Setting CRL Extensions - Red Hat CERTIFICATE SYSTEM 7.1 - ADMINISTRATOR Administrator's Manual


Setting Up the Issuance of CRLs
Include expired certificates. Select if you want the server to include revoked
certificates that have expired in the CRL. If this is enabled, information about revoked
certificates will remain in the CRL after the certificate expires. If you do not enable this
option, information about revoked certificates is removed when the certificate expires.
CA certificates only. Select to include only CA certificates in the CRL; deselect to
include all certificates. Selecting this option will create an Authority Revocation List
(ARL) listing only revoked CA certificates.
Allow extensions. Select if you want to allow extensions in the CRL. If you enable this
option, the server generates and publishes CRLs conforming to the X.509 version 2
standard. If you disable this option, the server generates and publishes CRLs
conforming to the X.509 version 1 standard. By default, the server publishes version 1
CRLs. If you enable this option, be sure to set the required CRL extensions as
described in "Setting CRL Extensions" on page 582.
Note: Extensions must be turned on in order to create delta CRLs.
Revocation list signing algorithm. Select the algorithm the server should use to sign
the CRL. If the Certificate Manager's signing key type is RSA, select MD2 with RSA,
MD5 with RSA, or SHA-1 with RSA. If the Certificate Manager's signing key type is
DSA, select SHA-1 with DSA.
4. To save your changes, click Save.
5. If you selected Allow extensions for this issuing point, you need to configure the
extensions for this issuing point. See "Setting CRL Extensions," on page 582 for
details.

Setting CRL Extensions

Complete this step only if you configured the Certificate Manager to create version 2 CRLs
in the previous step, that is, if you selected the "Allow extensions" option when you
configured CRLs for each issuing point.
During installation, the Certificate Manager creates default CRL extension rules. Note that
the server is configured to add the CRL Reason extension only; all the other rules are in the
disabled state. In this step, you modify the default rules to suit your organization's
requirements.
To specify the CRL extensions:
1. In the navigation tree, select Certificate Manager, and then select CRL Issuing Points.
Next, select the issuing point in which you want to set extensions and click the plus
sign. Next, select the CRL Extension entry below the issuing point.
582
Red Hat Certificate System Administrator's Guide • September 2005
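
The following is an added example, not part of the Red Hat manual or of Certificate System: a standard-library Python check that reads a published DER-encoded CRL and reports what the "Allow extensions" and "Revocation list signing algorithm" settings produced (version 1 or 2, the signing algorithm, and the CRL-level extensions, including whether it is a delta CRL). The function names, the issuer "Example CA" and the sample CRLs are assumptions constructed for illustration; the sample signature bits are dummy values and the code does not verify signatures.

```python
SIG_ALGS = {  # signatureAlgorithm OID (DER bytes, hex) -> name used in the manual
    "2a864886f70d010102": "MD2 with RSA", "2a864886f70d010104": "MD5 with RSA",
    "2a864886f70d010105": "SHA-1 with RSA", "2a8648ce380403": "SHA-1 with DSA"}
DELTA_CRL_INDICATOR = "551d1b"  # OID 2.5.29.27, only legal in a version 2 CRL

def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the DER element starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def children(value):
    pos, out = 0, []  # split a constructed element's contents into (tag, value)
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out

def inspect_crl(der):
    """Report version, signing algorithm and CRL-level extensions of a DER CRL."""
    tbs = children(children(read_tlv(der)[1])[0][1])  # CertificateList -> TBSCertList
    has_version = tbs[0][0] == 0x02  # the version INTEGER is absent in a v1 CRL
    alg_oid = children(tbs[1 if has_version else 0][1])[0][1].hex()
    exts = [v for t, v in tbs if t == 0xA0]  # crlExtensions, tagged [0] EXPLICIT
    seq = children(children(exts[0])[0][1]) if exts else []
    ext_oids = [children(e)[0][1].hex() for _, e in seq]
    return {"version": tbs[0][1][-1] + 1 if has_version else 1,
            "algorithm": SIG_ALGS.get(alg_oid, "OID " + alg_oid),
            "extensions": ext_oids, "delta": DELTA_CRL_INDICATOR in ext_oids}

def tlv(tag, body):  # minimal encoder, used only to build the constructed samples
    assert len(body) < 128
    return bytes([tag, len(body)]) + body

def sample_crl(alg_hex, v2):  # constructed sample: hypothetical issuer, dummy signature
    alg = tlv(0x30, tlv(0x06, bytes.fromhex(alg_hex)) + tlv(0x05, b""))
    name = tlv(0x30, tlv(0x06, b"\x55\x04\x03") + tlv(0x13, b"Example CA"))
    tbs = alg + tlv(0x30, tlv(0x31, name)) + tlv(0x17, b"050901000000Z")
    if v2:  # version INTEGER 1 means v2; add a CRL Number extension (2.5.29.20)
        ext = tlv(0x30, tlv(0x06, b"\x55\x1d\x14") + tlv(0x04, tlv(0x02, b"\x01")))
        tbs = tlv(0x02, b"\x01") + tbs + tlv(0xA0, tlv(0x30, ext))
    return tlv(0x30, tlv(0x30, tbs) + alg + tlv(0x03, b"\x00" * 9))

if __name__ == "__main__":
    print(inspect_crl(sample_crl("2a864886f70d010105", v2=True)))
```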
