Importing a Certificate Revocation List into MarkLogic Server
A Certificate Revocation List (CRL) is a list of certificate serial numbers that have been revoked by a certificate authority. The CRL is signed by the certificate authority to verify its accuracy. The CRL contains the revocation date of each certificate, along with the date the CRL was published and the date it will next be published, which is useful in determining whether a newer CRL should be fetched.
You can use pki:insert-certificate-revocation-list()
to import a CRL into the Security database. certificate authorities typically allow the CRL to be downloaded via HTTP. The document URL in the database is derived from the URL passed into the function, so Inserting a newer CRL retrieved from the same URL will replace the previous one in the database.
For example, the following script imports a PEM- or DER-encoded CRL from Verisign into the Security database:
xquery version "1.0-ml"; import module namespace pki = "http://marklogic.com/xdmp/pki" at "/MarkLogic/pki.xqy"; let $URI := "http://crl.verisign.com/pca3.crl" return pki:insert-certificate-revocation-list( $URI, xdmp:document-get($URI)/binary() )
Note
If the next publication date of the CRL is earlier than the current time, you will receive the following message in the error log: loadCertificateRevocationLists: Most recent CRL for issuer=<issuer_name> is expired
.