Publishing Crls; Crl Issuing Points; Delta Crls; How Crls Work - Red Hat CERTIFICATE SYSTEM 7.3 - ADMINISTRATION Administration Manual

14.3.2. Publishing CRLs

The Certificate Manager can publish the CRL to a file, to an LDAP-compliant directory, or to an OCSP
responder. Where CRLs are published, and how frequently, is configured in the Certificate Manager.
For information about setting up CRL publishing, see Chapter 15, Publishing.

14.3.3. CRL Issuing Points

Because CRLs can grow very large, there are several methods to minimize the overhead of retrieving
and delivering large CRLs. One of these methods partitions the entire certificate space and associates
a separate CRL with every partition. This partition is called a CRL issuing point, the location where a
subset of all the revoked certificates is maintained. Partitioning can be based on whether the revoked
certificate is a CA certificate or end-entity certificate. Each issuing point is identified by its name.
By default, the Certificate Manager generates and publishes a single CRL, the master CRL. An issuing
point can be defined for user certificates, for CA signing certificates, or for all revoked certificate
information, including expired certificates.
Once the issuing points have been defined, their locations can be included in the certificates the
Certificate Manager issues. An application that needs to check the revocation status of such a
certificate can then fetch the CRL for the issuing point named in the certificate instead of the master
CRL. Because the CRL maintained at an issuing point is smaller than the master CRL, it is faster to
download and to search when checking revocation status.
CRL distribution points are associated with certificates by setting the CRLDistributionPoint
extension (the cRLDistributionPoints extension of RFC 5280) in the certificate profile.

14.3.4. Delta CRLs

Delta CRLs can be issued for any defined issuing point. A delta CRL contains only the certificates
revoked since the last update of the full CRL, so a client that already holds the full CRL can stay
current by fetching the much smaller delta. Delta CRLs for an issuing point are created by enabling
the DeltaCRLIndicator extension for that issuing point.

14.3.5. How CRLs Work

CRLs are generated once issuing points are defined and configured and any CRL extensions are
enabled.

When CRLs are enabled, the server collects revocation information as certificates are revoked. The
server attempts to match each revoked certificate against all issuing points that are set up. A given
certificate can match none of the issuing points, one of them, several of them, or all of them. When a
revoked certificate matches an issuing point, the server stores the information about that certificate
in the cache for that issuing point.

The cache is copied to the internal directory at the interval set for copying the cache. When the
interval for creating a CRL is reached, a CRL is created from the cache. If a delta CRL has been set
up for this issuing point, a delta CRL is also created at this time. The full CRL contains all revoked
certificate information collected since the Certificate Manager began collecting it; the delta CRL
contains only the revoked certificate information collected since the last update of the full CRL.

The delta CRL is tied to its full CRL by CRL number: the DeltaCRLIndicator extension in the delta
CRL carries the CRL number of the full CRL it was built against, which lets a client confirm that the
two match before combining them. For example, if the full CRL is the first CRL issued, it is CRL 1,
and the corresponding delta CRL identifies CRL 1 as its base CRL. A client holding a different full
CRL must not apply that delta to it.
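The following example, added here and not taken from the Red Hat Certificate System manual or code, shows the pieces described in sections 14.3.3 through 14.3.5 end to end with the Python `cryptography` library: a certificate carrying a CRLDistributionPoints extension that names an issuing point, a full CRL with a CRLNumber extension, a delta CRL with a DeltaCRLIndicator extension naming that full CRL as its base, and a relying-party check that refuses to combine a delta with a full CRL of a different number. The CA, the certificates, the serial numbers and the issuing-point URL `http://crl.example.test/MasterCRL` are all constructed for the example; nothing here reflects the Certificate Manager's own configuration or publishing format. Following RFC 5280, the delta CRL in the example carries its own, later CRLNumber while its DeltaCRLIndicator holds the base CRL's number.

```python
from __future__ import annotations
import datetime
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

# Constructed fixtures: a throwaway CA key and a hypothetical issuing-point URL.
NOW = datetime.datetime(2024, 1, 1, tzinfo=datetime.timezone.utc)
ISSUING_POINT_URL = "http://crl.example.test/MasterCRL"  # hypothetical, not a real CDP
CA_KEY = ec.generate_private_key(ec.SECP256R1())
CA_NAME = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Example CA")])


def issue_cert(serial: int) -> x509.Certificate:
    """Issue an end-entity certificate whose CRLDistributionPoints extension
    names the issuing point a relying party should fetch the CRL from."""
    cdp = x509.CRLDistributionPoints([x509.DistributionPoint(
        full_name=[x509.UniformResourceIdentifier(ISSUING_POINT_URL)],
        relative_name=None, reasons=None, crl_issuer=None)])
    subject_key = ec.generate_private_key(ec.SECP256R1())
    return (x509.CertificateBuilder()
            .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, f"user-{serial}")]))
            .issuer_name(CA_NAME)
            .public_key(subject_key.public_key())
            .serial_number(serial)
            .not_valid_before(NOW)
            .not_valid_after(NOW + datetime.timedelta(days=365))
            .add_extension(cdp, critical=False)
            .sign(CA_KEY, hashes.SHA256()))


def issuing_point_urls(cert: x509.Certificate) -> list[str]:
    """Read the CRL distribution point URIs out of a certificate."""
    ext = cert.extensions.get_extension_for_class(x509.CRLDistributionPoints).value
    return [name.value for dp in ext for name in (dp.full_name or [])
            if isinstance(name, x509.UniformResourceIdentifier)]


def build_crl(number: int, revoked: list[int], base_number: int | None = None):
    """Sign a CRL carrying a CRLNumber extension. If base_number is given, the
    CRL is a delta: DeltaCRLIndicator (critical, per RFC 5280) names the full
    CRL it was built against."""
    builder = (x509.CertificateRevocationListBuilder()
               .issuer_name(CA_NAME)
               .last_update(NOW)
               .next_update(NOW + datetime.timedelta(days=1))
               .add_extension(x509.CRLNumber(number), critical=False))
    if base_number is not None:
        builder = builder.add_extension(x509.DeltaCRLIndicator(base_number), critical=True)
    for serial in revoked:
        builder = builder.add_revoked_certificate(
            x509.RevokedCertificateBuilder().serial_number(serial).revocation_date(NOW).build())
    return builder.sign(CA_KEY, hashes.SHA256())


def crl_number(crl: x509.CertificateRevocationList) -> int:
    return crl.extensions.get_extension_for_class(x509.CRLNumber).value.crl_number


def revocation_status(cert, full_crl, delta_crl=None) -> str:
    """Relying-party check: verify both CRL signatures, confirm the delta's
    DeltaCRLIndicator equals the full CRL's CRLNumber, then consult the delta
    (newest data) before the full CRL."""
    ca_pub = CA_KEY.public_key()
    for crl in (full_crl, delta_crl):
        if crl is not None and not crl.is_signature_valid(ca_pub):
            raise ValueError("CRL signature does not verify against the CA key")
    if delta_crl is not None:
        base = delta_crl.extensions.get_extension_for_class(x509.DeltaCRLIndicator).value.crl_number
        if base != crl_number(full_crl):
            raise ValueError(f"delta CRL is based on CRL {base}, but we hold CRL {crl_number(full_crl)}")
        if delta_crl.get_revoked_certificate_by_serial_number(cert.serial_number) is not None:
            return "revoked (delta)"
    if full_crl.get_revoked_certificate_by_serial_number(cert.serial_number) is not None:
        return "revoked"
    return "good"


def demo() -> dict:
    """Three constructed certificates: one revoked in the full CRL, one only in
    the delta, one not revoked; plus a delta that names a base CRL we do not hold."""
    certs = {serial: issue_cert(serial) for serial in (1001, 1002, 1003)}
    full_crl = build_crl(number=1, revoked=[1001])                    # full CRL 1
    delta_crl = build_crl(number=2, revoked=[1002], base_number=1)    # delta over CRL 1
    stale_delta = build_crl(number=3, revoked=[1003], base_number=5)  # delta over CRL 5
    status = {s: revocation_status(c, full_crl, delta_crl) for s, c in certs.items()}
    try:
        revocation_status(certs[1003], full_crl, stale_delta)
        stale_rejected = False
    except ValueError:
        stale_rejected = True
    return {"urls": issuing_point_urls(certs[1001]), "status": status,
            "stale_delta_rejected": stale_rejected}


if __name__ == "__main__":
    print(demo())
```

The check consults the delta before the full CRL because the delta holds the newer revocations; a certificate revoked after the last full CRL appears only there. Rejecting a delta whose base number differs from the full CRL in hand is the practical consequence of the numbering described above: applying a delta to the wrong base silently misses revocations.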