Setting Up the Issuance of CRLs - Red Hat Certificate System 7.1 Administrator's Manual


The cache is copied to the internal directory at the intervals that you specify for copying the cache. When the interval for creating a CRL is reached, as specified in the configuration for that issuing point, a CRL is created from the cache. If a delta CRL has been set up for this issuing point, a delta CRL is also created at this time. The full CRL contains all revoked certificate information collected since the Certificate Manager began collecting this information. The delta CRL contains all revoked certificate information since the last update of the full CRL. The full CRL and the delta CRL have the same number, allowing clients to match them. The delta CRL also identifies the full CRL against which it records changes. For example, if the numbering were as simple as 1, 2, 3, the first CRL would be CRL 1. The second CRL would be CRL 2 and the delta would be delta CRL 2. Delta CRL 2 would reference CRL 1 as the full CRL whose updates it contains.

Note that when changes are made to the extensions for an issuing point, no delta CRL will be created along with the next full CRL that is created for that issuing point. A delta CRL will be created along with the second full CRL that is created, and with all subsequent full CRLs.

The internal database stores only the latest CRL and delta CRL. As each new CRL is created, the old one is overwritten.

When you publish CRLs, each update to the CRL and delta CRL is published to the locations specified in the publishing setup. The method of publishing determines how many CRLs are stored. For file publishing, each CRL is published to a file named using the CRL number, so no file is overwritten. For LDAP publishing, each published CRL replaces the old CRL in the attribute containing the CRL in the directory entry.

Note that by default, CRLs do not contain information about revoked certificates that have expired. You can enable the server to include revoked expired certificates by selecting that option for the issuing point. If you choose to include expired certificates, information about revoked certificates will not be removed from the CRL when the certificate expires. If you choose not to include expired certificates, information about revoked certificates will be removed from the CRL when the certificate expires.
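As an added illustration (not code from the Certificate System manual or product), the following Python model implements the numbering and expiry rules described above: the delta CRL carries the same number as the full CRL issued with it and names the previous full CRL as its base, expired entries are pruned unless the issuing point is configured to keep them, and no delta accompanies the first full CRL after an extension change. The class and field names are assumptions, and the "clock" is an integer rather than a real date.

```python
from dataclasses import dataclass
from typing import Optional
@dataclass
class Revoked:
    serial: int
    expires_at: int                      # constructed integer "clock" instead of real dates
@dataclass
class Crl:
    number: int
    entries: dict                        # serial -> Revoked
    base_number: Optional[int] = None    # set only on a delta CRL (Delta CRL Indicator)
class IssuingPoint:
    """Hypothetical model of one CRL issuing point; not Certificate System code."""
    def __init__(self, delta_enabled: bool = True, include_expired: bool = False):
        self.cache: dict = {}            # revocation cache, serial -> Revoked
        self.next_number = 1
        self.full: Optional[Crl] = None  # only the latest full CRL and delta are kept
        self.delta: Optional[Crl] = None
        self.delta_enabled = delta_enabled
        self.include_expired = include_expired
        self.skip_next_delta = False

    def revoke(self, entry: Revoked) -> None:
        self.cache[entry.serial] = entry

    def extensions_changed(self) -> None:
        # After an extension change the next full CRL is issued without a delta.
        self.skip_next_delta = True

    def issue(self, now: int) -> tuple:
        """Build a full CRL (and a delta CRL when applicable) from the cache."""
        if not self.include_expired:     # drop entries whose certificate has expired
            self.cache = {s: e for s, e in self.cache.items() if e.expires_at > now}
        previous, number = self.full, self.next_number
        self.full, self.delta = Crl(number, dict(self.cache)), None
        if self.delta_enabled and previous is not None and not self.skip_next_delta:
            # Only additions since the previous full CRL are modelled here.
            added = {s: e for s, e in self.cache.items() if s not in previous.entries}
            # Same number as the full CRL; base_number names the previous full CRL.
            self.delta = Crl(number, added, base_number=previous.number)
        self.skip_next_delta = False
        self.next_number += 1
        return self.full, self.delta

def apply_delta(base: Crl, delta: Crl) -> dict:
    """Merge a delta onto the full CRL it references; reject a mismatched pair."""
    if delta.base_number != base.number:
        raise ValueError(f"delta {delta.number} is based on CRL {delta.base_number}, not {base.number}")
    return {**base.entries, **delta.entries}
```

A relying party that merges a delta onto the wrong base gets a stale revocation set, which is why `apply_delta` refuses a pair whose numbers do not line up.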
Setting Up the Issuance of CRLs
The process of setting up the CRL feature includes the following tasks:

1. The Certificate Manager will use its CA signing key to sign CRLs. If you want to use a separate signing key pair for CRLs, you need to set up a CRL signing key and change the Certificate Manager configuration to allow it to use this key to sign CRLs. See "Getting a CRL Signing Key Pair and Certificate," on page 104 for details on setting this up.
578
Red Hat Certificate System Administrator's Guide • September 2005
