no example.
• You could reference the mod_ssl example.

MS Windows applications

• Windows applications will find the DER format of the CRL the most convenient.
• Click on the DER format link to allow your system's certificate manager to install the list.