CRL Issuing Points; Delta CRLs; How CRLs Work - Red Hat Certificate System 7.1 Administrator's Manual


About CRLs

CRL Issuing Points

Because CRLs can grow very large, several methods have been developed to minimize the
overhead of retrieving and delivering large CRLs. One of these methods is based on
partitioning the entire certificate space and associating a separate CRL with every partition.
This partition is called a CRL issuing point—it is the location where a subset of all the
revoked certificates is maintained. Partitioning can be based on whether the revoked
certificate is a CA certificate or an end-entity certificate. Each issuing point is identified by its
name.
Once the issuing points have been defined, they can be included in certificates so that an
application that needs to check the revocation status of a certificate can access the CRL
issuing points specified in the certificate instead of the master or main CRL—the
application would check the CRL maintained at the issuing point, which would be smaller
in size compared to the master CRL, and thus speed up the revocation-status-checking
process.
CRL distribution points can be associated with certificates by setting the
CRLDistributionPoint extension in them.
By default, the Certificate Manager only generates and publishes a single CRL, identified as
the master CRL. You can also define an issuing point for CA signing certificates, and an
issuing point that includes all revoked certificate information including expired certificates.

Delta CRLs

You can issue delta CRLs for any issuing point that has been defined. A delta CRL contains
information about any certificates revoked since the last update to the full CRL. You set up
delta CRLs for an issuing point by enabling the DeltaCRLIndicator extension.
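
The full-CRL plus delta-CRL relationship described above, as an added example written against Go's crypto/x509 package (it is not Certificate System code): a constructed test CA issues a full CRL and a delta CRL for one issuing point, the delta carrying a critical DeltaCRLIndicator (OID 2.5.29.27) whose value is the CRL number of the full CRL it extends, and a relying-party check that refuses a delta whose indicator does not name the full CRL it is being combined with. The CA, key, serial numbers and the function names NewCA, IssueCRL and IsRevoked are assumptions made for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

var oidDeltaCRLIndicator = asn1.ObjectIdentifier{2, 5, 29, 27} // id-ce-deltaCRLIndicator
// NewCA builds a throwaway self-signed CA with the cRLSign key usage (constructed test data).
func NewCA() (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Test CA"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour), IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	ca, _ := x509.ParseCertificate(der)
	return ca, key
}
// IssueCRL signs a CRL for one issuing point; base > 0 makes it a delta CRL by adding a critical DeltaCRLIndicator naming the full CRL's number.
func IssueCRL(ca *x509.Certificate, key *ecdsa.PrivateKey, number, base int64, serials ...int64) ([]byte, error) {
	tmpl := &x509.RevocationList{Number: big.NewInt(number), ThisUpdate: time.Now(), NextUpdate: time.Now().Add(time.Hour)}
	for _, s := range serials {
		tmpl.RevokedCertificates = append(tmpl.RevokedCertificates, pkix.RevokedCertificate{SerialNumber: big.NewInt(s), RevocationTime: time.Now()})
	}
	if base > 0 {
		v, _ := asn1.Marshal(big.NewInt(base)) // DER INTEGER holding the base CRL number
		tmpl.ExtraExtensions = []pkix.Extension{{Id: oidDeltaCRLIndicator, Critical: true, Value: v}}
	}
	return x509.CreateRevocationList(rand.Reader, tmpl, ca, key)
}
// IsRevoked is the relying-party side: verify both CRLs against the CA, refuse a delta whose indicator does not match the full CRL's number, then look the serial up in full plus delta.
func IsRevoked(ca *x509.Certificate, baseDER, deltaDER []byte, serial int64) (bool, error) {
	base, err := x509.ParseRevocationList(baseDER)
	if err != nil || base.CheckSignatureFrom(ca) != nil { return false, fmt.Errorf("full CRL unparseable or not signed by this CA") }
	delta, err := x509.ParseRevocationList(deltaDER)
	if err != nil || delta.CheckSignatureFrom(ca) != nil { return false, fmt.Errorf("delta CRL unparseable or not signed by this CA") }
	indicator := new(big.Int) // stays 0 when the extension is absent, so a plain CRL is refused as a delta
	for _, e := range delta.Extensions {
		if e.Id.Equal(oidDeltaCRLIndicator) { asn1.Unmarshal(e.Value, &indicator) }
	}
	if indicator.Cmp(base.Number) != 0 { return false, fmt.Errorf("delta built against CRL %v, have full CRL %v", indicator, base.Number) }
	for _, rc := range append(base.RevokedCertificates, delta.RevokedCertificates...) {
		if rc.SerialNumber.Int64() == serial { return true, nil }
	}
	return false, nil
}
```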

How CRLs Work

You set up the generation of CRLs by specifying issuing points, configuring those issuing
points, and setting up CRL extensions, if desired.
Enabling one or more issuing points enables the CRL feature; from then on the server collects
revocation information as certificates are revoked. The server attempts to match each revoked
certificate against all issuing points that are set up. A given certificate can match none of the
issuing points, one of the issuing points, several of the issuing points, or all of the issuing
points. When a revoked certificate matches an issuing point, the server stores the
information about that certificate in the cache for that issuing point.
Chapter 15, Revocation and CRLs, page 577
