A CRL is a signed data structure that contains a time-stamped list that identifies revoked certificates. Revoked certificates are no longer trusted for authentication. Typically, CRLs block access when a user's employment status or assignment changes, or when a user's certificate or the corresponding private key is compromised.
Client certificates and CRLs must meet these conditions:
If PKI certificates are used for user authentication, you can configure the database server to support CRLs. When support for CRLs is enabled, the server checks the client certificate when a user attempts to log in, to verify that the certificate is not revoked.
Administrators use the dbadmin command to set CRL options for the server. The server writes the CRL settings to the server log. If diagnostic information about the CRL is available, the server logs this information when a certificate is validated.
You can enable the Rational DOORS client to perform a CRL check of the server certificate when you open the client. Specify CRL options with the doors.exe command at the command line or set keys and values in the registry. Users who have permission to view database properties in the client can examine the CRL options that are used by the server.
The user certificate was not validated.
Some possible reasons for the error:
1. the server does not trust the whole certificate chain
2. the user certificate has been revoked
3. the user certificate CRL is not available
DOORS will now exit.
The following message is posted in the server log:
received invalid socket: boost::exception_detail::clone_impl<class SecureCommsException>: GSKit SocInit failed: GSK_ERROR_BAD_CERT -- unable to validate the client certificate
- the certificate chain might not be trusted
- the certificate might be revoked
- the certificate CRL might not be available
Unable to validate the server certificate. The server certificate has been revoked.
DOORS will now exit.
The server uses the most recent available option settings to validate a certificate. If you change the CRL options, you must restart the server to apply the changes.
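The following is an added example, not code from Rational DOORS, GSKit or IBM: a small Go program, using only the standard library, that models the server-side decision the text describes. It builds a throwaway CA and one client certificate (all names, serial numbers and validity periods are constructed), signs a CRL from that CA, and then runs a hypothetical validateClientCert function through the success path and the three failure reasons listed in the client error above, plus a stale-CRL case. The function name, the outcome strings and the fail-closed rule (a missing, unsigned, foreign or expired CRL counts as "CRL not available") are this example's assumptions about how such a check should behave, not a description of the DOORS server's internals.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Outcomes named after the three reasons listed in the DOORS client error.
const (
	ResultOK             = "ok"
	ResultChainUntrusted = "the server does not trust the whole certificate chain"
	ResultRevoked        = "the user certificate has been revoked"
	ResultCRLUnavailable = "the user certificate CRL is not available"
)

// validateClientCert (hypothetical) models the server-side check: chain first, then a fail-closed CRL lookup; nil crlDER means "could not be fetched".
func validateClientCert(cert *x509.Certificate, roots *x509.CertPool, crlDER []byte, now time.Time) string {
	chains, err := cert.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	if err != nil || len(chains[0]) < 2 {
		return ResultChainUntrusted
	}
	if crlDER == nil {
		return ResultCRLUnavailable
	}
	crl, err := x509.ParseRevocationList(crlDER)
	// A usable CRL is signed by the certificate's own issuer (chains[0][1]) and still current; anything else is treated like a missing CRL.
	if err != nil || crl.CheckSignatureFrom(chains[0][1]) != nil || now.After(crl.NextUpdate) {
		return ResultCRLUnavailable
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return ResultRevoked
		}
	}
	return ResultOK
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// buildPKI creates a throwaway CA and one client certificate; every value is constructed for this example.
func buildPKI(now time.Time) (ca *x509.Certificate, caKey *ecdsa.PrivateKey, client *x509.Certificate) {
	caKey = must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Constructed Test CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(7 * 24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		SubjectKeyId: []byte{1, 2, 3, 4}, // CreateRevocationList requires the issuer to carry one
	}
	ca = must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey))))
	clientKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	clientTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1000), Subject: pkix.Name{CommonName: "alice (constructed user)"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(7 * 24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	client = must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, clientTmpl, ca, &clientKey.PublicKey, caKey))))
	return ca, caKey, client
}

// issueCRL signs a CRL, valid for one day from now, listing the given serials as revoked.
func issueCRL(ca *x509.Certificate, caKey *ecdsa.PrivateKey, now time.Time, revoked ...*big.Int) []byte {
	tmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: now.Add(-time.Hour), NextUpdate: now.Add(24 * time.Hour)}
	for _, s := range revoked {
		tmpl.RevokedCertificates = append(tmpl.RevokedCertificates, pkix.RevokedCertificate{SerialNumber: s, RevocationTime: now})
	}
	return must(x509.CreateRevocationList(rand.Reader, tmpl, ca, caKey))
}

func scenarios() map[string]string {
	now := time.Now()
	ca, caKey, client := buildPKI(now)
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	clean, revoking := issueCRL(ca, caKey, now), issueCRL(ca, caKey, now, client.SerialNumber)
	return map[string]string{
		"valid, CRL clean": validateClientCert(client, roots, clean, now),
		"revoked":          validateClientCert(client, roots, revoking, now),
		"CRL unreachable":  validateClientCert(client, roots, nil, now),
		"CRL stale":        validateClientCert(client, roots, clean, now.Add(48*time.Hour)),
		"untrusted chain":  validateClientCert(client, x509.NewCertPool(), clean, now),
	}
}

func main() {
	for name, result := range scenarios() {
		fmt.Printf("%-17s -> %s\n", name, result)
	}
}
```

Run it with go run; each line names a scenario and the outcome it maps to. The "CRL stale" case is the one worth noticing operationally: a certificate that is still within its validity period is rejected once the CRL's nextUpdate has passed, which is exactly the situation that produces the "CRL is not available" reason when a CRL distribution point stops being refreshed.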