You need to revoke the certificate and create a new one.
The new certificate shall have the same expiry date as the certificate that was withdrawn.
Revoking access privileges and revoking a certificate are functionally equivalent; removing the certificate from the trust store accomplishes both tasks.
On the other hand, the use of CA-issued certificates requires separate mechanisms for the tasks of revoking certificates and revoking privileges.
Edit: just noticed that "revoke and delete" doesn't truly delete the end entity, as, if they are remade, the old revoked certificates are still there.
With a trust store consisting of a single trusted CA and nothing more, the CRL approaches an equivalent per-DN revocation capability in which revocation of the certificate effectively revokes access.
The requirement is to universally revoke access for that specific certificate, but not necessarily for the DN associated with it.
In most clusters with a mix of platforms, the choices are to use self-signed certificates, write a CHAD exit, or live without the ability to revoke access per distinguished name.
However, these certificates belong to clients whose right to connect has been revoked.
If access is based entirely on self-signed certificates, deleting the public key of a certificate from the trust store revokes its access.
Browsers and other security applications using digital certificates can verify that the certificate has not been revoked by either the owner or the CA.
Finally, get familiar with certificate revocation lists and the process for updating them.
The one thing that can help, the certificate revocation list, is also external to the queue manager.
That DN is still perfectly viable in every context, including the CA that revoked it; it is only the DN and fingerprint together (this one certificate) that is invalid.
The use of a certificate revocation list is mandatory when using CA-issued certificates.
Certificates are handled with the CRL, and privileges are granted or revoked by mechanisms that operate on the distinguished name.
Revocation in this case must be based on the cryptographic fingerprint of the certificate, and the mechanism that provides this functionality is a certificate revocation list (CRL).
Revoking access requires deleting a certificate.
The server's certificate might optionally be checked against a certificate revocation list.
The more interesting case for revoking privileges is the SVRCONN or CLUSRCVR channel that must match many certificates when at least one CA is trusted.
Establish a strategy in advance for revoking access by distinguished name as well as by individual certificate.
Also, it is customary to revoke a certificate only in the case that it is compromised and not simply as a means to revoke privileges.
A certificate revocation list is checked to ensure that the certificate has not been revoked.
The last file, root.crl, is optional and is used to revoke server certificates.
Such certificates are published to a Certificate Revocation List, against which both the sender and receiver can choose to check the received certificates.
It is not listed in a certificate revocation list (CRL), which ensures that past subscribers (in other words, those that are no longer customers but were at some time in the past) are denied service.
crl (certificate revocation list, optional).
The choice should really be made based on the desired security policy and whether the enterprise is prepared to set up and maintain a certificate revocation list.
If a channel start is attempted using a revoked certificate credential, the check of the local CRL copy will generate a hit and the connection will be refused.
You have seen that revoking privileges blocks a certificate on one resource while allowing it on another.