Monthly Report Gayathri (06!02!10-02)
06-02-2023 EL
A certificate revocation list (CRL) provides a list of certificates that have been revoked. A
client application, such as a web browser, can use a CRL to check a server’s authenticity. A
server application, such as Apache or OpenVPN, can use a CRL to deny access to clients that
are no longer trusted. Publish the CRL at a publicly accessible location
(e.g., http://example.com/intermediate.crl.pem). By default, the CRL expires after 30 days.
This is controlled by the default_crl_days option in the [ CA_default ] section.
When a CA signs a certificate, it will normally encode the CRL location into the
certificate. Add crlDistributionPoints to the appropriate sections. In our case, add it to
the [ server_cert ] section.
CRLDist=T
1) CRLDistSize
Specifies the maximum number of certificates to be managed by a single DP (our formula can
be placed here). Determine your value for the CRLDistSize parameter based on the following
algorithm. The default value specified in pkiserv.conf is 500. Your value should be based on
your desired average number of CRL entries per distribution point and your estimated
revoked-certificate percentage. When CRLs are posted to LDAP, a single CRL cannot exceed
approximately 32K bytes in length unless you have enabled support for large CRLs (for
more information, see Enabling support for large CRLs). Hence, we are going for http.
2) CRLDistName
Determine your value for the CRLDistName parameter. The default value is CRL. The
common name portion of the distinguished name of each DP CRL is formed by
appending the DP number to this value. The CA's name is also appended. The length of
the entire DP distinguished name should not exceed 255 bytes. Update the value of
CRLDistName in the CertPolicy section of pkiserv.conf to your customized value. For
example, with CRLDistName=CRL, the DP CRL is named CRL0, and the DP CRLs are
named CRL1, CRL2, and so forth.
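As an added example (not code from the report or from PKI Services), the sizing rule of thumb in (1) and the naming rule and 255-byte limit in (2) written out in Python: crl_dist_size divides the target number of entries per DP by the expected revocation rate, dp_crl_dn builds the DP CRL distinguished name and checks its length, and entries_that_fit DER-encodes a worst-case revokedCertificates entry in the RFC 5280 layout to count how many fit under the 32K LDAP ceiling. All function names, the DN suffix layout (modelled on the LDAP URI in the ASN.1 dump later in this report) and the sample numbers are assumptions of this example.

```python
import math
from datetime import datetime, timezone
from typing import Optional

# Approximate ceiling the report quotes for one CRL posted to LDAP without large-CRL support.
LDAP_CRL_LIMIT_BYTES = 32 * 1024


def crl_dist_size(target_entries_per_dp: int, revoked_percent: float) -> int:
    """CRLDistSize candidate: certificates per DP such that, at the expected revocation
    rate, each DP CRL carries about target_entries_per_dp entries (rounded up)."""
    if not 0 < revoked_percent <= 100:
        raise ValueError("revoked_percent must be in (0, 100]")
    return math.ceil(target_entries_per_dp * 100 / revoked_percent)


def dp_count(total_certificates: int, dist_size: int) -> int:
    """Number of DP CRLs (CRL1, CRL2, ...) needed once total_certificates have been issued."""
    return math.ceil(total_certificates / dist_size)


def dp_crl_dn(crl_dist_name: str, dp_number: int, ca_name_suffix: str) -> str:
    """DN of DP CRL number dp_number: CN=<CRLDistName><n> followed by the CA's name.
    The suffix layout is an assumption modelled on the LDAP URI in the report's ASN.1 dump;
    the 255-byte limit is the one the report states."""
    dn = f"CN={crl_dist_name}{dp_number},{ca_name_suffix}"
    if len(dn.encode("utf-8")) > 255:
        raise ValueError(f"DP CRL DN exceeds 255 bytes ({len(dn.encode('utf-8'))}): {dn}")
    return dn


# --- minimal DER helpers, enough to measure real revokedCertificates entries --------------

def _der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def _tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(body)) + body


def _der_integer(value: int) -> bytes:
    # one spare byte keeps the sign bit clear for serials whose top bit is set
    return _tlv(0x02, value.to_bytes((value.bit_length() + 8) // 8, "big"))


def revoked_entry_der(serial: int, revoked_at: datetime, reason: Optional[int] = None) -> bytes:
    """One revokedCertificates element (RFC 5280 section 5.1.2.6):
    SEQUENCE { userCertificate INTEGER, revocationDate UTCTime,
               crlEntryExtensions SEQUENCE { reasonCode extension } OPTIONAL }."""
    body = _der_integer(serial) + _tlv(0x17, revoked_at.strftime("%y%m%d%H%M%SZ").encode("ascii"))
    if reason is not None:
        # id-ce-cRLReasons is 2.5.29.21 (DER 55 1d 15); its value is an ENUMERATED inside an OCTET STRING
        reason_ext = _tlv(0x30, _tlv(0x06, b"\x55\x1d\x15") + _tlv(0x04, _tlv(0x0A, bytes([reason]))))
        body += _tlv(0x30, reason_ext)
    return _tlv(0x30, body)


def worst_case_entry(serial_bits: int = 128, with_reason: bool = True) -> bytes:
    """Largest entry a CA with serial_bits-bit serials can emit (reason 1 = keyCompromise)."""
    return revoked_entry_der((1 << serial_bits) - 1,
                             datetime(2023, 2, 6, tzinfo=timezone.utc),
                             1 if with_reason else None)


def entries_that_fit(limit: int = LDAP_CRL_LIMIT_BYTES, serial_bits: int = 128,
                     with_reason: bool = True, fixed_overhead: int = 0) -> int:
    """Worst-case number of revoked entries that stay under `limit`, after reserving
    fixed_overhead bytes for the rest of the CRL (issuer name, dates, signature; pass the
    measured value for your CA) and 4 bytes for the revokedCertificates SEQUENCE header."""
    sample = worst_case_entry(serial_bits, with_reason)
    return max(0, (limit - fixed_overhead - 4) // len(sample))


if __name__ == "__main__":
    size = crl_dist_size(50, 10)  # 50 entries per DP at a 10 % revocation rate -> 500, the pkiserv.conf default
    print("CRLDistSize:", size, "DPs for 12000 certificates:", dp_count(12000, size))
    print("DN of DP 1:", dp_crl_dn("CRL", 1, "OU=Retail,O=Mycompany,C=US"))
    print("worst-case entries under 32K:", entries_that_fit())
```

The fixed part of a CRL (issuer name, validity dates, signature algorithm and signature) is CA-specific, so measure it once on a real CRL from your CA and pass it as fixed_overhead; entries_that_fit counts revoked entries only.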
3) CRLDistURIn
Specifying this value will allow PKI Services to build a URI-formatted name for the DP CRL
in each CRLDistributionPoints extension, if you also specified a CRLDistSize value greater
than 1. You can specify multiple entries for the CRLDistURIn parameter, using the
parameters CRLDistURI1, CRLDistURI2, and so forth. The URI format will not be created if
you specify CRLDistURIn with an n value of 0. The URI itself follows the URL syntax of
RFC 1738, and the DP CRLs are named as described under CRLDistName (CRL0, CRL1, CRL2,
and so forth).
CRLDistURI1 = http://www.bankxyz.com/Employees/crls/
This value is ignored if you did not specify CRLDistSize with a value greater than zero.
When using virtual pathnames in an HTTP URI, a Pass statement will be required in the
HTTP configuration file to map the virtual pathname to a real pathname. Update the value of
CRLDistURIn in the CertPolicy section of pkiserv.conf to your customized value or values.
4) CRLDistDirPath
The CRLDistDirPath parameter specifies the full path of the var directory where PKI
Services will save each DP CRL. The default value is /var/pkiserv/.
CRLDistDirPath = /var/pkiserv/Employees/
When using virtual pathnames in an HTTP URI, a Pass statement will be required in the
HTTP configuration file to map the virtual pathname to a real pathname. We are generating
the directory as “Employees”. Hence, the pass statement is
The structure contains a set of attributes, each consisting of an object identifier (OID), which
identifies the attribute type, and an associated value. In this case, the attributes include
countryName, organizationName, organizationalUnitName, and commonName. The values
associated with these attributes provide information about the entity responsible for the CRL,
including the country, organization, organizational unit, and common name of the entity.
The line OBJECT IDENTIFIER cRLDistributionPoints (2 5 29 31) specifies an object identifier
(OID) named cRLDistributionPoints with the value 2 5 29 31 (dotted form 2.5.29.31).
SEQUENCE {
  OBJECT IDENTIFIER cRLDistributionPoints (2 5 29 31)
  OCTET STRING, encapsulates {
    SEQUENCE {
      SEQUENCE {
        [0] {
          [0] {
            [4] {
              SEQUENCE {
                SET {
                  SEQUENCE {
                    OBJECT IDENTIFIER countryName (2 5 4 6)
                    UTF8String (1997) 'US'
                  }
                }
                SET {
                  SEQUENCE {
                    OBJECT IDENTIFIER organizationName (2 5 4 10)
                    UTF8String (1997) 'Mycompany'
                  }
                }
                SET {
                  SEQUENCE {
                    OBJECT IDENTIFIER organizationalUnitName (2 5 4 11)
                    UTF8String (1997) 'Retail'
                  }
                }
                SET {
                  SEQUENCE {
                    OBJECT IDENTIFIER commonName (2 5 4 3)
                    UTF8String (1997) 'CRL0'
                  }
                }
              }
            }
          }
        }
      }
      SEQUENCE {
        [0] {
          [0] {
            [6] 'http://crl.MyCompany.de/CRL0.crl'
          }
        }
      }
      SEQUENCE {
        [0] {
          [0] {
            [6] 'ldap://ldap.MyCompany.de/CN=CRL0,OU=Retail,O=Mycompany,C=US?authorityRevocationList'
          }
        }
      }
    }
  }
}
This is an example of a Certificate Revocation List (CRL) Distribution Point extension in
ASN.1 encoding format. The distribution point URIs are:
'http://crl.MyCompany.de/CRL0.crl'
'ldap://ldap.MyCompany.de/CN=CRL0,OU=Retail,O=Mycompany,C=US?authorityRevocationList'
The CRL issuer is identified by the following information:
countryName: US
organizationName: Mycompany
organizationalUnitName: Retail
commonName: CRL0
The distribution points provide the URLs where a client can obtain the most current version
of the CRL.
The OBJECT IDENTIFIER line indicates that this is an object identifier, which is a unique
identifier used to specify a particular object, in this case, the "cRLDistributionPoints".
The OCTET STRING line indicates that the following data is encoded as an octet string,
which is a sequence of 8-bit values that can be used to encode binary data.
The SEQUENCE structure inside the octet string encapsulates further information, in this
case, a sequence of sequences that describe the distribution point.
The [0], [4] and [6] markers are context-specific tags, meaning that their interpretation
depends on the context in which they are used: in the CRLDistributionPoints syntax the outer
[0] is the distributionPoint field, the inner [0] its fullName, [4] a directoryName and [6] a
uniformResourceIdentifier.
The OBJECT IDENTIFIER line with the value countryName specifies another object
identifier, this time for the country name, and the UTF8String line with the value 'US' is a
string encoded using the UTF-8 character set, indicating the country name is "US".
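As an added example (not code from the report or from PKI Services), a minimal DER encoder that rebuilds the extension shown in the dump above from its parts, and a walker that decodes it again, so the OCTET STRING wrapping and the [0] / [0] / [4] / [6] nesting can be checked byte by byte. Tag numbers and OIDs are the RFC 5280 values; the function names are assumptions, and the sample DN and URIs are taken from the dump. The decoder also accepts more than one GeneralName per fullName and skips the reasons and cRLIssuer fields, which the dump does not use.

```python
# RFC 5280: DistributionPoint ::= SEQUENCE { distributionPoint [0] EXPLICIT DistributionPointName ... }
#           DistributionPointName ::= fullName [0] IMPLICIT GeneralNames
#           GeneralName ::= directoryName [4] EXPLICIT Name | uniformResourceIdentifier [6] IMPLICIT IA5String
ATTR_OIDS = {"C": "2.5.4.6", "O": "2.5.4.10", "OU": "2.5.4.11", "CN": "2.5.4.3"}


def _der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def _tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(body)) + body


def der_oid(dotted: str) -> bytes:
    """OBJECT IDENTIFIER: first two arcs packed as 40*a+b, later arcs in base-128 with continuation bits."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytes([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunks = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunks.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body += bytes(reversed(chunks))
    return _tlv(0x06, body)


OID_TO_ATTR = {der_oid(o)[2:]: a for a, o in ATTR_OIDS.items()}


def der_name(rdns) -> bytes:
    # Name ::= SEQUENCE OF SET OF AttributeTypeAndValue. The dump shows UTF8String (0x0C) for
    # every value, including countryName, so that is mirrored here.
    sets = b"".join(_tlv(0x31, _tlv(0x30, der_oid(ATTR_OIDS[a]) + _tlv(0x0C, v.encode("utf-8"))))
                    for a, v in rdns)
    return _tlv(0x30, sets)


def directory_name(rdns) -> bytes:
    return _tlv(0xA4, der_name(rdns))            # [4] EXPLICIT Name (constructed)


def uri_name(uri: str) -> bytes:
    return _tlv(0x86, uri.encode("ascii"))       # [6] IMPLICIT IA5String (primitive)


def distribution_point(*general_names: bytes) -> bytes:
    # SEQUENCE { [0] { [0] { GeneralName ... } } }
    return _tlv(0x30, _tlv(0xA0, _tlv(0xA0, b"".join(general_names))))


def crl_distribution_points_ext(points) -> bytes:
    """Extension ::= SEQUENCE { extnID OID, extnValue OCTET STRING { SEQUENCE OF DistributionPoint } }"""
    return _tlv(0x30, der_oid("2.5.29.31") + _tlv(0x04, _tlv(0x30, b"".join(points))))


def build_dump_extension() -> bytes:
    """The three distribution points of the dump: directoryName, http URI, ldap URI."""
    dn = [("C", "US"), ("O", "Mycompany"), ("OU", "Retail"), ("CN", "CRL0")]
    return crl_distribution_points_ext([
        distribution_point(directory_name(dn)),
        distribution_point(uri_name("http://crl.MyCompany.de/CRL0.crl")),
        distribution_point(uri_name("ldap://ldap.MyCompany.de/CN=CRL0,OU=Retail,O=Mycompany,C=US?authorityRevocationList")),
    ])


def read_tlv(buf: bytes, pos: int = 0):
    """Return (tag, body, position after this element); handles short and long length forms."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        n = first & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def iter_tlvs(buf: bytes):
    pos = 0
    while pos < len(buf):
        tag, body, pos = read_tlv(buf, pos)
        yield tag, body


def decode_name(name_body: bytes):
    parts = []
    for _, set_body in iter_tlvs(name_body):
        _, atv_body, _ = read_tlv(set_body)      # one AttributeTypeAndValue per SET in this example
        (_, oid_body), (_, value) = list(iter_tlvs(atv_body))
        parts.append((OID_TO_ATTR.get(oid_body, "?"), value.decode("utf-8")))
    return parts


def parse_crl_distribution_points(ext: bytes):
    """Walk the extension and return [('dn', [...]), ('uri', '...'), ...] in dump order."""
    _, ext_body, _ = read_tlv(ext)
    (_, oid_body), (_, octets) = list(iter_tlvs(ext_body))[:2]
    if oid_body != b"\x55\x1d\x1f":
        raise ValueError("not a cRLDistributionPoints extension")
    _, dps_body, _ = read_tlv(octets)            # SEQUENCE OF DistributionPoint inside the OCTET STRING
    names = []
    for _, dp_body in iter_tlvs(dps_body):
        for tag, field in iter_tlvs(dp_body):
            if tag != 0xA0:                      # reasons [1] and cRLIssuer [2] are skipped
                continue
            dpn_tag, dpn_body, _ = read_tlv(field)
            if dpn_tag != 0xA0:                  # nameRelativeToCRLIssuer [1] is not handled here
                continue
            for gn_tag, gn_body in iter_tlvs(dpn_body):
                if gn_tag == 0x86:
                    names.append(("uri", gn_body.decode("ascii")))
                elif gn_tag == 0xA4:
                    names.append(("dn", decode_name(read_tlv(gn_body)[1])))
                else:
                    names.append(("other", gn_tag))
    return names


if __name__ == "__main__":
    ext = build_dump_extension()
    print(ext[:8].hex(" "))                      # 30 81 .. 06 03 55 1d 1f: SEQUENCE, then the extension OID
    for kind, value in parse_crl_distribution_points(ext):
        print(kind, value)
```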