Netscape Certificate Management System 6.1 Administrator's Guide, page 602

About CRLs
When CRL generation is enabled for one or more issuing points, the server
collects revocation information as certificates are revoked. Each revoked
certificate is checked against every issuing point that is set up; a given
certificate can match none of the issuing points, one of them, several of them,
or all of them. When a revoked certificate matches an issuing point, the server
stores the information about that certificate in the cache for that issuing
point.
The cache is copied to the internal directory at the interval you specify for
copying the cache. When the interval for creating a CRL is reached, as configured
for that issuing point, a CRL is created from the cache. If a delta CRL has been
set up for the issuing point, a delta CRL is also created at that time.
The full CRL contains all revoked-certificate information collected since the
Certificate Manager began collecting it. The delta CRL contains only the
revoked-certificate information added since the last update of the full CRL.
The full CRL and the delta CRL created with it carry the same CRL number, which
lets clients determine that the two match. The delta CRL also identifies the
full CRL it is based on, that is, the full CRL whose issuance it records changes
since. For example, if the numbering were as simple as 1, 2, 3, the first CRL
would be CRL 1. The second CRL would be CRL 2 and its delta would be deltaCRL 2;
deltaCRL 2 would reference CRL 1 as the full CRL that it contains the updates
since.
Note that when the extensions for an issuing point are changed, no delta CRL is
created along with the next full CRL for that issuing point. A delta CRL is
created along with the second full CRL after the change, and with every full
CRL after that.
The internal database stores only the latest CRL and delta CRL. As each new CRL
is created, the old one is overwritten.
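The matching rule described above, as an added example that is not part of the manual or of the Certificate Manager's own code: a Go program (standard library only) issues CRL 1, CRL 2 and deltaCRL 2 from a throwaway self-signed CA, encodes the reference to the base CRL as the X.509 Delta CRL Indicator extension (RFC 5280 section 5.2.4), and shows the check a relying party should make before combining a full CRL with a delta: verify both signatures, confirm the delta's base is not newer than the full CRL it is applied to, and confirm the delta itself is newer than that full CRL. The CA, the serial numbers 1001 and 1002 and the helper names are assumptions made for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// id-ce-deltaCRLIndicator (RFC 5280 5.2.4); crypto/x509 does not model it, so it is handled as a raw extension.
var oidDeltaCRLIndicator = asn1.ObjectIdentifier{2, 5, 29, 27}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err) // setup failures in this demonstration are fatal
	}
	return v
}

// issueCRL signs a CRL with the given number listing the given serials. A non-nil
// base makes it a delta CRL carrying a critical Delta CRL Indicator that names the
// full CRL it records changes since.
func issueCRL(ca *x509.Certificate, key *ecdsa.PrivateKey, number int64, base *int64, serials ...int64) *x509.RevocationList {
	now := time.Now()
	tmpl := &x509.RevocationList{Number: big.NewInt(number), ThisUpdate: now, NextUpdate: now.Add(24 * time.Hour)}
	for _, s := range serials {
		tmpl.RevokedCertificates = append(tmpl.RevokedCertificates,
			pkix.RevokedCertificate{SerialNumber: big.NewInt(s), RevocationTime: now})
	}
	if base != nil {
		v := must(asn1.Marshal(big.NewInt(*base)))
		tmpl.ExtraExtensions = []pkix.Extension{{Id: oidDeltaCRLIndicator, Critical: true, Value: v}}
	}
	return must(x509.ParseRevocationList(must(x509.CreateRevocationList(rand.Reader, tmpl, ca, key))))
}

// baseNumber returns the BaseCRLNumber of a delta CRL, or nil for a full CRL.
func baseNumber(rl *x509.RevocationList) *big.Int {
	var n *big.Int
	for _, ext := range rl.Extensions {
		if ext.Id.Equal(oidDeltaCRLIndicator) {
			must(asn1.Unmarshal(ext.Value, &n))
		}
	}
	return n
}

// ApplyDelta verifies both CRLs against the issuer, checks that delta matches full,
// and returns the combined set of revoked serial numbers (as decimal strings).
func ApplyDelta(ca *x509.Certificate, full, delta *x509.RevocationList) (map[string]bool, error) {
	for name, rl := range map[string]*x509.RevocationList{"full": full, "delta": delta} {
		if err := rl.CheckSignatureFrom(ca); err != nil {
			return nil, fmt.Errorf("%s CRL: %w", name, err)
		}
	}
	base := baseNumber(delta)
	if baseNumber(full) != nil || base == nil {
		return nil, fmt.Errorf("expected a full CRL followed by a delta CRL")
	}
	// RFC 5280 5.2.4: a delta applies to a full CRL numbered at or after its base and
	// must be newer than it: deltaCRL 2 updates CRL 1 but adds nothing to CRL 2.
	if full.Number.Cmp(base) < 0 || delta.Number.Cmp(full.Number) <= 0 {
		return nil, fmt.Errorf("delta CRL %s (base %s) does not match full CRL %s", delta.Number, base, full.Number)
	}
	revoked := map[string]bool{}
	for _, rl := range []*x509.RevocationList{full, delta} {
		for _, rc := range rl.RevokedCertificates {
			revoked[rc.SerialNumber.String()] = true
		}
	}
	return revoked, nil
}

// BuildScenario reproduces the text's 1, 2 numbering on a throwaway self-signed CA (constructed
// for this example): CRL 1 revokes serial 1001; CRL 2 adds 1002; deltaCRL 2 (base CRL 1) carries only 1002.
func BuildScenario() (ca *x509.Certificate, crl1, crl2, delta2 *x509.RevocationList) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Issuing CA"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		SubjectKeyId: []byte{1, 2, 3, 4}, // CreateRevocationList requires an SKI on the issuer
	}
	ca = must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))))
	base := int64(1)
	return ca, issueCRL(ca, key, 1, nil, 1001), issueCRL(ca, key, 2, nil, 1001, 1002), issueCRL(ca, key, 2, &base, 1002)
}

func main() {
	ca, crl1, crl2, delta2 := BuildScenario()
	fmt.Println(ApplyDelta(ca, crl1, delta2)) // map[1001:true 1002:true] <nil>
	fmt.Println(ApplyDelta(ca, crl2, delta2)) // map[] delta CRL 2 (base 1) does not match full CRL 2
}
```

A client that already holds CRL 2 is refused the delta because the delta's number is not greater than the full CRL's, which is exactly the "same number" relationship the text describes; a client still holding CRL 1 combines it with deltaCRL 2 and obtains the same revoked set that CRL 2 carries.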
When you publish CRLs, each update to the CRL and to the delta CRL is published
to the locations specified in the publishing setup. The publishing method
determines how many CRLs are retained. With file publishing, each CRL is written
to a file named with that CRL's number, so no file is overwritten. With LDAP
publishing, each published CRL replaces the previous CRL in the attribute that
holds the CRL in the directory entry.
Note that by default, CRLs do not include revoked certificates that have since
expired. You can have the server include revoked expired certificates by
selecting that option for the issuing point. If you choose to include expired
certificates, a revoked certificate's entry stays in the CRL after the
certificate expires. If you choose not to include them, the entry is removed
from the CRL once the certificate expires.
602    Netscape Certificate Management System Administrator's Guide • February 2003