CRL Issuing Points; Configuring A Certificate Manager To Publish Certificates And CRLs - Netscape MANAGEMENT SYSTEM 6.01 Installation And Setup Manual


CRL Issuing Points

Because CRLs can grow very large, several methods have been developed to
minimize the overhead of retrieving and delivering large CRLs. One of these
methods is based on partitioning the entire certificate space and associating a
separate CRL with every partition. This partition is called a CRL issuing or
distribution point; it is the location where a subset of all the revoked
certificates is maintained. Partitioning can be based on revocation reason, on
whether the revoked certificate is a CA certificate or end-entity certificate,
on end users' names, and so on. Each issuing point is identified by a set of
names, which can be in various forms.

Once the issuing points have been defined, they can be included in certificates so
that an application that needs to check the revocation status of a certificate can
access the CRL issuing points specified in the certificate instead of the master or
main CRL. The application checks the CRL maintained at the issuing point, which is
smaller than the master CRL, and this speeds up the revocation-status-checking
process.
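
The lookup described above, as an added example that is not taken from the manual or from the Certificate Management System: a Python sketch using the `cryptography` package in which a relying party follows the distribution point named in a certificate to a partition CRL. The throwaway CA, URLs and serial numbers are constructed, a dict stands in for the HTTP or LDAP fetch, and the check that the CRL's IssuingDistributionPoint matches the certificate's pointer follows RFC 5280 rather than anything stated on this page.

```python
import datetime as dt
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

# Constructed sample data: a throwaway CA key and made-up issuing-point URLs.
NOW = dt.datetime(2024, 1, 1)
CA_KEY = ec.generate_private_key(ec.SECP256R1())
CA_NAME = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Constructed Test CA")])
URL_A, URL_B = "http://crl.example.test/a.crl", "http://crl.example.test/b.crl"

def uri(url):
    return [x509.UniformResourceIdentifier(url)]

def issue_cert(serial, cdp_url):
    """End-entity certificate whose CRLDistributionPoints extension names one issuing point."""
    cdp = x509.CRLDistributionPoints([x509.DistributionPoint(uri(cdp_url), None, None, None)])
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, f"user-{serial}")])
    return (x509.CertificateBuilder().subject_name(subject).issuer_name(CA_NAME)
            .public_key(ec.generate_private_key(ec.SECP256R1()).public_key())
            .serial_number(serial).not_valid_before(NOW).not_valid_after(NOW + dt.timedelta(365))
            .add_extension(cdp, critical=False).sign(CA_KEY, hashes.SHA256()))

def issue_crl(idp_url, revoked_serials):
    """Partition CRL; the critical IssuingDistributionPoint states which partition it covers."""
    idp = x509.IssuingDistributionPoint(
        full_name=uri(idp_url), relative_name=None, only_contains_user_certs=False,
        only_contains_ca_certs=False, only_some_reasons=None, indirect_crl=False,
        only_contains_attribute_certs=False)
    builder = (x509.CertificateRevocationListBuilder().issuer_name(CA_NAME)
               .last_update(NOW).next_update(NOW + dt.timedelta(days=7))
               .add_extension(idp, critical=True))
    for serial in revoked_serials:
        entry = x509.RevokedCertificateBuilder().serial_number(serial).revocation_date(NOW).build()
        builder = builder.add_revoked_certificate(entry)
    return builder.sign(CA_KEY, hashes.SHA256())

def is_revoked(cert, crl_store):
    """crl_store maps URL -> CRL and stands in for the HTTP or LDAP fetch."""
    cdp = cert.extensions.get_extension_for_class(x509.CRLDistributionPoints).value
    for url in [n.value for dp in cdp for n in (dp.full_name or []) if n.value in crl_store]:
        crl = crl_store[url]
        if not crl.is_signature_valid(CA_KEY.public_key()):
            raise ValueError("CRL signature does not verify under the CA key")
        idp = crl.extensions.get_extension_for_class(x509.IssuingDistributionPoint).value
        if url not in [n.value for n in (idp.full_name or [])]:
            raise ValueError("CRL covers a different partition than the certificate names")
        return crl.get_revoked_certificate_by_serial_number(cert.serial_number) is not None
    raise LookupError("no CRL retrievable for any distribution point in the certificate")
```

Without the scope check, a validly signed CRL for a different partition could be returned in place of the right one and a revoked certificate would appear to be in good standing.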

CRL distribution points can be associated with certificates by setting the
CRLDistributionPoint extension in them.

By default, the Certificate Manager only generates and publishes a single CRL,
identified as the master CRL. However, for interoperability purposes, the server
does enable you to add the CRLDistributionPoint extension to the certificates it
issues. For details, see section "CRLDistributionPointsExt Plug-in Module" in
Chapter 4, "Certificate Extension Plug-in Modules" of CMS Plug-Ins Guide.

Configuring a Certificate Manager to Publish Certificates and CRLs

If you are using an LDAP-compliant directory, such as Netscape Directory Server,
to publish and manage your user and group data, you can configure the Certificate
Manager to communicate with this directory. The Certificate Manager can then
publish end-entity as well as CA certificates and the certificate revocation list (CRL)
to the directory. This way, your publishing directory acts as a common distribution
point for information about users and other entities on the network, including each
entity's current security credentials.

Once the Certificate Manager is configured to publish to the directory, many
certificate and CRL-related operations are performed automatically. For details, see
"Timing of Directory Updates" on page 587.

Chapter 19, Setting Up LDAP Publishing, page 595
