Novell LINUX ENTERPRISE SERVER 10 - INSTALLATION AND ADMINISTRATION 11-05-2007 Installation Manual page 831

42.2.5 Creating CRLs
If compromised or otherwise unwanted certificates should be excluded from further
use, they must first be revoked. The procedure for this is explained in
Section 42.2.2, "Creating or Revoking a Sub-CA" (page 808) (for sub-CAs) and
Section 42.2.3, "Creating or Revoking User Certificates" (page 809) (for user
certificates). After this, a CRL must be created and published with this information.
The system maintains only one CRL for each CA. To create or update this CRL, do the
following:
1 Start YaST and open the CA module.
2 Enter the required CA, as described in Section 42.2.2, "Creating or Revoking a
Sub-CA" (page 808).
3 Click CRL. The dialog that opens displays a summary of the last CRL of this
CA.
4 Create a new CRL with Generate CRL if you have revoked new sub-CAs or
certificates since its creation.
5 Specify the period of validity for the new CRL (default: 30 days).
6 Click OK to create and display the CRL. Afterward, you must publish this CRL.
TIP
Applications that evaluate CRLs reject every certificate if the CRL is not available
or has expired. As a PKI provider, it is your duty always to create and publish a new
CRL before the current CRL expires (period of validity). YaST does not provide
a function for automating this procedure.
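Because regeneration is not automated, a scheduled check on the published CRL can raise an alert before its period of validity runs out. The script below is an added example, not part of the manual or of YaST: it assumes the openssl command-line tool is installed and the published CRL is available as a local file, and the 7-day warning window, the exit codes and the script name crl_check.py are choices made for this example.

```python
"""Cron-friendly check: warn before a published CRL reaches nextUpdate."""
import subprocess
import sys
from datetime import datetime, timedelta, timezone

# Format printed by `openssl crl -noout -nextupdate`, for example
# "nextUpdate=Jun  3 12:00:00 2030 GMT" (single-digit days are space-padded).
OPENSSL_TIME = "%b %d %H:%M:%S %Y GMT"


def parse_next_update(openssl_line):
    """Return the CRL's nextUpdate as a timezone-aware UTC datetime."""
    key, _, value = openssl_line.strip().partition("=")
    if key != "nextUpdate" or value in ("", "NONE"):
        # Without nextUpdate there is no validity period to monitor.
        raise ValueError("no usable nextUpdate in %r" % openssl_line)
    return datetime.strptime(value, OPENSSL_TIME).replace(tzinfo=timezone.utc)


def crl_status(next_update, now, warn_days=7):
    """Classify the CRL as EXPIRED, RENEW (inside warning window) or OK."""
    remaining = next_update - now
    if remaining <= timedelta(0):
        return "EXPIRED", remaining
    if remaining <= timedelta(days=warn_days):
        return "RENEW", remaining
    return "OK", remaining


def read_next_update(crl_path, inform="PEM"):
    """Ask the openssl CLI for the nextUpdate field of the CRL file."""
    cmd = ["openssl", "crl", "-in", crl_path, "-inform", inform, "-noout", "-nextupdate"]
    out = subprocess.run(cmd, check=True, capture_output=True, text=True)
    return parse_next_update(out.stdout)


def main(argv):
    if len(argv) < 2:
        print("usage: crl_check.py CRL_FILE [WARN_DAYS]", file=sys.stderr)
        return 3
    warn_days = int(argv[2]) if len(argv) > 2 else 7
    state, left = crl_status(read_next_update(argv[1]),
                             datetime.now(timezone.utc), warn_days)
    print("%s: %s, %.1f days to nextUpdate" % (state, argv[1], left.total_seconds() / 86400))
    return {"OK": 0, "RENEW": 1, "EXPIRED": 2}[state]


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it from cron against the CRL file that clients actually download, so the check also catches a CRL that was generated in YaST but never published.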
42.2.6 Exporting CA Objects to LDAP
The executing computer should be configured with the YaST LDAP client for LDAP
export. This provides LDAP server information at runtime that can be used when
completing dialog fields. Otherwise, although export may be possible, all LDAP data
