To revoke the certificate and add it to the CRL:

1. Create a directory for the CRL:
   mkdir /etc/<CRL_directory>
2. Switch to the created directory:
   cd /etc/<CRL_directory>
3. Create the index file for the CRL:
   touch index.txt
4. Create a temporary CRL number file:
   echo 00 > pulp_crl_number
5. Edit the file openssl.cnf present in the directory /etc/ssl/ (on SLES) or /etc/pki/tls/ (on RHEL) so that the database and crlnumber entries point to the files created above:
   database = /etc/<CRL_directory>/index.txt
   crlnumber = /etc/<CRL_directory>/pulp_crl_number
   NOTE: If the file path is not known, execute the command openssl version -a | grep OPENSSLDIR to find the directory containing the openssl.cnf file.
   (Optional) You can create your own config file with the required configuration for the CRL instead of editing openssl.cnf.
6. Convert the certificate to be revoked into crt format:
   openssl pkcs12 -in <certificate in p12 format> -clcerts -nokeys -out <certificate_name.crt>
7. Revoke the certificate:
   openssl ca -revoke <certificate_name.crt> -keyfile <private_key> -cert <X.509 certificate>
8. Generate the CRL file for the revoked certificate:
   openssl ca -gencrl -keyfile <private_key> -cert <X.509 certificate> -out /etc/<CRL_directory>/crl.pem
9. Add the new CRL, which lists the revoked certificate, to the existing Sentinel CRL file:
   a. Run the following command:
      cat <sentinel_installation_path>/etc/opt/novell/sentinel/config/<Sentinel CRL File Name> /etc/<CRL_directory>/crl.pem > temp.pem
   b. Run the following command:
      mv temp.pem <sentinel_installation_path>/etc/opt/novell/sentinel/config/<Sentinel CRL File Name>
   The <Sentinel CRL File Name> is the value of the sentinel.webserver.crlfile property in <sentinel_installation_path>/etc/opt/novell/sentinel/config/configuration.properties.
10. (Conditional) If more than one certificate is to be revoked, repeat Step 6 to Step 9 for each certificate.
11. Restart the Sentinel server.
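The procedure above, run end to end as an added example that is not part of the Sentinel documentation: it builds a throwaway CA and one issued certificate in a scratch directory, then performs steps 1 to 9 against them (using a private config file, the optional variant of step 5, rather than editing the system openssl.cnf) and finishes with the checks an operator would want before restarting the server. Every path and file name in it (WORK, crl.cnf, ca.key, ca.crt, client.p12, sentinel_crl.pem, the pass:demo export password) is an assumption made for the demo; Sentinel's real CRL file is the one named by the sentinel.webserver.crlfile property.

```shell
#!/bin/sh
# Added example (not from the Sentinel documentation): the CRL procedure run
# against a throwaway CA in a scratch directory, so nothing under /etc or the
# Sentinel install is touched. All paths and names below are demo assumptions.
set -eu

WORK="${WORK:-$(mktemp -d)}"
CRL_DIR="$WORK/crl"                    # stands in for /etc/<CRL_directory>
SENTINEL_CRL="$WORK/sentinel_crl.pem"  # stands in for <Sentinel CRL File Name>
CA_KEY="$WORK/ca.key"                  # <private_key>
CA_CRT="$WORK/ca.crt"                  # <X.509 certificate>

# Throwaway CA plus one issued certificate exported as PKCS#12, i.e. the
# "<certificate in p12 format>" the procedure starts from (constructed input).
make_demo_ca() {
    mkdir -p "$CRL_DIR"
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Demo CA" \
        -keyout "$CA_KEY" -out "$CA_CRT" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=client1" \
        -keyout "$WORK/client.key" -out "$WORK/client.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/client.csr" -CA "$CA_CRT" -CAkey "$CA_KEY" \
        -CAcreateserial -days 30 -out "$WORK/client.crt" 2>/dev/null
    openssl pkcs12 -export -in "$WORK/client.crt" -inkey "$WORK/client.key" \
        -out "$WORK/client.p12" -passout pass:demo
}

# Steps 1-5: CRL directory, empty index, starting CRL number, and a private
# config file (the optional variant of step 5) instead of editing the system
# openssl.cnf. The database/crlnumber lines are the ones the procedure sets.
prepare_crl_dir() {
    : > "$CRL_DIR/index.txt"
    echo 00 > "$CRL_DIR/pulp_crl_number"
    cat > "$CRL_DIR/crl.cnf" <<EOF
[ ca ]
default_ca       = demo_ca

[ demo_ca ]
database         = $CRL_DIR/index.txt
crlnumber        = $CRL_DIR/pulp_crl_number
default_md       = sha256
default_crl_days = 30
EOF
    # An "existing" Sentinel CRL to merge into: issued before any revocation,
    # so it lists no certificates.
    openssl ca -config "$CRL_DIR/crl.cnf" -gencrl -keyfile "$CA_KEY" \
        -cert "$CA_CRT" -out "$SENTINEL_CRL" 2>/dev/null
}

# Steps 6-9 for one certificate, in the order the procedure lists them.
revoke_and_publish() {
    p12="$1"
    # Step 6: pull the certificate (no key) out of the PKCS#12 bundle
    openssl pkcs12 -in "$p12" -clcerts -nokeys -passin pass:demo \
        -out "$WORK/revoke_me.crt"
    # Step 7: record the revocation in index.txt
    openssl ca -config "$CRL_DIR/crl.cnf" -revoke "$WORK/revoke_me.crt" \
        -keyfile "$CA_KEY" -cert "$CA_CRT" 2>/dev/null
    # Step 8: issue a CRL listing everything revoked in index.txt
    openssl ca -config "$CRL_DIR/crl.cnf" -gencrl -keyfile "$CA_KEY" \
        -cert "$CA_CRT" -out "$CRL_DIR/crl.pem" 2>/dev/null
    # Step 9: append the new CRL to the existing file and move it into place
    cat "$SENTINEL_CRL" "$CRL_DIR/crl.pem" > "$WORK/temp.pem"
    mv "$WORK/temp.pem" "$SENTINEL_CRL"
}

# Checks worth running before restarting the server.
count_crls()        { grep -c -- '-----BEGIN X509 CRL-----' "$1"; }
crl_revoked_count() { openssl crl -in "$1" -noout -text | grep -c 'Serial Number:'; }
cert_is_revoked() {
    # openssl verify fails for many reasons; match the specific "certificate
    # revoked" error so a broken chain is not mistaken for a revocation.
    openssl verify -crl_check -CAfile "$CA_CRT" -CRLfile "$CRL_DIR/crl.pem" "$1" 2>&1 \
        | grep -q 'certificate revoked'
}

run_revocation_demo() {
    make_demo_ca
    prepare_crl_dir
    revoke_and_publish "$WORK/client.p12"
}

run_revocation_demo
echo "CRLs in merged file: $(count_crls "$SENTINEL_CRL")"
echo "entries in new CRL:  $(crl_revoked_count "$CRL_DIR/crl.pem")"
if cert_is_revoked "$WORK/client.crt"; then
    echo "client.crt: revoked"
else
    echo "client.crt: NOT revoked"
fi
```

After step 9 the Sentinel CRL file holds two PEM CRL blocks (the earlier one and the newly generated one), which is what the cat/mv sequence produces; the freshly generated crl.pem is the one to verify against, and `openssl verify -crl_check -CRLfile` is the direct way to confirm the revoked serial is honoured before the server is restarted.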