Versions Compared
Key
- This line was added.
- This line was removed.
- Formatting was changed.
This article describes how to create a Certificate Revocation List (CRL) procedure that defines the parameters to be used when issuing CRLs within Nexus Smart ID Certificate Manager. This task is done in the Administrator's Workbench s workbench (AWB) in Certificate Manager.
Prerequisites
Expand | ||
---|---|---|
| ||
The following prerequisites apply:
It is recommended that formats, which are not available, be generated before performing this task. |
Step-by-step instruction
Expand | ||||||
---|---|---|---|---|---|---|
| ||||||
To create a CRL procedure:
|
Expand | ||
---|---|---|
| ||
|
Theory
Expand | ||
---|---|---|
| ||
This figure illustrates which CRL combinations are possible to define in a CRL procedure.
Since the certificates do not contain any information about the CRL, the procedures defined in the X.509 or PKIX specifications cannot be used to verify that the CRL contains revocation information for the specified certificates. This is also the case if a Complete and Indirect CRL is specified to cover a CA that already has issued certificates, prior to the creation of the CRL procedure. Therefore, applications that should use a Complete and Indirect CRL need additional information, provided by other means, to be able to verify that the CRL contains revocation information for the specified certificates. |
Expand | ||
---|---|---|
| ||
Normally a CRL distribution point extension is added for all matching CRL procedures when a certificate is issued, see section “CRL distribution points”. The extension contains all distribution points locations that are marked to be included in new certificates. An alternative to this is to add a CRL procedure to a certificate procedure. In this case, the associated CRL distribution point extension will only be included in those certificates that were issued with certificate procedure(s) that include the CRL procedure, that is, the CRL created by the CRL procedure will cover revocation status for a limited set of certificates. This can be used to create a CRL that covers revocation for certificates for a special purpose, for example, for OCSP responder certificates. Only CRL procedures that would not be used by the normal matching rules (see section “CRL distribution points”) can be selected in a certificate procedure, that is, only CRL procedures with the following settings can be selected in a certificate procedure:
These parameters can not be changed as long as a CRL procedure is included in a certificate procedure. The references to a CRL procedure is shown in the Cross Reference section when viewing a CRL procedure. |
Impact on certificate and CRL extensions
A CRL procedure defines if the CRL distribution points (CRLDP) extension and freshest CRL extension in certificates and/or the issuing distribution point (IDP) extension in the CRL shall be created. For each CRL procedure an entry may be created in the CRLDP, freshest CRL or the IDP extensions.
Expand | ||||||||
---|---|---|---|---|---|---|---|---|
| ||||||||
The CRL distribution points (CRLDP) extension identifies how CRL information is obtained for the certificate. When creating the CRLDP extension, all CRL procedures that are relevant for the certificate to be issued are used to create distribution points in the CRLDP extension. When issuing a certificate, a CRL procedure will be used if
For these CRL procedures, an entry in the CRLDP extension will be created if the CRL procedure is selected in the issuing certificate procedure, or if any of the following conditions are met in the CRL procedure:
|
Expand | ||||||||||
---|---|---|---|---|---|---|---|---|---|---|
| ||||||||||
The freshest CRL (also known as delta CRL distribution point) extension identifies how delta CRL information is obtained. A CRL procedure that creates a CRLDP entry as specified above will also create a freshest CRL extension in a certificate if Issue Delta is set to Yes and Delta DP to certificate is set to Yes. The freshest CRL extension will have the same content as the CRLDP entry, except when a different distribution point is specified for the delta CRL.
|
Expand | ||||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| ||||||||||||||
The issuing distribution point is a critical CRL extension that identifies the CRL distribution point and scope for a particular CRL, and it indicates whether the CRL covers revocation for a limited set of reason codes. An IDP extension is created for CRLs that are specified as partitioned and/or indirect CRL in the CRL procedure.
|
This article is valid from CM for Certificate Manager 8.2 and later.
Related information
Child pages (Children Display) |
---|