Appendix A. Certificate and CRL Extensions
A.5. Standard X.509 v3 CRL Extensions
In addition to certificate extensions, the X.509 proposed standard defines extensions to CRLs, which provide methods for associating additional attributes with Internet CRLs. These are of two kinds: extensions to the CRL itself and extensions to individual certificate entries in the CRL.
• Section A.5.1, "Extensions for CRLs"
• Section A.5.2, "CRL Entry Extensions"
A.5.1. Extensions for CRLs
The following CRL extensions are defined as part of the Internet X.509 v3 Public Key Infrastructure proposed standard.
• Section A.5.1.1, "authorityKeyIdentifier"
• Section A.5.1.2, "CRLNumber"
• Section A.5.1.3, "deltaCRLIndicator"
• Section A.5.1.5, "issuerAltName"
• Section A.5.1.6, "issuingDistributionPoint"
A.5.1.1. authorityKeyIdentifier
A.5.1.1.1. OID
2.5.29.35
A.5.1.1.2. Discussion
The Authority Key Identifier extension for a CRL identifies the public key corresponding to the private key used to sign the CRL. For details, see the discussion under certificate extensions at Section A.3.2, "The authorityKeyIdentifier".
The PKIX standard recommends that a CA include this extension in all CRLs it issues, because a CA's public key can change, for example when the key is updated, or the CA may have several signing keys because of multiple concurrent key pairs or a key changeover. In these cases the CA ends up with more than one key pair, and an application verifying a signature on a certificate needs to know which key produced the signature.
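As an added example that is not part of the manual, the following code shows how a relying party uses this extension: it walks a DER-encoded crlExtensions list, pulls out the keyIdentifier from the AKI (OID 2.5.29.35), and selects the CA key whose subjectKeyIdentifier matches. The extension bytes and the CA key table are constructed inline for the demonstration; the CA key labels are placeholders.

```python
# Added example: resolve which CA key signed a CRL via the AKI keyIdentifier.
# Sample DER and the CA key table below are constructed, not taken from a real CA.
from typing import Dict, Optional, Tuple

AKI_OID_DER = bytes.fromhex("551d23")  # contents octets of OID 2.5.29.35


def der_tlv(buf: bytes, pos: int = 0) -> Tuple[int, bytes, int]:
    """Read one DER TLV (short or long definite length); return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def der_encode(tag: int, value: bytes) -> bytes:
    """Encode one short-form DER TLV; only used to build the constructed sample."""
    assert len(value) < 128
    return bytes([tag, len(value)]) + value


def find_aki_key_id(extensions: bytes) -> Optional[bytes]:
    """Return the AKI keyIdentifier from an Extensions SEQUENCE, or None if absent."""
    _, ext_list, _ = der_tlv(extensions)           # SEQUENCE OF Extension
    pos = 0
    while pos < len(ext_list):
        _, ext, pos = der_tlv(ext_list, pos)       # one Extension SEQUENCE
        tag, oid, p = der_tlv(ext)                 # extnID
        if tag == 0x06 and oid == AKI_OID_DER:
            tag, nxt, p = der_tlv(ext, p)          # critical BOOLEAN (optional) or extnValue
            if tag == 0x01:
                tag, nxt, p = der_tlv(ext, p)      # skip critical, read extnValue OCTET STRING
            _, aki, _ = der_tlv(nxt)               # AuthorityKeyIdentifier SEQUENCE
            tag, kid, _ = der_tlv(aki)             # first field should be [0] keyIdentifier
            return kid if tag == 0x80 else None
    return None


def select_signing_key(extensions: bytes, ca_keys: Dict[bytes, str]) -> Optional[str]:
    """Map the CRL's AKI to the CA key whose subjectKeyIdentifier (SKI) matches."""
    kid = find_aki_key_id(extensions)
    return ca_keys.get(kid) if kid else None


# Constructed: a CA with two key pairs after a key changeover, indexed by SKI (placeholder labels).
OLD_SKI, NEW_SKI = bytes.fromhex("0102030405"), bytes.fromhex("a1a2a3a4a5")
CA_KEYS = {OLD_SKI: "ca-key-old", NEW_SKI: "ca-key-new"}

# Constructed crlExtensions: cRLNumber (2.5.29.20) = 7, then AKI pointing at the new key.
SAMPLE_EXTENSIONS = der_encode(0x30,
    der_encode(0x30, der_encode(0x06, bytes.fromhex("551d14")) + der_encode(0x04, der_encode(0x02, b"\x07")))
    + der_encode(0x30, der_encode(0x06, AKI_OID_DER) + der_encode(0x04, der_encode(0x30, der_encode(0x80, NEW_SKI)))))
```

Without the AKI, a verifier facing both keys would have to try each signature in turn; with it, the lookup is a direct match on the SKI.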
A.5.1.1.3. Parameters
Table A.4. AuthorityKeyIdentifierExt Configuration Parameters
Parameter
enable
critical