Example of Distribution Point Variables
This example illustrates the need for variables when the crlDistributionPoints data in a certificate does not give the true address of the distribution point server, for instance because the address changed after the certificate was issued. For example, a CA may have issued certificates with either of the following URI distribution points:
- ldap://ldap1/cn=DP1,ou=CA,dc=acme,dc=com?certificateRevocationList?base?objectClass=cRLDistributionPoint
- ldap://ldap2/cn=DP2,ou=CA,dc=acme,dc=com?certificateRevocationList?base?objectClass=cRLDistributionPoint
Due to a network reconfiguration, or for some other reason, you may need to address these servers by their fully qualified DNS names, ldap1.acme.com and ldap2.acme.com, rather than by the short host names written into the certificates. To support this, you can set up a single global CRL definition with the following URL specified:
ldap://{distributionPoint.host}.acme.com{distributionPoint.path}?{distributionPoint.query}
Additionally, set the CrlDistributionPoints property “Ignore CRL Distribution Point” to true, so that the server does not also attempt to reach the original, now unreachable, LDAP URI carried in the certificate's distribution point extension.
At runtime, Secure External Authentication Server checks the global CRL and resolves the URL to one of the following, depending on the distribution point data:
- ldap://ldap1.acme.com/cn=DP1,ou=CA,dc=acme,dc=com?certificateRevocationList?base?objectClass=cRLDistributionPoint
- ldap://ldap2.acme.com/cn=DP2,ou=CA,dc=acme,dc=com?certificateRevocationList?base?objectClass=cRLDistributionPoint
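The substitution above can be reproduced with a few lines of standard-library Python. The following is an added illustration of how the host, path and query of a certificate's distribution point URI are spliced into the global CRL definition; it is not code from Secure External Authentication Server, and the `DistributionPoint` class, the `resolve_crl_url` and `crl_urls_to_try` functions, and the candidate ordering modelled for the "Ignore CRL Distribution Point" property are assumptions made for the example. The two distribution point URIs are the ones from the page, embedded as constructed sample input.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed sample input: the two distribution point URIs the CA wrote into
# its certificates, taken from the page (each on a single line here).
CERT_DP_URIS = [
    "ldap://ldap1/cn=DP1,ou=CA,dc=acme,dc=com"
    "?certificateRevocationList?base?objectClass=cRLDistributionPoint",
    "ldap://ldap2/cn=DP2,ou=CA,dc=acme,dc=com"
    "?certificateRevocationList?base?objectClass=cRLDistributionPoint",
]

# The global CRL definition from the page, using the three variables it names.
GLOBAL_CRL_TEMPLATE = (
    "ldap://{distributionPoint.host}.acme.com"
    "{distributionPoint.path}?{distributionPoint.query}"
)


@dataclass(frozen=True)
class DistributionPoint:
    """Parts of one cRLDistributionPoint URI that a template may reference.

    The attribute names mirror the {distributionPoint.host/path/query}
    variables on the page; the class itself is an assumption of this
    illustration, not the product's data model.
    """
    host: str   # host name from the certificate URI (port removed)
    path: str   # path with its leading slash, i.e. the LDAP base DN
    query: str  # everything after the first '?': attributes?scope?filter


def parse_distribution_point(uri: str) -> DistributionPoint:
    """Split an LDAP CRL distribution point URI into host, path and query.

    urlsplit() cuts the query at the first '?', so the later '?' separators
    of an LDAP URL (attributes?scope?filter) stay inside the query part.
    """
    parts = urlsplit(uri)
    if parts.scheme != "ldap" or not parts.hostname:
        raise ValueError(f"not an LDAP distribution point URI: {uri!r}")
    # Assumption: a port in the certificate URI is dropped; the template on
    # the page never references one.
    return DistributionPoint(host=parts.hostname, path=parts.path, query=parts.query)


def resolve_crl_url(template: str, dp_uri: str) -> str:
    """Fill the {distributionPoint.*} variables of a global CRL definition
    with the values taken from one certificate's distribution point URI.

    str.format() resolves the dotted field names by attribute lookup on the
    DistributionPoint object, producing the host/path/query splice the page
    describes.
    """
    return template.format(distributionPoint=parse_distribution_point(dp_uri))


def crl_urls_to_try(template: str, dp_uri: str, ignore_original: bool) -> list[str]:
    """URLs a revocation check would contact for one certificate.

    ignore_original models the "Ignore CRL Distribution Point" property: when
    it is False the unreachable URI from the certificate remains a candidate
    and costs a connection attempt (or timeout) before the rewritten URL is
    used. That ordering is an assumption of this illustration.
    """
    resolved = resolve_crl_url(template, dp_uri)
    return [resolved] if ignore_original else [dp_uri, resolved]


if __name__ == "__main__":
    for uri in CERT_DP_URIS:
        print(resolve_crl_url(GLOBAL_CRL_TEMPLATE, uri))
```

One caveat the example makes visible: the template appends `.acme.com` to whatever host the certificate carries, so a certificate whose distribution point already names `ldap1.acme.com` would resolve to `ldap1.acme.com.acme.com`. The global definition therefore suits only CAs whose distribution point hosts are consistently unqualified; check the URIs issued by every CA the definition covers before setting "Ignore CRL Distribution Point", because with it set the rewritten URL is the only one tried.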