https://www.techtarget.com/searchsecurity/definition/Certificate-Revocation-List#:~:text=A%20certificate%20revocation%20list%20(CRL)%20is%20a%20list%20of%20digital,actual%20or%20assigned%20expiration%20date.
- A user (client) submits their digital certificate through the access point.
- The access point sends the certificate to the authentication server for authentication.
- The server checks to see if the certificate is expired.
- If the certificate is valid (i.e., not expired), the server checks the directory containing the details of approved users.
- If the user is found in the directory, the server next checks the CRL to confirm whether the certificate has been revoked (revoked certificates are identified by serial number).
- If the certificate is not revoked, i.e., the serial number is not in the CRL, the user is allowed to access the network.
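As an added example (not from the post), the server-side decision path above in Python, working on already-parsed certificate and CRL fields; the Cert, CRL and check_access names and the sample records are mine, and the check fails closed when the CRL is missing or past its nextUpdate.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

@dataclass
class Cert:
    serial: int          # the CRL lists revoked certs by this number
    subject: str
    not_after: datetime

@dataclass
class CRL:
    this_update: datetime
    next_update: datetime
    revoked_serials: set = field(default_factory=set)

def check_access(cert: Cert, directory: set, crl: Optional[CRL],
                 now: datetime) -> tuple:
    # Apply the server-side steps in order; return (allowed, reason).
    if now > cert.not_after:                       # step: expiry
        return False, "certificate expired"
    if cert.subject not in directory:              # step: approved-user lookup
        return False, "user not in directory"
    # Step: CRL lookup by serial. Fail closed if the CRL is absent or stale.
    if crl is None:
        return False, "CRL unavailable"
    if not crl.this_update <= now <= crl.next_update:
        return False, "CRL stale"
    if cert.serial in crl.revoked_serials:
        return False, "certificate revoked"
    return True, "access granted"

# Constructed sample data (hypothetical serials and subjects, not real certs).
NOW = datetime(2024, 1, 15, tzinfo=timezone.utc)
APPROVED = {"CN=alice", "CN=bob"}
CRL_OK = CRL(NOW - timedelta(days=1), NOW + timedelta(days=6), {1002})
ALICE = Cert(1001, "CN=alice", NOW + timedelta(days=365))
BOB = Cert(1002, "CN=bob", NOW + timedelta(days=365))      # serial is on the CRL
CAROL = Cert(1003, "CN=carol", NOW + timedelta(days=365))  # not an approved user
OLD = Cert(1004, "CN=alice", NOW - timedelta(days=1))      # already expired

def demo() -> dict:
    return {
        "alice": check_access(ALICE, APPROVED, CRL_OK, NOW),
        "bob": check_access(BOB, APPROVED, CRL_OK, NOW),
        "carol": check_access(CAROL, APPROVED, CRL_OK, NOW),
        "old": check_access(OLD, APPROVED, CRL_OK, NOW),
        "no_crl": check_access(ALICE, APPROVED, None, NOW),
        "stale": check_access(ALICE, APPROVED, CRL_OK, NOW + timedelta(days=30)),
    }
```

Only alice is admitted; every other record is refused with the step that rejected it.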
If the CA publishes a CRL, its location is embedded in the certificate in the CRL Distribution Point extension:
CRL Distribution Point
Distribution Point Name:
Full Name:
URL=xxxxxxxxxxmyca.crl.com/checkme
If this endpoint is not reachable, a 403 is returned:
https://serverfault.com/questions/450676/how-often-is-crl-refreshed-and-how-to-force-it-to-be
If the CRL cannot be reached, IIS returns a 403.13 by default.
The Python/Django project django-ca can host a CRL for your own self-signed CA:
https://django-ca.readthedocs.io/en/latest/crl.html