000014841 - How to retrieve the CRL from RSA Certificate Manager via ldapsearch

Document created by RSA Customer Support Employee on Jan 30, 2017Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 2Show Document
  • View in full screen mode

Article Content

Article Number000014841
Applies ToRSA Product Set: RSA Certificate Manager (RCM)
RSA Version/Condition: 6.8
Platform: Microsoft Windows Server 2003 SP2
Platform (Other): Certificate Revocation List (CRL)
IssueNeed to pull automatically generated CRLs (Certificate Revocation Lists) from RSA Certificate Manager (RCM) on regular basis.
CRL timers are configured on RCM to automatically generate CRLs for the selected CAs.
ResolutionFollow the steps listed below to create a Windows batch file and then use Windows Scheduled Tasks to pull CRL on regular intervals:
  1. Create a batch file, say pullCRL.bat, on Windows with the following contents:
    @echo OFF
    REM C:\CRL folder will contain the CRL retrieved from RCM
    set TEMP=C:\crl
    REM Assuming ldapsearch tool is available under C:\ldapsearch folder
    cd c:\ldapsearch
    REM Assuming RCM is installed on rcmhost.domain.net and RCM Secure Directory Server LDAP port is 389
    REM Assuming that the CRL being pulled is for CA with md5=<CA-MD5> (replace <CA-MD5> with actual md5)
    ldapsearch -h rcmhost.domain.net -p 389 -1 -T -t -b \ "(&(objectclass=xuda_rl)(md5=<CA-MD5>))" revocationlist
    cd c:\crl
    REM Lets wait for 2 seconds:
    choice /t 2 /d y
    REM Replace name of the file from 'CAnickname.crl' to a filename with actual nickname of the CA and with file extension .crl
    if exist ldapsearch-revocationlist* del CAnickname.crl
    REM Add CRL header to the CRL file being created:
    echo -----BEGIN X509 CRL----->>CAnickname.crl
    REM Now push the PEM encoded CRL content to the new CRL file:
    type ldapsearch-revocationlist* >>CAnickname.crl
    REM If the last line in the new CRL file is not empty, need to add an empty line:
    echo. >>CAnickname.crl
    REM Add CRL footer to the CRL file:
    echo -----END X509 CRL----->>CAnickname.crl
    REM Now we can delete the ldapsearch result file
    del ldapsearch-revocationlist*

  2. Create a Windows Scheduled Task to run the above batch file (to retrieve CRL) on regular basis.
    Start => All Programs => Accessories => System Tools => Scheduled Tasks => follow prompts to select pullCRL.bat as the program and your preferred schedule.
Legacy Article IDa49110