When a certificate authority (CA) determines that a certificate it issued should no longer be trusted, for example because the corresponding private key has been compromised, it revokes the certificate. The CA publishes the serial numbers of revoked certificates, signed with its own key, in a Certificate Revocation List (CRL). Lumeta checks the validity of SSL certificates by consulting this CRL: a certificate whose serial number appears on the issuer's CRL is treated as revoked.
Lumeta releases up to and including version 3.3.1 use CRLs to check for certificate revocation. After version 3.3.1, OCSP (Online Certificate Status Protocol) checking is additionally supported. CRLs and OCSP are the two common mechanisms for determining whether a certificate has been revoked: with a CRL the client downloads the CA's complete revocation list and checks the certificate against it locally, whereas with OCSP the client queries the CA's responder for the status of a single certificate.
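As an added illustration of the CRL mechanism described above (this is example code written for this page, not Lumeta code, and it does not use any Lumeta command or API), the following shell script uses the openssl command-line tool to build a throwaway CA and a leaf certificate, publish an empty CRL, revoke the leaf, publish an updated CRL, and verify the leaf against the CRL before and after revocation. It assumes openssl 1.1 or later on PATH and a writable temporary directory; the CA name, device name, paths and configuration file are all made up for the example.

```shell
#!/bin/sh
# Added example (not Lumeta code): CRL-based revocation checking with the
# openssl CLI. Assumes openssl >= 1.1 on PATH. All names and paths are made up.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Build a throwaway CA and a leaf certificate, plus the small database that
# "openssl ca" needs in order to revoke certificates and issue CRLs.
make_pki() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=Demo Test CA" -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=device.example.test" \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 30 -out "$WORK/leaf.pem" 2>/dev/null

  mkdir -p "$WORK/newcerts"
  : > "$WORK/index.txt"          # empty certificate database
  echo 1000 > "$WORK/crlnumber"  # CRL sequence number (hex)
  cat > "$WORK/ca.cnf" <<EOF
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir = $WORK
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
certificate = \$dir/ca.pem
private_key = \$dir/ca.key
serial = \$dir/ca.srl
crlnumber = \$dir/crlnumber
default_md = sha256
default_crl_days = 7
policy = demo_policy
[ demo_policy ]
commonName = supplied
EOF
}

# Sign and publish the CA's current CRL (valid for default_crl_days).
gen_crl() {
  openssl ca -config "$WORK/ca.cnf" -gencrl -out "$WORK/crl.pem" 2>/dev/null
}

# Revoke the leaf with reason keyCompromise and publish an updated CRL.
revoke_leaf() {
  openssl ca -config "$WORK/ca.cnf" -revoke "$WORK/leaf.pem" \
    -crl_reason keyCompromise 2>/dev/null
  gen_crl
}

# Check the leaf the way a CRL-aware client does: chain it to the CA and look
# its serial number up in the CA's CRL. Prints one of:
#   valid      chain builds and the serial is not on the CRL
#   revoked    the serial is listed on the CRL
#   stale-crl  the CRL's nextUpdate has passed (must be refreshed, not trusted)
#   invalid    any other verification failure
check_leaf() {
  out=$(openssl verify -CAfile "$WORK/ca.pem" -CRLfile "$WORK/crl.pem" \
          -crl_check "$WORK/leaf.pem" 2>&1) && { echo valid; return 0; }
  case "$out" in
    *"certificate revoked"*) echo revoked ;;
    *"CRL has expired"*)     echo stale-crl ;;
    *)                       echo invalid ;;
  esac
}

# Number of serial numbers currently listed on the CRL (for inspection).
crl_entry_count() {
  openssl crl -in "$WORK/crl.pem" -noout -text | grep -c 'Serial Number:' || true
}

make_pki
gen_crl
echo "before revocation: $(check_leaf) (CRL entries: $(crl_entry_count))"
revoke_leaf
echo "after revocation:  $(check_leaf) (CRL entries: $(crl_entry_count))"
```

Two points worth noting: `-crl_check` only checks the leaf certificate, and `-crl_check_all` is needed to check every CA in the chain as well; and openssl refuses a CRL whose nextUpdate has passed, which is the behaviour you want, since an attacker who can keep you on an old CRL can hide a revocation. The script reads the CRL from a local file, which is the situation this page describes, rather than fetching it from the certificate's CRL distribution point.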
To simplify the experience of customers who use CRL retrieval, a certificate revocation list (CRL) can be installed on or removed from Lumeta. Additional functionality that will enable users to download CRLs is in development as of Lumeta 3.3.2 and is expected to be made available in a near-term release.
Install or Remove CRL via GUI
To install or remove the CRL from the Lumeta graphical user interface, follow this procedure:
- Browse to Settings > Lumeta Systems > Manage PKI
- In the Certificate Type field, select Certificate Revocation List.
- Select Install or Remove.
- Select the CRL file to install or remove.
- Click Submit.
CRL Commands via CLI
certificate crl remove to remove the installed CRL
certificate crl install user@host:/path/to/file.crl to install a CRL, given as a user, host and path from which the file is copied
CRL Commands via API
GET api/rest/license/crl to download the CRL
POST api/rest/license/crl to add a PEM-formatted CRL to the CRL file on the server
DELETE api/rest/license/crl to remove the CRL file from the server