Basic and standard CRL policies
The basic and standard CRL policies support the same fields and extensions.
The supported fields for these policies are as follows:
There are no supported CRLEntry extensions.
The supported CRL extensions for these policies are as follows. Where an entry is marked as "not supported", WebSphere® MQ does not attempt to process extensions containing a field of that specific type, but does process other types of the same extension.
- AuthorityKeyID
- IssuerAltName
- CRLNumber
- IssuingDistributionPoint
  - DistributionPoint
    - DistributionPointName
      - FullName (X.500 Name and LDAP Format URI only)
      - NameRelativeToCRLIssuer (not supported)
    - Reasons (ignored)
    - CRLIssuer
  - OnlyContainsUserCerts (not supported)
  - OnlyContainsCACerts (not supported)
  - OnlySomeReasons (not supported)
  - IndirectCRL (rejected; see note 4)
1 This field is called signatureAlgorithm in RFC 5280.
2 This field is called signatureValue in RFC 5280.
3 This field is called signature in RFC 5280.
4 IndirectCRL extensions will result in CRL validation failing. IndirectCRL extensions must not be used because they cause identified certificates to not be rejected.
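
The following is an added example, not IBM code: a pre-publication check that walks the DER value of an IssuingDistributionPoint extension and labels each field present with the handling listed above. The tag numbers follow the ASN.1 definition in RFC 5280 section 5.2.5; the function names and the sample bytes are constructed for this illustration.

```python
# Added example (not IBM code). Encoding follows RFC 5280, section 5.2.5.
IDP_FIELDS = {  # context tag -> (field name, handling listed on this page)
    0x81: ("OnlyContainsUserCerts", "not supported"),
    0x82: ("OnlyContainsCACerts", "not supported"),
    0x83: ("OnlySomeReasons", "not supported"),
    0x84: ("IndirectCRL", "rejected"),
}
NAME_FORMS = {  # choice tag inside distributionPoint [0]
    0xA0: ("FullName", "X.500 Name and LDAP Format URI only"),
    0xA1: ("NameRelativeToCRLIssuer", "not supported"),
}

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER element")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long-form length: low 7 bits give the byte count
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("bad DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("DER length exceeds buffer")
    return tag, buf[pos:pos + length], pos + length

def classify_idp(der):
    """List (field, handling) for each field present in the extension value."""
    tag, body, end = read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("expected exactly one SEQUENCE")
    findings, pos = [], 0
    while pos < len(body):
        tag, value, pos = read_tlv(body, pos)
        if tag == 0xA0:  # distributionPoint: handling depends on the name form
            tag = read_tlv(value, 0)[0]
            findings.append(NAME_FORMS.get(tag, (f"name form 0x{tag:02X}", "unknown")))
        else:
            # Assumption: DER omits DEFAULT FALSE booleans, so present means set.
            findings.append(IDP_FIELDS.get(tag, (f"tag 0x{tag:02X}", "unknown")))
    return findings

def tlv(tag, value):  # helper for the constructed samples (short lengths only)
    return bytes([tag, len(value)]) + value
# Constructed sample: LDAP URI fullName plus indirectCRL TRUE
SAMPLE = tlv(0x30, tlv(0xA0, tlv(0xA0, tlv(0x86, b"ldap://ca.example/crl"))) + tlv(0x84, b"\xff"))
print(classify_idp(SAMPLE))
```

Any finding labelled "rejected" means the CRL will fail validation as described in note 4, so a CA pipeline can fail the build on it before the CRL is published.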