A certificate revocation list, or CRL, is a list of revoked certificates maintained by the CA that issues the key pairs and certificates. When CRL checking is enabled, the system consults the CRL whenever a certificate is requested, to see whether that certificate has been revoked.
When crlenable is set to 1 in the smime.conf file, a CRL test is performed after an unexpired key is found: the public key's certificate is checked against a CRL. There can be only one CRL for each CA; however, the same CRL can be located in different places.
Checking a certificate against a CRL is done by the Messaging Server after the S/MIME applet sends it a request to do so. A public key certificate is used to validate a public key. Because a private key is kept secret and used only by its owner, it cannot be checked directly against a CRL. To determine whether a private key is good, the public key certificate of the key pair is checked instead. When the public key's certificate passes the CRL test, the associated private key passes the test too.
A certificate can be revoked for a variety of reasons, for example because its owner has left your organization or has lost the smart card.
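As an added example (not code from the Messaging Server or the S/MIME applet), the CRL test described above carried out in Python with the cryptography package: a constructed CA issues two user certificates and revokes one; the check first confirms the certificate is unexpired, then trusts the CRL only if it comes from that CA and is signed and still current, and only then looks up the serial number. The CA and user names, and the status strings returned by crl_status, are assumptions of this example.

```python
from datetime import datetime, timedelta, timezone
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID
NOW = datetime.now(timezone.utc)

def _utc(obj, attr):  # aware UTC datetime from either the *_utc or the legacy naive accessor
    v = getattr(obj, attr + "_utc", None) or getattr(obj, attr)
    return v if v is None or v.tzinfo else v.replace(tzinfo=timezone.utc)

def issue(cn, issuer_cert=None, issuer_key=None, is_ca=False):
    """Issue an EC certificate for cn; without an issuer it is self-signed (a CA)."""
    key = ec.generate_private_key(ec.SECP256R1())
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    cert = (x509.CertificateBuilder().subject_name(subject)
            .issuer_name(issuer_cert.subject if issuer_cert else subject)
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(NOW - timedelta(minutes=1)).not_valid_after(NOW + timedelta(days=365))
            .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
            .sign(issuer_key or key, hashes.SHA256()))
    return key, cert

def build_crl(ca_cert, ca_key, revoked_serials):
    """The CA's single CRL: a signed list of every serial number it has revoked."""
    builder = (x509.CertificateRevocationListBuilder().issuer_name(ca_cert.subject)
               .last_update(NOW - timedelta(minutes=1)).next_update(NOW + timedelta(days=7)))
    for serial in revoked_serials:
        builder = builder.add_revoked_certificate(x509.RevokedCertificateBuilder()
            .serial_number(serial).revocation_date(NOW - timedelta(minutes=1)).build())
    return builder.sign(ca_key, hashes.SHA256())

def crl_status(cert, crl, ca_cert):
    """Return 'expired', 'bad-crl', 'revoked' or 'good' for a public key certificate."""
    if not (_utc(cert, "not_valid_before") <= NOW <= _utc(cert, "not_valid_after")):
        return "expired"  # the CRL test is only reached for an unexpired certificate
    if (cert.issuer != ca_cert.subject or crl.issuer != ca_cert.subject
            or not crl.is_signature_valid(ca_cert.public_key())
            or ((nu := _utc(crl, "next_update")) is not None and nu < NOW)):
        return "bad-crl"  # a foreign, unsigned or stale CRL proves nothing about cert
    return "good" if crl.get_revoked_certificate_by_serial_number(cert.serial_number) is None else "revoked"

def demo():
    # Constructed scenario: one CA, a revoked user certificate and one that is still good.
    ca_key, ca_cert = issue("Example Mail CA", is_ca=True)
    _, alice = issue("alice@example.test", ca_cert, ca_key)
    _, bob = issue("bob@example.test", ca_cert, ca_key)
    crl = build_crl(ca_cert, ca_key, [alice.serial_number])  # e.g. Alice lost her smart card
    _, other_ca = issue("Other CA", is_ca=True)  # a CRL from a different CA must be rejected
    return {"alice": crl_status(alice, crl, ca_cert), "bob": crl_status(bob, crl, ca_cert),
            "wrong_ca": crl_status(bob, crl, other_ca)}
```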
There are three situations in which a certificate is checked against a CRL:

1. When an outgoing message is signed
   The S/MIME applet always does this check unless you set sendsigncert to 0 or crlenable to 0.

2. When an incoming signed message is read
   The S/MIME applet always does this check unless you set readsigncert to 0 or crlenable to 0.

3. When an outgoing message is encrypted
   The S/MIME applet always does this check unless you set sendencryptcert to 0 or crlenable to 0.