Table of Contents
Advertisement
CRL Extension Reference
CRL Extension Reference
To enable you to issue or publish X.509 v2 CRLs (that is, CRLs with extensions),
CMS provides a set of extension rules; each rule enables you to configure the
Certificate Manager to set a particular CRL or CRL-entry extension in CRLs it
issues.
When deciding whether to add CRL extensions, keep in mind that not all
applications support version 2 CRLs. Among the applications that do support
extensions, not all applications will recognize every extension. For general
guidelines on using these extensions in CRLs, see Appendix G, "Certificate and
CRL Extensions."
AuthorityKeyIdentifier
The
AuthorityKeyIdentifier
to set the Authority Key Identifier Extension in CRLs. The extension is used to
identify the public key that corresponds to the private key used by a CA to sign
CRLs.
The PKIX standard recommends that the CA must include this extension in all
CRLs it issues. The reason for this is that in certain situations, a CA's public key
may change (for example, when the key gets updated) or the CA may have
multiple signing keys (either because of multiple concurrent key pairs or because
of key changeover). In these cases, the CA ends up with more than one key pair.
When verifying a signature on a certificate, other applications need to know which
key was used in the signature.
For general information about the authority key identifier extension in CRLs, see
"authorityKeyIdentifier" on page 737.
Table 14-1 AuthorityKeyIdentifierExt Configuration Parameters
Parameter
enable
critical
608
Netscape Certificate Management System Administrator's Guide • February 2003
rule enables you to configure a Certificate Manager
Description
Specifies whether the rule is enabled or disabled. Select to enable,
deselect to disable (default).
Select if you want the server to mark the extension critical; deselect
if you want the server to mark the extension noncritical (default).
Advertisement
Table of Contents
