Info
This article includes updates for Certificate Manager 8.6.1.

This article describes how to create a Certificate Revocation List (CRL) procedure that defines the parameters to be used when issuing CRLs within Smart ID Certificate Manager. This task is done in the Administrator's workbench (AWB).

Prerequisites

The following prerequisites apply:

  • Two administration officers must sign the request.
  • Both officers must have the following roles:
    • Use AWB
    • Policy tasks
  • A connection to the CM host must have been established (see Connect to a Certificate Manager host).
  • The following information is required by the administration officer during the task:
    • The procedure name that will appear in the explorer bar
    • The name of the CRL issuer
    • The CRL format to be used
    • The distribution rules to be used
    • The CRL type and its relevant issuing time intervals
    • The distribution point information and delta CRL parameters, if required

It is recommended that any CRL formats that are not yet available be generated before performing this task.

Create CRL procedure

Note

Clicking Save at any time during the creation of the CRL procedure, before clicking OK, will save the data and place the incomplete procedure definition in the CRL procedures sub-group.

To complete the creation of the CRL procedure at a later stage:

  • Highlight the procedure in the explorer bar.
  • Select Modify from the Edit menu, the toolbar, or the right-click shortcut menu.

To create a CRL procedure:

  1. In AWB, select New > CRL procedure.

  2. In the Create CRL Procedure Request dialog, enter the Procedure name that should appear in the CRL procedures sub-group in the explorer bar. This field is mandatory.

  3. Set the procedure State to Active or Closed as required.
  4. Select Domain and check Visible in subdomain, if applicable.
  5. Click the CRL issuer browse button and select the required CA. This field is mandatory.

  6. Click the CRL format browse button and select the required format. This field is mandatory.
  7. Customize the CRL format if required, as described in Customize format in AWB.
  8. In Distribution rules, click + to add a distribution rule. Add all relevant distribution rules. This field is mandatory.

  9. Set the Immediate issue parameter using the Yes and No options. If Yes is selected, any certificate revocation will cause an extra CRL to be issued.

  10. Modify the Update interval, which means the time between successive full CRL issues.
    Select in turn the years, months, days, hours and minutes and adjust the amounts using the up and down arrows. The date and time units may also be entered manually.

  11. Modify the Margin. The margin is added to the update interval to ensure that a valid CRL is always available (for example, during download of the next CRL).
    Select in turn the years, months, days, hours and minutes and adjust the amounts using the up and down arrows. The date and time units may also be entered manually.

  12. If the CRL should be built at a specific time, enter an hours and minutes specification in the Build at (hh:mm) field. Otherwise the CRL will be built at the time of day when the CRL procedure is created. To use a Build at specification, the update interval must be a whole number of days, that is, the hours and minutes of the update interval must be set to zero.
  13. Select the CRL type to be issued. (See also section “About complete and indirect CRL” below.)

    1. Complete - Complete CRLs are issued and downloaded to the LDAP server using the period and validity settings. The CRL destination used is the one set in the distribution rule. The CRL covers all certificates issued by the CRL issuer or a CA with the same distinguished name as the CRL issuer. Any specified distribution point names will be included in the certificates as information about additional locations of the complete CRL.

    2. Partitioned - CRLs are issued to a specified distribution point and contain only the certificates revoked for specific reasons. The CRL covers only those certificates that include the specified distribution point in their CRLDistributionPoint (CRLDP) extension, see the Add DP to certificate field. The specified distribution point will be set in the issuingDistributionPoint (IDP) extension of the CRL.

      Note

      A CRL is partitioned when any of the fields, except indirectCRL, in the IDP extension is set.


  14. Click on the + button associated with Distribution Point to open the CRL Distribution Point window.
  15. In the CRL Distribution Point window, enter the target directory (for example, the LDAP URL) for the CRLs in the Location field. The LDAP URL must conform to the syntax specified in RFC 2225.

    1. For complete CRLs, the Location field is optional and can be used to indicate alternate distribution points. Any location specified will always be included in the CRLDP extension of the certificates issued by the CRL issuer or a CA with the same distinguished name as the CRL issuer. Example: if more than one distribution rule is selected, there should be one defining the default destination while the other distribution rules define alternate destinations. The Location field can be used to indicate one of the alternate CRL destinations on the end-user certificate.

    2. For partitioned CRLs, the Location field is mandatory. In this case the distribution point is the target for the partitioned or indirect CRL. Use the Yes and No radio buttons to select whether the distribution point location should be included in new certificates. Distribution point locations that will be included in new certificates are presented starting with a '+' sign, while those that will not be included are presented starting with a '-' sign.

  16. Repeat steps 14 and 15 to define multiple CRL distribution points.
  17. If Complete was selected in step 13, go to step 19. If Partitioned was selected, continue with step 18.

  18. Select the revocation Reason Codes, associated with the partitioned CRLs, by checking one or more of the check boxes. The CRL only covers the specified reason codes, which are set in the onlySomeReasons field in the IDP extension of the CRL. If the CRL should cover all reason codes, this field should be empty, that is, no check boxes selected.

  19. Select if Indirect CRL shall be used with the Yes or No radio buttons.

    1. No - The CRL covers only certificates issued by the CRL issuer (or a CA with the same distinguished name as the CRL issuer).

    2. Yes - The CRL includes revocation information for certificates issued by the CAs specified in the For certificates by field. The Add DP to certificate field is used to control if the CRL issuer should be included in certificates to be issued by these CAs. The indirectCRL flag in the IDP extension will be set. If the CRL is also complete, it will include revocation information for all certificates issued by the certificate issuers specified in the For certificates by field.

  20. Make an appropriate selection for Add DP to certificate. The value is used to control the contents of the CRLDP extension when a certificate is issued. This value is not used when building the CRL. (See also section “Impact on certificate and CRL extensions” below.)

    The value specified has the following meaning:

    1. No - partitioned CRL
      The distribution point defined by this CRL procedure will NOT be included in the CRLDP extension of any certificate issued during the time the value is set to No. That is, the CRL will NOT include revocation information for certificates to be issued.

    2. No - indirect CRL
      The CRL issuer is NOT set in the CRLDP extension of certificates to be issued.

    3. Yes - partitioned CRL
      The distribution point locations defined by this CRL procedure that are marked to be included in new certificates will be included in the CRLDP extension of certificates to be issued. That is, the CRL will include revocation information for certificates to be issued.

    4. Yes - indirect CRL
      The CRL issuer is set in the cRLIssuer field in the CRLDP extension of certificates to be issued by any of the CAs defined in the For certificates by field.

Note
  • For a complete CRL, any locations specified in the Distribution Point field are always included in the CRLDP extension of certificates to be issued.
  • When CRL type is Complete and Indirect CRL is No, the field is unavailable and cannot be changed.
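
The CRL type, Reason Codes, Indirect CRL and Add DP to certificate settings in steps 13 to 20 together decide which CRL a relying party must consult for a given certificate and revocation reason. The Python below is an added example, not code from Certificate Manager or this page: it models the CRLDP and IDP fields those settings populate and implements the matching they describe (complete versus partitioned, onlySomeReasons, indirectCRL with cRLIssuer). The CA names, LDAP URL and certificates in `demo()` are constructed.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple

@dataclass(frozen=True)
class DistributionPoint:              # one entry of a certificate's CRLDP extension
    location: Optional[str]           # distribution point name, e.g. an LDAP URL
    crl_issuer: Optional[str] = None  # cRLIssuer field, filled by "Yes - indirect CRL"

@dataclass(frozen=True)
class Certificate:
    issuer: str                                # issuer DN
    crldp: Tuple[DistributionPoint, ...] = ()  # empty if "Add DP to certificate" was No

@dataclass(frozen=True)
class IssuingDistributionPoint:       # CRL IDP extension; partitioned when any field but indirect_crl is set
    distribution_point: Optional[str] = None            # Location of a partitioned CRL
    only_some_reasons: Optional[FrozenSet[str]] = None  # None: no Reason Codes checked
    indirect_crl: bool = False                          # "Indirect CRL: Yes"

@dataclass(frozen=True)
class CRL:
    issuer: str                                 # the CA chosen as CRL issuer
    idp: Optional[IssuingDistributionPoint] = None

def crl_covers(cert: Certificate, crl: CRL, reason: str) -> bool:
    """True if this CRL is where a revocation of `cert` for `reason` would be listed."""
    idp = crl.idp or IssuingDistributionPoint()
    if idp.only_some_reasons is not None and reason not in idp.only_some_reasons:
        return False                            # outside the onlySomeReasons partition
    if not idp.indirect_crl and cert.issuer != crl.issuer:
        return False                            # direct CRL: same DN as the certificate issuer
    if idp.distribution_point is None and not idp.indirect_crl:
        return True                             # complete, direct CRL: every cert of the CA
    for dp in cert.crldp:                       # else the cert needs a matching CRLDP entry
        if idp.distribution_point is not None and dp.location != idp.distribution_point:
            continue
        if idp.indirect_crl and dp.crl_issuer != crl.issuer:
            continue                            # indirect: cRLIssuer must name the CRL signer
        return True
    return False

def demo() -> dict:
    """Constructed scenario: one CA with a complete, a partitioned and an indirect CRL."""
    ca, signer = "CN=Example Issuing CA", "CN=Example CRL Signer"
    dp_kc = "ldap://crl.example.test/cn=keycomp,o=Example"
    complete, indirect = CRL(ca), CRL(signer, IssuingDistributionPoint(indirect_crl=True))
    partitioned = CRL(ca, IssuingDistributionPoint(dp_kc, frozenset({"keyCompromise", "cACompromise"})))
    with_dp = Certificate(ca, (DistributionPoint(dp_kc), DistributionPoint(None, signer)))
    without_dp = Certificate(ca)                # issued while Add DP to certificate was No
    return {"complete": crl_covers(without_dp, complete, "superseded"),
            "partitioned_kc": crl_covers(with_dp, partitioned, "keyCompromise"),
            "partitioned_other": crl_covers(with_dp, partitioned, "superseded"),
            "partitioned_no_dp": crl_covers(without_dp, partitioned, "keyCompromise"),
            "indirect": crl_covers(with_dp, indirect, "keyCompromise")}
```

The `partitioned_no_dp` case shows the practical effect of Add DP to certificate set to No: certificates issued in that state carry no pointer to the partitioned CRL, so a validator cannot use it for them.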


Option: Configure delta CRL

  1. If delta CRLs are to be issued, select Yes next to Issue Delta. No is the default.
  2. Enter the following Delta CRL parameters:

    • Reference CRL - the value entered here represents the number of full CRLs you are required to backtrack to locate the reference CRL (for example, 1 represents the immediate previous full CRL).

    • Frequency - the number of delta CRLs that are issued between full CRL issues.

    • Margin - the margin is added to the period between delta CRL issues to ensure that a valid delta CRL is always available.

  3. Set the Immediate issue parameter using the Yes and No options. If Yes is selected, any certificate revocation will cause an extra delta CRL to be issued.

  4. If the delta CRL should have a different distribution point, then click the + button associated with the Distribution Point to open the CRL Distribution Point window. Otherwise go to step 7.

    Note

    Different distribution points for a delta CRL can only be set for a complete CRL, the field is unavailable for a partitioned CRL.


  5. Enter the target directory (for example, the LDAP URL) for the delta CRL in the Location field.
  6. Repeat steps 4 and 5 to define multiple CRL distribution points.
  7. Set the Delta DP to certificate parameter using the Yes and No options.

    1. Select Yes if a freshest CRL extension, identifying this delta CRL, should be created when a certificate is issued. See also sections “Impact on Certificate and CRL Extensions” and “Freshest CRL”.

    2. Select No if the distribution point is not to be included in issued certificates.

  8. In Distribution rules, click + to add a distribution rule. Add all relevant distribution rules.

  9. Click OK and sign the request. See Sign tasks in Certificate Manager for more information.

Partition CRL on distribution point

Normally a CRL distribution point extension is added for all matching CRL procedures when a certificate is issued, see section “CRL distribution points”. The extension contains all distribution point locations that are marked to be included in new certificates.

An alternative to this is to add a CRL procedure to a certificate procedure. In this case, the associated CRL distribution point extension will only be included in those certificates that were issued with certificate procedure(s) that include the CRL procedure, that is, the CRL created by the CRL procedure will cover revocation status for a limited set of certificates. This can be used to create a CRL that covers revocation for certificates for a special purpose, for example, for OCSP responder certificates.

Only CRL procedures that would not be used by the normal matching rules (see section “CRL distribution points”) can be selected in a certificate procedure, that is, only CRL procedures with the following settings:

  • CRL issuer matches the certificate issuer
  • CRL type: Partitioned
  • Add DP to certificate: No.

These parameters cannot be changed as long as the CRL procedure is included in a certificate procedure. The references to a CRL procedure are shown in the Cross Reference section when viewing that CRL procedure.
