Support for certificate revocation lists, Local cas, 92 viewing the install ca certificate section – HP Secure Key Manager User Manual
Page 153: 71 install ca certificate section components

Figure 92 Viewing the Install CA Certificate section
The following table describes the components of the Install CA Certificate section.
Table 71 Install CA Certificate section components
Component
Description
Certificate Name
Enter the certificate name.
Certificate
Paste the contents of the certificate.
Install
Click Install to install the CA.
Support for Certificate Revocation Lists
Certificate Authorities regularly publish a list of certificates that have been revoked by that CA. Such a list
is called a certificate revocation list (CRL). The list of revoked certificates is distributed in X.509 CRL v2
format. Support for CRLs on the SKM allows you to obtain, query, and maintain CRLs published by CAs
supported on the SKM. The SKM uses CRLs to verify certificates in two ways.
•
Require Client Authentication – when enabled, the SKM only accepts connections from clients
that present a valid client certificate. As certificates are presented to the SKM, they are checked
against the CRL published by the CA who issued the certificate.
•
Web Administration User Authentication – when enabled, this option specifies that you cannot
log in to the Management Console without presenting a valid client certificate. As certificates
are presented to the SKM, they are checked against the CRL published by the CA who issued
the certificate.
You can configure the SKM to fetch the CRL at a regular interval. The CRL is transported to the SKM via
FTP, SCP or HTTP. The SKM can only be configured to retrieve complete CRLs, as opposed to partial,
delta, or indirect CRLs. You can also manually download updated CRLs to the SKM.
The SKM validates all CRLs that it downloads. For the SKM to validate a CRL, the CA that signed the
CRL must be in the list of Trusted CAs on the SKM. CRLs published by untrusted CAs are rejected by the
SKM. Once a CRL is installed on the SKM, it remains in effect on the device until the CRL is successfully
updated by a CRL from the same issuing CA. If a CRL has been signed with a key that does not match the
key in the CA certificate on the SKM, the validation of the CRL fails.
When a certificate on the SKM appears on a CRL, the event is logged in System Log. Traps for revoked
certificates are sent daily around 5:10 AM local time.
Local CAs
The CRL functionality allows you to revoke and renew certificates that are signed with local CAs.
Additionally, you can export a CRL issued by local CAs. CRLs exported from the SKM contain a list of
Secure Key Manager
153