Revoking an SSL Certificate

Describes how to revoke a Sybase SSL certificate. In some situations, specific SSL certificates may need to be revoked for security or administrative reasons.

To revoke a Sybase CEP SSL certificate:

  1. Obtain a Certificate Revocation List (CRL).

    If the SSL certificate installed was provided by a third-party vendor, contact the vendor for instructions on obtaining the CRL. If the SSL certificate was not provided by a third-party vendor and you installed it yourself, then generate the CRL yourself, using a CRL tool such as crlutil from Mozilla.

  2. If your SSL client or server authentication is turned on, create a preferences.xml file in one of the following locations:
    • The Sybase CEP Server bin directory.

    • The default SybaseC8Repository directory. On Microsoft Windows, this directory is:

      C:\Documents And Settings\user-name\My Documents\SybaseC8Repository\version

      On UNIX-like operating systems, this directory is:

      $HOME/SybaseC8Repository/version

    • The current working directory.

  3. The preferences.xml file requires instructions to enable the c8_client utility to search the appropriate repository for the CA certificate (in the case of SSL server authentication) or the Client Certificate (in the case of SSL client authentication).

    Enter the following lines in this file:

    <preferences xmlns="http://schema.sybase.com/preference/2004/05">
      <preference name="SybaseC8/General/NSSFolder"
         value="certificate-database-directory"/>
      <preference name="SybaseC8/Security/SSL/ServerAuthenticate"
         value="true-or-false"/>
      <!--<preference name="SybaseC8/Security/SSL/ServerCertificate"
         value="SSL-certificate-name"/> -->
      <!--<preference name="SybaseC8/Security/SSL/ClientCertificate"
         value="SSL-certificate-name"/> -->
    </preferences>

    where:

    • certificate-database-directory is the directory where the certificate database resides.

    • true-or-false is true if you want the client to perform server authentication against the server. Otherwise, set this value to false.

    • SSL-certificate-name is the nickname of the CA Certificate (in the case of SSL server authentication) or the Client Certificate (in the case of SSL client authentication). Enter the certificate name in the "SybaseC8/Security/SSL/ServerCertificate" or "SybaseC8/Security/SSL/ClientCertificate" preference, as appropriate, and remove the comment markers (<!-- and -->) around the preference where the nickname was entered.

  4. Use the c8_client command line utility to import the CRL.

    This utility is located in the Sybase CEP Server bin directory. To import the CRL, make sure that Sybase CEP Server is running and give the following command:

    c8_client --cmd=importCRL --server-uri=https://hostname:port/Server --crl-file=crl-file-path-and-name

    If the command cannot locate the CRL file in your current working directory, then crl-file-path-and-name should specify the full path and name of the file. Otherwise, you may simply specify the file name.
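
A pre-flight check for the preferences.xml file described in step 3, run before importing the CRL in step 4. This is an added example, not part of the Sybase CEP distribution or documentation; check_preferences, the sample file and the nickname example-ca are hypothetical, and the only rules it enforces are the ones stated in step 3.

```python
import xml.etree.ElementTree as ET

NS = "{http://schema.sybase.com/preference/2004/05}"
SSL = "SybaseC8/Security/SSL/"
PLACEHOLDERS = {"certificate-database-directory", "true-or-false", "SSL-certificate-name"}
CERT_KEY = {"server": SSL + "ServerCertificate", "client": SSL + "ClientCertificate"}

# Constructed sample: values filled in, but the certificate preference left commented out.
SAMPLE = """<preferences xmlns="http://schema.sybase.com/preference/2004/05">
  <preference name="SybaseC8/General/NSSFolder" value="/opt/certdb"/>
  <preference name="SybaseC8/Security/SSL/ServerAuthenticate" value="true"/>
  <!--<preference name="SybaseC8/Security/SSL/ServerCertificate" value="example-ca"/> -->
</preferences>"""

def check_preferences(xml_text, mode):
    """Return a list of problems; mode is 'server' or 'client' authentication."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    if root.tag != NS + "preferences":
        return ["root element is not <preferences> in the Sybase preference namespace"]
    # Commented-out preferences are XML comments, so they do not appear in this map.
    prefs = {p.get("name"): (p.get("value") or "").strip()
             for p in root.iter(NS + "preference")}
    problems = []
    for name, value in prefs.items():
        if value in PLACEHOLDERS:
            problems.append(f"{name}: template placeholder '{value}' not replaced")
    if not prefs.get("SybaseC8/General/NSSFolder"):
        problems.append("SybaseC8/General/NSSFolder: certificate database directory not set")
    auth = prefs.get(SSL + "ServerAuthenticate")
    if auth not in ("true", "false"):
        problems.append(SSL + "ServerAuthenticate: must be true or false")
    elif mode == "server" and auth == "false":
        problems.append(SSL + "ServerAuthenticate: false, so the server is not authenticated")
    key = CERT_KEY[mode]
    if key not in prefs:
        # Distinguish a forgotten comment marker from a preference that was never added.
        state = "still commented out" if key in xml_text else "missing"
        problems.append(f"{key}: {state}")
    elif not prefs[key]:
        problems.append(f"{key}: certificate nickname is empty")
    return problems

if __name__ == "__main__":
    for problem in check_preferences(SAMPLE, "server"):
        print(problem)
```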