Delta Crls; Publishing Crls; Certificate Revocation; Cmc Revocation - Red Hat CERTIFICATE SYSTEM 8.0 - ADMINISTRATION Admin Manual

Chapter 6. Revoking Certificates and Issuing CRLs
a separate CRL with every partition. This partition is called a CRL issuing point, the location where a subset of all the revoked certificates is maintained. Partitioning can be based on whether the revoked certificate is a CA certificate or an end-entity certificate. Each issuing point is identified by its name. By default, the Certificate Manager generates and publishes a single CRL, the master CRL. An issuing point can be defined for user certificates, for CA signing certificates, or for all revoked certificate information, including expired certificates.

Once the issuing points have been defined, they can be included in certificates so that an application that needs to check the revocation status of a certificate can access the CRL issuing points specified in the certificate instead of the master or main CRL. Since the CRL maintained at the issuing point is smaller than the master CRL, checking the revocation status is much faster.

CRL distribution points can be associated with certificates by setting the CRLDistributionPoint extension.

6.1.4. Delta CRLs

Delta CRLs can be issued for any defined issuing point. A delta CRL contains information about any certificates revoked since the last update to the full CRL. Delta CRLs for an issuing point are created by enabling the DeltaCRLIndicator extension.
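The following is an added example, not code from the Red Hat manual or from Certificate System itself. It walks the DER-encoded Extensions of a CRL to read the CRLNumber and the DeltaCRLIndicator (BaseCRLNumber) that the section above refers to, and applies the RFC 5280 rule a relying party uses to decide whether a delta CRL can be combined with a complete CRL it already holds; the DER byte strings at the end are constructed sample data, and the parser is deliberately minimal (definite-length DER only).

```python
OID_CRL_NUMBER = "2.5.29.20"          # CRLNumber
OID_DELTA_CRL_INDICATOR = "2.5.29.27" # DeltaCRLIndicator (BaseCRLNumber)

def _read_tlv(buf, pos):
    """Return (tag, content, next_pos) for the DER TLV starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the count of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(raw):  # OID content octets (base-128 arcs) -> dotted notation
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, value = arcs + [value], 0
    return ".".join(map(str, arcs))

def parse_crl_extensions(der):
    """Map dotted OID -> (critical, extnValue bytes) for an Extensions SEQUENCE."""
    _, body, _ = _read_tlv(der, 0)
    exts, pos = {}, 0
    while pos < len(body):
        _, ext, pos = _read_tlv(body, pos)
        _, oid_raw, p = _read_tlv(ext, 0)
        tag, val, p = _read_tlv(ext, p)
        critical = tag == 0x01 and val != b"\x00"  # optional BOOLEAN before extnValue
        if tag == 0x01:
            _, val, p = _read_tlv(ext, p)
        exts[_decode_oid(oid_raw)] = (critical, val)  # val: OCTET STRING contents
    return exts

def crl_int_extension(exts, oid):  # INTEGER in CRLNumber/BaseCRLNumber, or None
    if oid not in exts:
        return None
    _, content, _ = _read_tlv(exts[oid][1], 0)
    return int.from_bytes(content, "big")

def delta_applies_to_base(delta_exts, base_exts):
    """RFC 5280 5.2.4: a delta from the same issuing point combines with a
    complete CRL when BaseCRLNumber <= base CRLNumber <= delta CRLNumber."""
    nums = (crl_int_extension(delta_exts, OID_DELTA_CRL_INDICATOR),
            crl_int_extension(base_exts, OID_CRL_NUMBER),
            crl_int_extension(delta_exts, OID_CRL_NUMBER))
    return None not in nums and nums[0] <= nums[1] <= nums[2]
# Constructed sample: delta CRL (CRLNumber 10, critical BaseCRLNumber 7); base CRL (CRLNumber 9)
DELTA_EXTS = bytes.fromhex("301b300a0603551d14040302010a300d0603551d1b0101ff0403020107")
BASE_EXTS = bytes.fromhex("300c300a0603551d140403020109")
```

A complete CRL whose number is below the delta's BaseCRLNumber (or already above the delta's own number) is rejected, which is the check that keeps a stale base from being "updated" with revocations it cannot anchor.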

6.1.5. Publishing CRLs

The Certificate Manager can publish the CRL to a file, an LDAP-compliant directory, or to an OCSP responder. Where and how frequently CRLs are published are configured in the Certificate Manager, as described in Chapter 8, Publishing Certificates and CRLs.

Because CRLs can be very large, publishing CRLs can take a very long time, and it is possible for the process to be interrupted. Special publishers can be configured to publish CRLs to a file over HTTP 1.1, and, if the process is interrupted, the CA subsystem's web server can resume publishing at the point it was interrupted, instead of having to begin again. This is described in Section 8.3, "Publishing CRLs over HTTP".

6.1.6. Certificate Revocation Pages

The end-entities page of the Certificate Manager includes default HTML forms for SSL client authenticated revocation. The forms are accessible from the Revocation tab. The form for SSL client authenticated revocation is shown by clicking the User Certificate link.

To change the form appearance to suit an organization's requirements, edit UserRevocation.html, the form that allows SSL client authenticated revocation of client or personal certificates. The file is in the /var/lib/subsystem_name/webapps/subsystem_name/ee/subsystem_type directory.

6.2. CMC Revocation

CMC revocation allows users to set up a revocation client, sign the revocation request with an agent certificate, and then send the signed request to the Certificate Manager. When this method is used, the Certificate Manager automatically issues certificates when a valid certificate request signed with the agent's certificate is received and automatically revokes a certificate when a valid revocation request signed with the agent's certificate is received.