Novell LINUX ENTERPRISE DESKTOP 11 - SECURITY GUIDE 17-03-2009 Manual page 174

Field
Extensions
17.1.3 Blocking X.509 Certificates
If a certificate becomes untrustworthy before it has expired, it must be blocked imme-
diately. This can be needed if, for example, the private key has accidentally been made
public. Blocking certificates is especially important if the private key belongs to a CA
rather than a user certificate. In this case, all user certificates issued by the relevant CA
must be blocked immediately. If a certificate is blocked, the PKI (the responsible CA)
must make this information available to all those involved using a certificate revocation
list (CRL).
These lists are supplied by the CA to public CRL distribution points (CDPs) at regular
intervals. The CDP can optionally be named as an extension in the certificate, so a
checker can fetch a current CRL for validation purposes. One way to do this is the online
certificate status protocol (OCSP). The authenticity of the CRLs is ensured with the
signature of the issuing CA.
Table 17.2
Field
Version
Signature
Issuer
This Update
Next Update
162 Security Guide
Content
Optional additional information, such as "KeyUsage"
or "BasicConstraints"
Table 17.2
X.509 Certificate Revocation List (CRL)
Content
The version of the CRL, such as v2
The ID of the algorithm used to sign the CRL
Unique name (DN) of the publisher of the CRL (usually
the issuing CA)
Time of publication (date, time) of this CRL
Time of publication (date, time) of the next CRL
shows the basic parts of a X.509 CRL.