Novell LINUX ENTERPRISE DESKTOP 11 - SECURITY GUIDE 17-03-2009 Manual page 183


NOTE
All changes to the defaults only affect objects created after this point. Already
existing CAs and certificates remain unchanged.
17.2.6 Creating CRLs
If compromised or otherwise unwanted certificates should be excluded from further
use, they must first be revoked. The procedure for this is explained in
Section 17.2.3, "Creating or Revoking a Sub-CA" (page 166) (for sub-CAs) and
Section 17.2.4, "Creating or Revoking User Certificates" (page 168) (for user
certificates). After this, a CRL must be created and published with this information.

The system maintains only one CRL for each CA. To create or update this CRL, do the
following:
1 Start YaST and open the CA module.
2 Enter the required CA, as described in Section 17.2.3, "Creating or Revoking a
Sub-CA" (page 166).
3 Click CRL. The dialog that opens displays a summary of the last CRL of this
CA.
4 Create a new CRL with Generate CRL if you have revoked new sub-CAs or
certificates since its creation.
5 Specify the period of validity for the new CRL (default: 30 days).
6 Click OK to create and display the CRL. Afterwards, you must publish this CRL.

NOTE
Applications that evaluate CRLs reject every certificate if the CRL is not available
or has expired. As a PKI provider, it is your duty always to create and publish a new
CRL before the current CRL expires (period of validity). YaST does not provide
a function for automating this procedure.
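
Because YaST does not automate CRL renewal and relying applications reject certificates once the CRL is missing or expired, a scheduled check of the CRL's nextUpdate field is useful. The following is an added example, not part of the Novell guide: it reads nextUpdate with `openssl crl` and reports when renewal is due. The 7-day `WARN_DAYS` threshold, GNU `date`, and a PEM-format CRL at a path you supply are assumptions.

```shell
#!/bin/sh
# Added example: warn before a CA's CRL expires.
# Assumptions: GNU date (for -d), OpenSSL on PATH, CRL stored in PEM format.

WARN_DAYS=${WARN_DAYS:-7}   # hypothetical threshold: warn one week ahead

# crl_status NEXTUPDATE_LINE NOW_EPOCH
# NEXTUPDATE_LINE has the form printed by `openssl crl -noout -nextupdate`,
# e.g. "nextUpdate=Apr 16 12:00:00 2009 GMT" (constructed sample value).
# Prints one of: "OK <days>", "WARN <days>", "EXPIRED", "UNKNOWN".
crl_status() {
    next=${1#nextUpdate=}
    # A CRL without a nextUpdate field, or an unparsable date, ends up here.
    next_epoch=$(date -u -d "$next" +%s 2>/dev/null) || { echo "UNKNOWN"; return 0; }
    left=$(( next_epoch - $2 ))            # seconds until the CRL expires
    if [ "$left" -le 0 ]; then
        echo "EXPIRED"
    elif [ "$left" -lt $(( WARN_DAYS * 86400 )) ]; then
        echo "WARN $(( left / 86400 ))"
    else
        echo "OK $(( left / 86400 ))"
    fi
}

# check_crl FILE
# Reads nextUpdate from a PEM CRL and classifies it against the current time.
# Exit status: 0 = OK, 1 = renew soon, 2 = expired, 3 = unreadable or unknown.
check_crl() {
    line=$(openssl crl -in "$1" -noout -nextupdate 2>/dev/null) || {
        echo "$1: cannot read CRL"; return 3; }
    status=$(crl_status "$line" "$(date -u +%s)")
    echo "$1: $status"
    case $status in
        OK*)     return 0 ;;
        WARN*)   return 1 ;;
        EXPIRED) return 2 ;;
        *)       return 3 ;;
    esac
}

# Intended for cron: pass the CRL path (site-specific) as the only argument.
if [ "$#" -gt 0 ]; then
    check_crl "$1"
fi
```

A non-zero exit status can be used to trigger a mail or monitoring alert so that a new CRL is generated in YaST and published before the old one lapses.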
Managing X.509 Certification
171
