42.2.5 Creating CRLs
If compromised or otherwise unwanted certificates are to be excluded from further use, they must first be revoked. The procedure for this is explained in Section 42.2.2, "Creating or Revoking a Sub-CA" (page 814) (for sub-CAs) and Section 42.2.3, "Creating or Revoking User Certificates" (page 815) (for user certificates). After that, a CRL containing this revocation information must be created and published.
The system maintains only one CRL for each CA. To create or update this CRL, do the following:
1 Start YaST and open the CA module.
2 Enter the required CA, as described in Section 42.2.2, "Creating or Revoking a Sub-CA" (page 814).
3 Click CRL. The dialog that opens displays a summary of the last CRL of this CA.
4 Create a new CRL with Generate CRL if you have revoked new sub-CAs or certificates since its creation.
5 Specify the period of validity for the new CRL (default: 30 days).
6 Click OK to create and display the CRL. Afterwards, you must publish this CRL.
TIP
Applications that evaluate CRLs reject every certificate if the CRL is not available or has expired. As a PKI provider, it is your responsibility to create and publish a new CRL before the current CRL expires (end of its period of validity). YaST does not provide a function for automating this procedure.
42.2.6 Exporting CA Objects to LDAP
The computer performing the export should be configured with the YaST LDAP client. This makes LDAP server information available at runtime, which can be used to complete the dialog fields. Otherwise, although the export may still be possible, all LDAP data
Managing X.509 Certification
819