Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 9 Next »

This article describes how to create a Certificate Revocation List (CRL) procedure that defines the parameters to be used when issuing CRLs within Smart ID Certificate Manager. This task is done in the Administrator's workbench (AWB) in Certificate Manager.

Prerequisites

 Prerequisites

The following prerequisites apply:

  • Two administration officers must sign the request.
  • Both officers must have the following roles:
    • Use AWB
    • Policy tasks
  • A connection to the CM host must have been established (see Connect to a Certificate Manager host).
  • The following information is required by the administration officer during the task:
    • The procedure name that will appear in the explorer bar
    • The name of the CRL issuer
    • The CRL format to be used
    • The distribution rules to be used
    • The CRL type and its relevant issuing time intervals

    • The distribution point information and delta CRL parameters if required

It is recommended that formats, which are not available, be generated before performing this task.

Step-by-step instruction

 Create CRL procedure

Clicking Save at any time during the creation of the CRL procedure, before clicking OK, will save the data and place the incomplete procedure definition in the CRL procedures sub-group.

To complete the creation of the CRL procedure at a later stage:

  • Highlight the procedure in the explorer bar.
  • Select Modify from the Edit menu, the toolbar, or the right-click shortcut menu.

To create a CRL procedure:

  1. In AWB, select New > CRL procedure.

  2. In the Create CRL Procedure Request dialog, enter the Procedure name that should appear in the CRL procedures sub-group in the explorer bar. This field is mandatory.

  3. Set the procedure State to Active or Closed as required.
  4. Select Domain and check Visible in subdomain, if applicable.
  5. Click the CRL issuer browse button and select the required CA. This field is mandatory.

  6. Click the CRL format browse button and select the required format. This field is mandatory.
  7. Once a format has been selected, you can customize the set of format definition fields and modules.
    1. At Format, click Advanced.

      1. A pop-up window will appear containing all fields and modules from the selected format file.

        • The modules are shown in the top section with their indexes in the right column (the indexes determine the execution order of the modules).

        • The format definition fields are shown in the bottom section with the values of the parameters in the right column. You can edit the values for the definition fields parameters and store them for this particular procedure.

          Here is an example with the certificate format rfc5280.

    2. To add new format definition fields or modules click Add Parameter or Add Module. For added fields and modules (that are not present in the format file) you can edit values in the left column and also remove the row with Remove Parameter or Remove Module.

    The new values will take precedence over the values in the format file, but the format file will not be affected by these changes.

  8. In Distribution rules, click + to add a distribution rule. Add all relevant distribution rules. This field is mandatory.

  9. Set the Immediate issue parameter using the Yes and No options. If Yes is selected, any certificate revocation will cause an extra CRL to be issued.

  10. Modify the Update interval, which means the time between successive full CRL issues.
    Select in turn the years, months, days, hours and minutes and adjust the amounts using the up and down arrows. The date and time units may also be entered manually.

  11. Modify the Margin. The margin is added to the update interval to ensure that a valid CRL is always available (for example, during download of the next CRL).
    Select in turn the years, months, days, hours and minutes and adjust the amounts using the up and down arrows. The date and time units may also be entered manually.

  12. If the CRL should be built at a specific time, add an hours and minutes specification in the Build at (hh:mm) field. Otherwise the CRL will be built at the time of day when the CRL procedure is created. To use a "Build at"-specification, the update interval must be a whole multiple of days, that is, the hours and minutes of the update interval must be set to zero.
  13. Select the CRL type to be issued. (See also section “About complete and indirect CRL” below.)

    1. Complete - Complete CRLs are issued and downloaded to the LDAP server using the period and validity settings. The CRL destination used is the one set in the distribution rule. The CRL covers all certificates issued by the CRL issuer or a CA with the same distinguished name as the CRL issuer. Any specified distribution point names will be included in the certificates as information about additional locations of the complete CRL.

    2. Partitioned - CRLs are issued to a specified distribution point and contain only the certificates revoked for specific reasons. The CRL covers only those certificates that include the specified distribution point in their CRLDistributionPoint (CRLDP) extension, see the Add DP to certificate field. The specified distribution point will be set in the issuingDistributionPoint (IDP) extension of the CRL.

      A CRL is partitioned when any of the fields, except indirectCRL, in the IDP extension is set.

  14. Click on the + button associated with Distribution Point to open the CRL Distribution Point window.
  15. In the CRL Distribution Point window, enter the target directory (for example, the LDAP URL) for the CRLs in the Location field. The LDAP URL must conform to the syntax specified in RFC 2225.

