Novell LINUX ENTERPRISE SERVER 10 SP2 - INSTALLATION AND ADMINISTRATION Installation Manual page 829


| Field | Content |
| --- | --- |
| List of revoked certificates | Every entry contains the serial number of the certificate, the time of revocation, and optional extensions (CRL entry extensions) |
| Extensions | Optional CRL extensions |

42.1.4 Repository for Certificates and CRLs

The certificates and CRLs for a CA must be made publicly accessible using a repository. Because the signature protects the certificates and CRLs from being forged, the repository itself does not need to be secured in a special way. Instead, it tries to grant the simplest and fastest access possible. For this reason, certificates are often provided on an LDAP or HTTP server. Find explanations about LDAP in Chapter 36, LDAP—A Directory Service (page 667). Chapter 40, The Apache HTTP Server (page 745) contains information about the HTTP server.

42.1.5 Proprietary PKI

YaST contains modules for the basic management of X.509 certificates. This mainly involves the creation of CAs, sub-CAs, and their certificates. The services of a PKI go far beyond simply creating and distributing certificates and CRLs. The operation of a PKI requires a well-conceived administrative infrastructure allowing continuous update of certificates and CRLs. This infrastructure is provided by commercial PKI products and can also be partly automated. YaST provides tools for creating and distributing CAs and certificates, but cannot currently offer this background infrastructure. To set up a small PKI, you can use the available YaST modules. However, you should use commercial products to set up an "official" or commercial PKI.
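The statement in Section 42.1.4 that the repository needs no special protection holds only when the client verifies each downloaded object against a CA certificate it already holds. The following shell script is an added example, not part of the manual: it builds two constructed demo CAs with the same subject name, treats one as trusted, and shows that a CRL substituted from the other is rejected. The function names, file names and the "Demo CA" subject are assumptions, and the openssl command-line tool must be installed.

```shell
#!/bin/sh
# Added example: both CAs and their CRLs are constructed demo data.
# Function names, file names and the "Demo CA" subject are hypothetical.

# Succeed only if the CRL in $2 carries a valid signature from the CA
# certificate in $1. Matches openssl's "verify OK" message instead of
# relying on the exit status alone.
crl_is_authentic() {
    openssl crl -in "$2" -CAfile "$1" -noout 2>&1 | grep -q 'verify OK'
}

# Create a self-signed CA in directory $1 and let it issue an empty CRL.
make_ca_with_crl() {
    mkdir -p "$1" && : > "$1/index.txt" &&
    cat > "$1/ca.cnf" <<EOF &&
[ req ]
distinguished_name = dn
x509_extensions = v3
[ dn ]
[ v3 ]
basicConstraints = critical,CA:TRUE
[ ca ]
default_ca = demo
[ demo ]
database = $1/index.txt
default_md = sha256
default_crl_days = 7
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Demo CA" \
        -config "$1/ca.cnf" -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null &&
    openssl ca -config "$1/ca.cnf" -gencrl -keyfile "$1/ca.key" \
        -cert "$1/ca.pem" -out "$1/crl.pem" 2>/dev/null
}

demo_dir=$(mktemp -d)
make_ca_with_crl "$demo_dir/trusted"   # CA certificate the client already holds
make_ca_with_crl "$demo_dir/rogue"     # same subject name, different key pair

# The client checks whatever the repository returns against its own CA copy.
for origin in trusted rogue; do
    if crl_is_authentic "$demo_dir/trusted/ca.pem" "$demo_dir/$origin/crl.pem"; then
        echo "CRL from $origin CA: signature valid, accept"
    else
        echo "CRL from $origin CA: signature check failed, reject"
    fi
done
```

A valid signature proves origin, not freshness: also compare the CRL's nextUpdate field (`openssl crl -nextupdate -noout`) with the current time, because an unprotected repository can still serve an old, correctly signed CRL.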
Managing X.509 Certification
811


This manual is also suitable for:

Suse linux enterprise server 10 sp3
