What's A Crl - Netscape MANAGEMENT SYSTEM 6.0 Installation And Setup Manual

What's a CRL?

Server and client applications that use public-key certificates as tokens of
identification need access to information about the validity of a certificate; because
one of the factors that determines the validity of a certificate is its revocation status,
these applications need to know whether the certificate being validated has been
revoked. In that regard, the CA has a responsibility to do the following:
• Revoke the certificate if any of the certificate assertions becomes false—for
example, if the subject's key gets compromised or the status of the subject's
role or right changes. (See "Reasons for Revoking a Certificate" on page 592.)
• Make the revoked certificate available to parties or applications that need to
verify its validity status.
One of the standard methods for conveying the revocation status of certificates is
by publishing a list of revoked certificates. This list is known as the certificate
revocation list (CRL). The CRL is a publicly available list of certificates that have
been revoked.
A CRL is issued and digitally signed by the certificate authority (CA) that issued
the certificates listed in the CRL. The CA may use a single key pair to sign the
certificates and CRLs or two separate key pairs, one for signing certificates and
another one for signing CRLs. The CA's function includes creating the CRLs
periodically and distributing them to other applications. For example, the CA may
publish the CRL to a global directory which other applications may use for
checking the revocation status of a certificate or from which other applications can
retrieve the CRL.
In Certificate Management System, the Certificate Manager can create the CRL,
sign it, and publish it to any of the configured repositories, such as an LDAP
directory, a file, and an OCSP responder. Configuring a Certificate Manager to
publish CRLs is optional. Note that the Registration Manager cannot create or
publish the CRL.
By default, the Certificate Manager uses a single key pair for signing the certificates
it issues and CRLs it generates. This key pair and the corresponding certificate is
explained in "CA Signing Key Pair and Certificate" on page 421. You may choose
to create another key pair for the Certificate Manager and use it exclusively for
signing the CRLs it generates. For details, see "CRL Signing Key Pair and
Certificate" on page 423.
Normally, whenever a certificate is revoked (by administrators, agents, or end
users), the Certificate Manager automatically updates the status of the certificate in
its internal database—it marks the copy of the certificate in its internal database as
revoked and removes the revoked certificate from the directory, if the Certificate
Chapter 19 Setting Up LDAP Publishing
Publishing of CRLs
591