    1. For complete CRLs, the Location field is optional and can be used to indicate alternate distribution points. Any location specified will always be included in the CRLDP extension of the certificates issued by the CRL issuer or a CA with the same distinguished name as the CRL issuer. Example: if more than one distribution rule is selected, there should be one defining the default destination while the other distribution rules define alternate destinations. The Location field can be used to indicate one of the alternate CRL destinations on the end-user certificate.

    2. For partitioned CRLs, the Location field is mandatory. In this case the distribution point is the target for the partitioned or indirect CRL. Select using the Yes and No radio buttons if the distribution point location should be included in new certificates or not. Distribution point locations that will be included in new certificates will be presented starting with a '+' sign while those that will not be included will be presented starting with with a '-' sign.

  16. Repeat steps 13 and 14 to define multiple CRL distribution points.
  17. If Complete was selected in step 12 go to step 18. If Partitioned was selected, continue with step 17.

  18. Select the revocation Reason Codes, associated with the partitioned CRLs, by checking one or more of the check boxes. The CRL only covers the specified reason codes, which are set in the onlySomeReasons field in the IDP extension of the CRL. If the CRL should cover all reason codes, this field should be empty, that is, no check boxes selected.

  19. Select if Indirect CRL shall be used with the Yes or No radio buttons.

    1. No - The CRL covers only certificates issued by the CRL issuer (or a CA with the same distinguished name as the CRL issuer).

    2. Yes - The CRL includes revocation information for certificates issued by the CAs specified in the For certificates by field. The Add DP to certificate field is used to control if the CRL issuer should be included in certificates to be issued by these CAs. The indirectCRL flag in the IDP extension will be set. If the CRL is also complete, it will include revocation information for all certificates issued by the certificate issuers specified in the For certificates by field.

  20. Make an appropriate selection for Add DP to certificate. The value is used to control the contents of the CRLDP extension when a certificate is issued. This value is not used when building the CRL. (See also section “Impact on certificate and CRL extensions” below.)

    The value specified has the following meaning:

    1. No - partitioned CRL
      The distribution point defined by this CRL procedure will NOT be included in the CRLDP extension of any certificate issued during the time the value is set to No. That is, the CRL will NOT include revocation information for certificates to be issued.

    2. No - indirect CRL
      The CRL issuer is NOT set in the CRLDP extension of certificates to be issued.

    3. Yes - partitioned CRL
      The distribution point locations defined by this CRL procedure that are marked to be included in new certificates will be included in the CRLDP extension of certificates to be issued. That is, the CRL will include revocation information for certificates to be issued.

    4. Yes - indirect CRL
      The CRL issuer is set in the cRLIssuer field in the CRLDP extension of certificates to be issued by any of the CAs defined in the For certificates by field.

  • For a complete CRL, any locations specified in the Distribution Point field are always included in the CRLDP extension of certificates to be issued.
  • When CRL type is Complete and Indirect CRL is No, the field is unavailable and cannot be changed.
 Option: Configure delta CRL
  1. If delta CRLs are to be issued, select Yes next to Issue Delta. No is the default.
  2. Enter the following Delta CRL parameters:

    • Reference CRL - the value entered here represents the number of full CRLs you are required to backtrack to locate the reference CRL (for example, 1 represents the immediate previous full CRL).

    • Frequency - the number of delta CRLs that are issued between full CRL issues.

    • Margin - the margin is added to the period between delta CRL issues to ensure that a valid delta CRL is always available.

  3. Set the Immediate issue parameter using the Yes and No options. If Yes is selected, any certificate revocation will cause an extra delta CRL to be issued.

  4. If the delta CRL should have a different distribution point, then click the + button associated with the Distribution Point to open the CRL Distribution Point window. Otherwise go to step 7.

    Different distribution points for a delta CRL can only be set for a complete CRL, the field is unavailable for a partitioned CRL.

  5. Enter the target directory (for example, the LDAP URL) for the delta CRL in the Location field.
  6. Repeat steps 4 and 5 to define multiple CRL distribution points.
  7. Set the Delta DP to certificate parameter using the Yes and No options.

    1. Select Yes if a freshest CRL extension, identifying this delta CRL, should be created when a certificate is issued. See also sections “Impact on Certificate and CRL Extensions” and “Freshest CRL”.

    2. Select No if the distribution point is not to be included in issued certificates.

  8. In Distribution rules, click + to add a distribution rule. Add all relevant distribution rules.

  9. Click OK and sign the request. See Sign tasks in Certificate Manager for more information.

Theory

 About complete and indirect CRL

This figure illustrates which CRL combinations are possible to define in a CRL procedure.

