Sun Java System Access Manager 7.1 Administration Reference

Match Certificate to CRL

Specifies whether to compare the user certificate against the Certificate Revocation List (CRL) in the LDAP Server. The CRL is located by one of the attribute names in the issuer's SubjectDN. If the certificate is on the CRL, the user is denied access; if not, the user is allowed to proceed. This attribute is, by default, not enabled.

Certificates should be revoked when the owner of the certificate has changed status and no longer has the right to use the certificate or when the private key of a certificate owner has been compromised.

When the Certificate authentication module receives a client certificate for authentication, it first checks whether this option is enabled. If CRL validation is enabled, it retrieves the CRL from the local Directory Server. If that CRL is valid, it validates the client certificate against the current CRL from the local Directory Server.

If the CRL is not valid or needs to be updated, the module retrieves the CRL Distribution Point (CRLDP) information from the client certificate, gets a new CRL from the CRLDP, and replaces the old CRL with the new one. If the CRL is not valid or needs to be updated but the client certificate does not have a CRLDP, the module retrieves the Issuing Distribution Point (IssuingDP) information from the current CRL, gets the new CRL from the IssuingDP, and replaces the old CRL with the new one. It then validates the client certificate against this new CRL.
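The lookup order described above can be modeled as follows. This is an added example, not Access Manager code: the `Crl` and `ClientCert` classes, the `check_certificate` function, the URLs and the sample data are hypothetical. It assumes "not valid or needs to be updated" means the CRL is missing or past its next-update time, and that access is denied when no CRL can be obtained.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional, Set

@dataclass
class Crl:                       # simplified stand-in for an X.509 CRL
    next_update: datetime
    revoked: Set[int]
    issuing_dp: Optional[str] = None   # IssuingDP location, if the CRL carries one

@dataclass
class ClientCert:                # simplified stand-in for a client certificate
    issuer: str
    serial: int
    crldp: Optional[str] = None        # CRLDP location, if the certificate carries one

def check_certificate(cert, directory, fetch, now, crl_check_enabled=True):
    """Return (allowed, crl_source) using the lookup order described above."""
    if not crl_check_enabled:                    # option off: no CRL comparison
        return True, "disabled"
    crl, source = directory.get(cert.issuer), "directory"
    # Assumption: "not valid or needs to be updated" = missing or past nextUpdate.
    if crl is None or crl.next_update <= now:
        if cert.crldp:                           # 1st choice: CRLDP in the certificate
            url, source = cert.crldp, "crldp"
        elif crl is not None and crl.issuing_dp: # 2nd choice: IssuingDP in the old CRL
            url, source = crl.issuing_dp, "issuingdp"
        else:
            return False, "unavailable"          # assumption: fail closed
        crl = fetch(url)
        directory[cert.issuer] = crl             # replace the old CRL in the directory
    return cert.serial not in crl.revoked, source

# Constructed sample data (not from the product).
NOW = datetime(2024, 1, 10, tzinfo=timezone.utc)
CA = "CN=Example CA"
FRESH = Crl(NOW + timedelta(days=7), {0x1001})
STALE = Crl(NOW - timedelta(days=1), set(), issuing_dp="ldap://crl.example/idp")
REMOTE = {"ldap://crl.example/dp": FRESH, "ldap://crl.example/idp": FRESH}

if __name__ == "__main__":
    store = {CA: STALE}
    for cert in (ClientCert(CA, 0x1001, "ldap://crl.example/dp"), ClientCert(CA, 0x2002)):
        print(hex(cert.serial), check_certificate(cert, store, REMOTE.__getitem__, NOW))
```

The stale sample CRL lists no revoked serials, so serial 0x1001 is only rejected because the expired CRL is replaced before the comparison.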