Novell LINUX ENTERPRISE SERVER 10 SP2 - INSTALLATION AND ADMINISTRATION Installation Manual page 828

Field
Extensions
42.1.3 Blocking X.509 Certificates
If a certificate becomes untrustworthy before it has expired, it must be blocked imme-
diately. This can be needed if, for example, the private key has accidentally been made
public. Blocking certificates is especially important if the private key belongs to a CA
rather than a user certificate. In this case, all user certificates issued by the relevant CA
must be blocked immediately. If a certificate is blocked, the PKI (the responsible CA)
must make this information available to all those involved using a certificate revocation
list (CRL).
These lists are supplied by the CA to public CRL distribution points (CDPs) at regular
intervals. The CDP can optionally be named as an extension in the certificate, so a
checker can fetch a current CRL for validation purposes. One way to do this is the online
certificate status protocol (OCSP). The authenticity of the CRLs is ensured with the
signature of the issuing CA. Table 42.2, "X.509 Certificate Revocation List (CRL)"
(page 810) shows the basic parts of a X.509 CRL.
Table 42.2
Field
Version
Signature
Issuer
This Update
Next Update
810 Installation and Administration
Content
Optional additional information, such as "KeyUsage"
or "BasicConstraints"
X.509 Certificate Revocation List (CRL)
Content
The version of the CRL, such as v2
The ID of the algorithm used to sign the CRL
Unique name (DN) of the publisher of the CRL (usually
the issuing CA)
Time of publication (date, time) of this CRL
Time of publication (date, time) of the next CRL