A CRL procedure that specifies both Complete and Indirect CRL but with Add DP to certificate not selected, will produce a CRL that is not compatible with the X.509 or PKIX specifications.

Since the certificates do not contain any information about the CRL, the procedures defined in the X.509 or PKIX specifications cannot be used to verify that the CRL contains revocation information for the specified certificates. This is also the case if a Complete and Indirect CRL is specified to cover a CA that already has issued certificates, prior to the creation of the CRL procedure.

Therefore, applications that should use a Complete and Indirect CRL need additional information, provided by other means, to be able to verify that the CRL contains revocation information for the specified certificates.

 Partition CRL on distribution point

Normally a CRL distribution point extension is added for all matching CRL procedures when a certificate is issued, see section “CRL distribution points”. The extension contains all distribution points locations that are marked to be included in new certificates.

An alternative to this is to add a CRL procedure to a certificate procedure. In this case, the associated CRL distribution point extension will only be included in those certificates that were issued with certificate procedure(s) that include the CRL procedure, that is, the CRL created by the CRL procedure will cover revocation status for a limited set of certificates. This can be used to create a CRL that covers revocation for certificates for a special purpose, for example, for OCSP responder certificates.

Only CRL procedures that would not be used by the normal matching rules (see section “CRL distribution points) can be selected in a certificate procedure, that is, only CRL procedures with the following settings can be selected in a certificate procedure:

  • CRL issuer matches the certificate issuer
  • CRL type: Partitioned
  • Add DP to certificate: No.

These parameters can not be changed as long as a CRL procedure is included in a certificate procedure. The references to a CRL procedure is shown in the Cross Reference section when viewing a CRL procedure.

Impact on certificate and CRL extensions

A CRL procedure defines if the CRL distribution points (CRLDP) extension and freshest CRL extension in certificates and/or the issuing distribution point (IDP) extension in the CRL shall be created. For each CRL procedure an entry may be created in the CRLDP, freshest CRL or the IDP extensions.

 CRL distribution points

The CRL distribution points (CRLDP) extension identifies how CRL information is obtained for the certificate. When creating the CRLDP extension, all CRL procedures that are relevant for the certificate to be issued are used to create distribution points in the CRLDP extension.

When issuing a certificate, a CRL procedure will be used if

  • the certificate is issued by the CRL issuer, OR
  • the certificate is issued by a CA with the same subject distinguished name as the CRL issuer, OR
  • the certificate is issued by any of the certificate issuers specified in the For certificates by field for an indirect CRL.

For these CRL procedures, an entry in the CRLDP extension will be created if the CRL procedure is selected in the issuing certificate procedure, or if any of the following conditions are met in the CRL procedure:

CRLDP fieldCRL procedure conditions

distributionPoint

  1. CRL type: Complete and Distribution Point: specified, or
  2. CRL type: Partitioned and Add DP to certificate: Yes.
reasonsCRL type: Partitioned and Reason Codes: specified and Add DP to certificate: Yes
cRLIssuerIndirect CRL: Yes and Add DP to certificate: Yes
  • If CRL type: Complete, the CRLDP extension will contain all specified distribution point locations.
  • If CRL type: Partitioned, the CRLDP extension will only contain those distribution point locations specifically marked to be included in new certificates.
 Freshest CRL

The freshest CRL (also known as delta CRL distribution point) extension identifies how delta CRL information is obtained.

A CRL procedure that creates a CRLDP entry as specified above will also create a freshest CRL extension in a certificate if Issue Delta is set to Yes and Delta DP to certificate is set to Yes. The freshest CRL extension will have the same content as the CRLDP entry, except when a different distribution point is specified for the delta CRL.

Freshest CRL fieldCRL procedure conditions

All fields

Creates CRLDP entry and Issue Delta: Yes and Delta DP to certificate: Yes

distributionPoint

  1. CRL type: Complete and Delta CRL Distribution Point: specified, or
  2. same content as distributionPoint in CRLDP entry.
reasonsSame content as reasons in CRLDP entry.
cRLIssuerSame content as cRLIssuer in CRLDP entry.
 Issuing distribution point

The issuing distribution point is a critical CRL extension that identifies the CRL distribution point and scope for a particular CRL, and it indicates whether the CRL covers revocation for a limited set of reason codes. An IDP extension is created for CRLs that are specified as partitioned and/or indirect CRL in the CRL procedure.

IDP fieldCRL procedure conditions

distributionPoint

CRL type: Partitioned
onlyContainsUserCerts Not used
onlyContainsCACertsNot used
onlySomeReasonsCRL type: Partitioned and Reason Codes: specified
indirectCRLIndirect CRL: Yes

onlyContainsAttributeCerts

Not used
  • No labels