Example of Multiple CRL Definitions

The following example applies if multiple CRL definitions are required, as in the case where directoryName distribution points are spread across multiple directories that are not resolved automatically through referrals. For example, a CA with issuer name “ou=CA, dc=acme, dc=com” may have two directoryName distribution points:

  • DN=“cn=DP1, ou=CA, dc=acme, dc=com” Host=ldap1
  • DN=“cn=DP2, ou=CA, dc=acme, dc=com” Host=ldap2

To support this situation, set up two CRL definitions:

  • Name=“DP1-CrlDef” Host=“ldap1”
  • Name=“DP2-CrlDef” Host=“ldap2”

Then set the CrlDistributionPoints properties as follows:

  • Ignore CRL Distribution Point: false
  • Referenced CRL Definition: {distributionPoint.cn}-CrlDef

At runtime, Secure External Authentication Server resolves the “Referenced CRL Definition” variable to DP1-CrlDef or DP2-CrlDef, depending on the CN extracted from the distribution point DN in the extension. This allows Secure External Authentication Server to access the correct directory hosting the distribution point CRL. The example described below allows the use of the abbreviated distributionPoint variable.
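To make the runtime resolution concrete, the following added Python illustration (not the product's own code) shows how the {distributionPoint.cn} placeholder in “Referenced CRL Definition” is expanded from a distribution point DN and used to select the host for the CRL lookup. The dictionary layout, the leftmost-RDN-wins rule and the error behaviour for unknown definitions are assumptions made for this example.

```python
import re

# Constructed data mirroring the page: one CRL definition per directory host.
# The dictionary layout is an assumption, not the product's configuration format.
CRL_DEFINITIONS = {
    "DP1-CrlDef": {"host": "ldap1"},
    "DP2-CrlDef": {"host": "ldap2"},
}

# The CrlDistributionPoints properties from the page.
CRL_DP_PROPERTIES = {
    "ignore_crl_distribution_point": False,
    "referenced_crl_definition": "{distributionPoint.cn}-CrlDef",
}


def parse_dn(dn):
    """Split an LDAP DN string into (attribute, value) pairs, honouring
    backslash-escaped commas (RFC 4514). Attribute types are lower-cased."""
    pairs = []
    for rdn in re.split(r"(?<!\\),", dn):
        attr, _, value = rdn.strip().partition("=")
        pairs.append((attr.strip().lower(), value.strip().replace("\\,", ",")))
    return pairs


def resolve_referenced_definition(template, dp_dn):
    """Expand {distributionPoint.<attr>} placeholders from the distribution
    point DN. Assumption: the leftmost RDN with that attribute is used."""
    attrs = {}
    for attr, value in parse_dn(dp_dn):
        attrs.setdefault(attr, value)

    def substitute(match):
        key = match.group(1).lower()
        if key not in attrs:
            raise ValueError(f"DN {dp_dn!r} has no {key} attribute")
        return attrs[key]

    return re.sub(r"\{distributionPoint\.(\w+)\}", substitute, template)


def select_crl_host(dp_dn, properties=CRL_DP_PROPERTIES, definitions=CRL_DEFINITIONS):
    """Return the directory host that serves the CRL for dp_dn, or None when
    the distribution point is configured to be ignored. Fails loudly (assumed
    behaviour) when the resolved name matches no CRL definition."""
    if properties["ignore_crl_distribution_point"]:
        return None
    name = resolve_referenced_definition(properties["referenced_crl_definition"], dp_dn)
    if name not in definitions:
        raise LookupError(f"no CRL definition named {name!r}")
    return definitions[name]["host"]
```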