Chapter 3. Configuring certificate revocation checks in Elytron

To ensure that certificates that are revoked by the issuing Certificate Authority (CA) before their expiration date are not trusted by Elytron or the Elytron client, configure certificate revocation checks. You can use either Certificate Revocation Lists (CRL) or an Online Certificate Status Protocol (OCSP) responder for certificate revocation checking. Use OCSP if you do not want to download the entire CRL.

3.1. Configuring certificate revocation checks using certificate revocation lists

Configure certificate revocation checks using Certificate Revocation Lists (CRL) in the Elytron trust manager used for enabling two-way SSL/TLS, so that the certificates that are revoked by the issuing Certificate Authority (CA) before their expiration date are not trusted by Elytron.

Procedure

  1. Configure the trust manager to use the CRL using one of the following steps:

    • Configure the trust manager to use CRLs obtained from distribution points referenced in your certificates.

      Syntax

      /subsystem=elytron/trust-manager=<trust_manager_name>:write-attribute(name=certificate-revocation-lists,value=[])

      Example

      /subsystem=elytron/trust-manager=exampleTLSTrustManager:write-attribute(name=certificate-revocation-lists,value=[])

    • Override the CRL obtained from distribution points referenced in your certificates.

      Syntax

      /subsystem=elytron/trust-manager=<trust_manager_name>:write-attribute(name=certificate-revocation-lists,value=[{path="<CRL-file-1>"},{path="<CRL-file-2>"},...,{path="<CRL-file-N>"}])

      Example

      /subsystem=elytron/trust-manager=exampleTLSTrustManager:write-attribute(name=certificate-revocation-lists,value=[{path="intermediate.crl.pem"}])

  2. Configure the trust manager to use CRL for certificate revocation checking.

    • If an OCSP responder is also configured for certificate revocation checks, add attribute ocsp.prefer-crls with the value true in the trust manager to use CRL for certificate revocation checking:

      Syntax

      /subsystem=elytron/trust-manager=<trust_manager_name>:write-attribute(name=ocsp.prefer-crls,value="true")

      Example

      /subsystem=elytron/trust-manager=exampleTLSTrustManager:write-attribute(name=ocsp.prefer-crls,value="true")

    • If no OCSP responder is configured for certificate revocation checks, the configuration is complete.

3.2. Configuring certificate revocation checks using OCSP in Elytron

Configure the trust manager used for enabling two-way SSL/TLS to use an Online Certificate Status Protocol (OCSP) responder for certificate revocation checking. OCSP is defined in RFC6960.

When both the OCSP responder and the CRL are configured for certificate revocation checks, the OCSP responder is invoked by default.

Procedure

  • Configure the trust manager for certificate revocation checking with OCSP using either of the following steps:

    • Configure the trust manager to use the OCSP responder defined in the certificate for certificate revocation checking.

      Syntax

      /subsystem=elytron/trust-manager=<trust_manager_name>:write-attribute(name=ocsp,value={})

      Example

      /subsystem=elytron/trust-manager=exampleTLSTrustManager:write-attribute(name=ocsp,value={})

    • Override the OCSP responder defined in the certificate.

      Syntax

      /subsystem=elytron/trust-manager=<trust_manager_name>:write-attribute(name=ocsp.responder,value="<ocsp_responder_url>")

      Example

      /subsystem=elytron/trust-manager=exampleTLSTrustManager:write-attribute(name=ocsp.responder,value="http://example.com/ocsp-responder")

3.3. Configuring certificate revocation checks using CRL in the Elytron client

Configure certificate revocation checks using Certificate Revocation Lists (CRL) in the Elytron client, so that the certificates that are revoked by the issuing Certificate Authority (CA) before their expiration date are not trusted by the client.

Prerequisites

  • You have created the wildfly-config.xml file for the Elytron client.

Procedure

  • Add the following content in the <ssl-context> element in the wildfly-config.xml file:

    Syntax

    <certificate-revocation-lists>
        <certificate-revocation-list path="${path_to_crl}"/>
    </certificate-revocation-lists>

    Example

    <certificate-revocation-lists>
        <certificate-revocation-list path="/server/ca/crl/revoked.pem"/>
    </certificate-revocation-lists>

3.4. Configuring certificate revocation checks using OCSP in the Elytron client

Configure certificate revocation checks using Online Certificate Status Protocol (OCSP) in the Elytron client, so that the certificates that are revoked by the issuing Certificate Authority (CA) before their expiration date are not trusted by the client. When you use an OCSP responder, you do not have to download the entire CRL.

Prerequisites

  • You have created the wildfly-config.xml file for the Elytron client.

Procedure

  • Add the following content in the <ssl-context> element in wildfly-config.xml:

    Syntax

    <ocsp responder="${ocsp_responder_uri}" responder-certificate="${alias_of_ocsp_responder_certificate}" responder-keystore="${keystore_for_ocsp_responder_certificate}" />

    Example

    <ocsp />
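Added example, not part of the Red Hat documentation: a small Python audit that parses a wildfly-config.xml and reports, for each <ssl-context>, whether the <certificate-revocation-lists> element from section 3.3 or the <ocsp> element from section 3.4 is present, so that client SSL contexts with no revocation checking at all can be found. The sample configuration, including the namespace URI urn:elytron:client:1.7, is constructed for this example.

```python
import xml.etree.ElementTree as ET

# Constructed sample wildfly-config.xml (not from the docs): one ssl-context with
# CRL and OCSP configured, one with neither. The namespace URI is a placeholder.
SAMPLE_CONFIG = """<configuration>
  <authentication-client xmlns="urn:elytron:client:1.7">
    <ssl-contexts>
      <ssl-context name="checked">
        <trust-store key-store-name="ts"/>
        <certificate-revocation-lists>
          <certificate-revocation-list path="/server/ca/crl/revoked.pem"/>
        </certificate-revocation-lists>
        <ocsp responder="http://example.com/ocsp-responder"/>
      </ssl-context>
      <ssl-context name="unchecked">
        <trust-store key-store-name="ts"/>
      </ssl-context>
    </ssl-contexts>
  </authentication-client>
</configuration>
"""


def _local(tag):
    """Strip the namespace so element names match whatever schema version is used."""
    return tag.rsplit("}", 1)[-1]


def audit_ssl_contexts(xml_text):
    """Map each ssl-context name to its CRL paths and OCSP settings."""
    report = {}
    for ctx in ET.fromstring(xml_text).iter():
        if _local(ctx.tag) != "ssl-context":
            continue
        entry = {"crls": [], "ocsp": False, "responder": None}
        for child in ctx:
            if _local(child.tag) == "certificate-revocation-lists":
                entry["crls"] = [c.get("path") for c in child
                                 if _local(c.tag) == "certificate-revocation-list"]
            elif _local(child.tag) == "ocsp":
                entry["ocsp"] = True
                # No responder attribute means the URL from the certificate is used.
                entry["responder"] = child.get("responder")
        report[ctx.get("name")] = entry
    return report


def unchecked_contexts(report):
    """Names of ssl-contexts that trust certificates without any revocation check."""
    return sorted(n for n, e in report.items() if not e["crls"] and not e["ocsp"])
```

Run the audit against each wildfly-config.xml deployed with an Elytron client; any name returned by unchecked_contexts is a context that will accept a revoked certificate until its expiry.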

© 2024 Red Hat, Inc.