Configuring Certificate Revocation Lists (CRLs)
Certificate Revocation List Handling in OpenLDAP
X.509 certificates for SSL/TLS are issued with a limited lifespan. There are circumstances where certificates must be invalidated/revoked before their expiration date. Reasons for certificate revocation include:
- The certificate's private key has been compromised
- The affiliation of the certificate to an entity has changed
- The certificate has been superseded by another certificate
- The operation that the certificate supported has ceased (business closed, service terminated, server decommissioned, etc.)
- The subject of the certificate has had its privileges withdrawn
Certificates may also be revoked for unspecified reasons.
When a certificate is revoked, information about it is added to the CA's CRL. Commercial CAs such as VeriSign, DigiCert and Let's Encrypt publish new CRLs at regular intervals, often every 24 hours (check with your CA for its publication schedule and instructions for obtaining the CRL). Updating a CRL file in OpenLDAP is not an automated process, although it can be scripted. It is up to the LDAP server administrator to obtain and apply new CRLs.
When CRLs are enforced, any LDAP client trying to connect with the LDAP server using SSL/TLS will have the certificate checked against the CRL. If the certificate is revoked, the client connection is refused.
To work with these lists and deny connections using revoked certificates, slapd requires additional TLS configuration.
CRL Settings for slapd
Note: These settings are SSL/TLS implementation-specific (OpenSSL or GnuTLS). Symas OpenLDAP is built with OpenSSL so any GnuTLS related settings are ignored.
If slapd is using static configuration (slapd.conf), all TLS* settings must be located before any backend definitions (config, mdb, etc.) are declared. If slapd is using dynamic configuration (cn=config), the olcTLS* settings must be located in the root cn=config entry.
TLSCACertificatePath/olcTLSCACertificatePath <path>
Specifies the path of a directory that contains Certificate Authority certificates and Certificate Revocation Lists in separate individual files.
TLSCRLCheck/olcTLSCRLCheck <level>
Specifies whether the Certificate Revocation List (CRL) of the CA should be used to verify that client certificates have not been revoked. This requires the TLSCACertificatePath/olcTLSCACertificatePath parameter to be set. The <level> can be specified as one of the following keywords:
- none - No CRL checks are performed
- peer - Check the CRL of the peer certificate
- all - Check the CRL for the whole certificate chain
This directive is ignored with GnuTLS.
TLSCRLFile/olcTLSCRLFile <path>
Specifies a file containing a Certificate Revocation List to be used for verifying that certificates have not been revoked.
This directive is only valid when using GnuTLS.
Using CRL Files
To load or update a CRL:
- Place the new CRL file in the directory designated in the TLSCACertificatePath setting for slapd. When copying, ensure the new CRL file has a new, unique name. Overwriting an existing CRL file in this directory will prevent the new CRL from taking effect.
- Use the “c_rehash” command (packaged with Symas OpenLDAP and most Linux distributions) with the directory designated in the TLSCACertificatePath setting for slapd. This creates a symbolic link to the new CRL file that slapd can read. Example:
/opt/symas/bin/c_rehash /opt/symas/ssl/demoCA
Adding or updating CRL files does not require a restart of slapd.
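As an added worked example of the two steps above (this script is not part of the Symas documentation), the POSIX shell functions below stage a CRL under a unique name in the TLSCACertificatePath directory, refuse to overwrite an existing file, run c_rehash, and then check that a hash link in the directory now resolves to the new CRL. The default paths /opt/symas/ssl/demoCA and /opt/symas/bin/c_rehash are the ones shown on this page; the function names and the label-plus-timestamp naming scheme are assumptions of the example.

```shell
#!/bin/sh
# Added example: install a fresh CRL into slapd's TLSCACertificatePath directory.
# Defaults are assumptions for illustration; override them via the environment.
CA_PATH="${CA_PATH:-/opt/symas/ssl/demoCA}"       # TLSCACertificatePath directory
C_REHASH="${C_REHASH:-/opt/symas/bin/c_rehash}"  # c_rehash shipped with Symas OpenLDAP

# Derive a unique file name, <label>-<timestamp>.crl, so a new CRL never
# overwrites the previous one (overwriting stops slapd from picking up the new list).
unique_crl_name() {
    # $1 = label for the issuing CA, $2 = timestamp (e.g. date -u +%Y%m%dT%H%M%SZ)
    printf '%s-%s.crl\n' "$1" "$2"
}

# Copy the CRL into the CA directory under a unique name. Refuses to clobber an
# existing file and prints the destination path on success.
stage_crl() {
    src="$1"; label="$2"; stamp="$3"; dir="${4:-$CA_PATH}"
    dest="$dir/$(unique_crl_name "$label" "$stamp")"
    [ -f "$src" ] || { echo "stage_crl: no such CRL $src" >&2; return 1; }
    [ ! -e "$dest" ] || { echo "stage_crl: $dest exists, refusing to overwrite" >&2; return 1; }
    cp "$src" "$dest" && chmod 0644 "$dest" && printf '%s\n' "$dest"
}

# Rebuild the hash symlinks and confirm the new CRL is reachable through its
# issuer-hash link (<hash>.r0, <hash>.r1, ...), which is the name OpenSSL looks up.
rehash_and_verify() {
    crl="$1"; dir="${2:-$CA_PATH}"
    "$C_REHASH" "$dir" >/dev/null || return 1
    hash="$(openssl crl -hash -noout -in "$crl")" || return 1
    for link in "$dir/$hash".r*; do
        [ "$(readlink -f "$link")" = "$(readlink -f "$crl")" ] && return 0
    done
    echo "rehash_and_verify: no hash link in $dir points at $crl" >&2
    return 1
}

# Usage: ./install-crl.sh install /path/to/new.crl [label]
if [ "${1:-}" = "install" ] && [ -n "${2:-}" ]; then
    dest="$(stage_crl "$2" "${3:-ca}" "$(date -u +%Y%m%dT%H%M%SZ)")" && rehash_and_verify "$dest"
fi
```

slapd reads the directory at connection time, so once rehash_and_verify succeeds no restart is needed, as the note above states.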