Issuing Crls - Red Hat CERTIFICATE SYSTEM 7.3 - ADMINISTRATION Administration Manual

Chapter 14. Revocation and CRLs
NOTE
When changes are made to the extensions for an issuing point, no delta CRL is created
with the next full CRL for that issuing point. A delta CRL is created with the second full
CRL that is created, and then with all subsequent full CRLs.
The internal database stores only the latest CRL and delta CRL. As each new CRL is created, the old
one is overwritten.
When CRLs are published, each update to the CRL and delta CRL is published to the locations
specified in the publishing setup. The method of publishing determines how many CRLs are stored.
For file publishing, each CRL is published to a file using the number for the CRL, so no file is
overwritten. For LDAP publishing, each CRL that is published replaces the old CRL in the attribute
containing the CRL in the directory entry.
By default, CRLs do not contain information about revoked expired certificates. The server can include
revoked expired certificates by enabling that option for the issuing point. If expired certificates are
included, information about revoked certificates is not removed from the CRL when the certificate
expires. If expired certificates are not included, information about revoked certificates is removed from
the CRL when the certificate expires.
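
The storage and expiry rules described above, modeled as a short Python simulation. This is an added example, not Certificate System code; the class and field names, the file-name pattern, and the sample serials and dates are constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

@dataclass(frozen=True)
class Revoked:
    serial: int
    revoked_on: date
    not_after: date  # expiry date of the revoked certificate

@dataclass
class IssuingPoint:
    """Toy model of one issuing point (hypothetical names, not the product's API)."""
    include_expired: bool = False          # default: revoked expired certs are dropped
    crl_number: int = 0
    internal_db: Optional[dict] = None     # holds only the latest CRL
    file_store: dict = field(default_factory=dict)  # one file per CRL number
    ldap_attr: Optional[dict] = None       # single attribute, replaced on publish

    def issue(self, revocations, today):
        self.crl_number += 1
        serials = sorted(
            r.serial for r in revocations
            if r.revoked_on <= today
            and (self.include_expired or r.not_after >= today)
        )
        crl = {"number": self.crl_number, "this_update": today, "serials": serials}
        self.internal_db = crl                            # old CRL overwritten
        self.file_store[f"crl-{self.crl_number}"] = crl   # constructed file name
        self.ldap_attr = crl                              # old CRL replaced
        return crl

# Constructed sample data: serial 0x1A expires between the two CRL updates.
REVOCATIONS = [
    Revoked(0x1A, date(2024, 1, 10), date(2024, 6, 30)),
    Revoked(0x2B, date(2024, 2, 1), date(2025, 12, 31)),
]

def run(include_expired):
    point = IssuingPoint(include_expired=include_expired)
    point.issue(REVOCATIONS, date(2024, 3, 1))
    point.issue(REVOCATIONS, date(2024, 7, 1))
    return point

if __name__ == "__main__":
    for flag in (False, True):
        p = run(flag)
        print(flag, p.ldap_attr["serials"], sorted(p.file_store))
```

With the default setting, the second CRL no longer lists serial 0x1A; only the file store still holds the earlier CRL that does.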

14.4. Issuing CRLs

Set up CRLs by doing the following:
1. The Certificate Manager uses its CA signing key to sign CRLs. To use a separate signing key pair
for CRLs, set up a CRL signing key and change the Certificate Manager configuration to use this
key to sign CRLs. See Section 4.11, "CRL Signing Key Pair and Certificate" for more information.
2. Set up CRL issuing points. An issuing point is already set up and enabled for a master CRL.
