Revoking and un-revoking certificates

There are many reasons why it might become necessary to revoke a user certificate after it has been issued. Because the user certificate resides on the host machine where the user accesses the client, the Certificate Manager cannot revoke it by deleting it. Instead, the Certificate Manager relies on a CRL (Certificate Revocation List).

If the user ID is in the list, then that user is denied access.

The file that contains the CRL is created the first time you revoke a user certificate. This file is called customer-revoke.crl. customer is the unique customer name that is assigned to your organization by Infor. After the file is created, it is updated whenever you revoke a certificate.

Note: When a user certificate is revoked, the related information is deleted from the security server.

The Certificate Manager creates or updates the CRL file in the \server\certs\revoked subdirectory of the directory where the system is installed. To give you the greatest possible control over the CRL, the file is not used for validation while it is in this subdirectory; it must first be copied one level up, to the \server\certs subdirectory. When you are satisfied with the list of revoked certificates, copy customer-revoke.crl to \server\certs to put it into use for access control.

Note: If the \server\certs directory does not contain customer-revoke.crl, then CRL verification does not happen. All users who have been issued certificates are permitted to access the system.

Whenever a user attempts to log in to the host server, the CRL is checked to see whether it contains that user ID.

If you use multiple host servers, then you must copy customer-revoke.crl to every computer that runs a host server. Ensure that it is in the \server\certs directory.

Similar to certificates, the CRL has an expiration date. If the CRL expires, then the Certificate Manager has no way to determine which user certificates have been revoked. It automatically denies access to all users except the security administrator.

To help prevent the CRL from expiring accidentally, the Certificate Manager requires you to set an expiration date for the whole CRL each time you revoke a user certificate. This serves as a reminder to set the expiration date far enough into the future.
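The three outcomes described above (no CRL in \server\certs, an expired CRL, and a user ID on the list) are easy to confuse when planning a deployment, so here is an added model of that login-time decision together with an expiry check to run before copying the file to each host server. This is illustrative code written for this page, not Infor's implementation: the CRL is modelled as a plain set of user IDs plus the administrator-set expiration date, and the security administrator account name "secadmin" is an assumed placeholder.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple

# Assumed placeholder for the security administrator's user ID (not from the page).
SECURITY_ADMIN = "secadmin"


@dataclass
class CRL:
    """Constructed stand-in for customer-revoke.crl: the expiration date set for the
    whole list and the user IDs whose certificates have been revoked."""
    expires_at: datetime
    revoked_user_ids: set = field(default_factory=set)


def check_access(user_id: str, crl: Optional[CRL], now: datetime) -> Tuple[bool, str]:
    """Decide whether a login is allowed, following the behaviour described on the page."""
    # No customer-revoke.crl in \server\certs: CRL verification does not happen at all,
    # so every user holding a certificate is admitted (fail-open).
    if crl is None:
        return True, "no CRL present: verification skipped"
    # Expired CRL: revocations can no longer be determined, so everyone is denied
    # except the security administrator (fail-closed).
    if now >= crl.expires_at:
        if user_id == SECURITY_ADMIN:
            return True, "CRL expired: security administrator admitted"
        return False, "CRL expired: access denied"
    # Current CRL: deny exactly the user IDs that appear on the list.
    if user_id in crl.revoked_user_ids:
        return False, "user ID is on the CRL"
    return True, "user ID not on the CRL"


def crl_expiry_warning(crl: CRL, now: datetime, lead: timedelta = timedelta(days=14)) -> Optional[str]:
    """Pre-deployment check: warn when the CRL has expired or will expire within `lead`."""
    remaining = crl.expires_at - now
    if remaining <= timedelta(0):
        return "CRL has expired; all users except the security administrator are locked out"
    if remaining <= lead:
        return f"CRL expires in {remaining.days} days; set a later expiration date before deploying"
    return None
```

Run `crl_expiry_warning` against the staged file before copying it to every host server's \server\certs directory, since an expired list locks out all regular users on each host at once.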