Creating a distribution point ARL
You can choose to create a distribution point (DP) authority revocation list (ARL) to support revocation status checking for certificate authority (CA) certificates. You choose DP ARL processing by customizing the ARLDist parameter in the CertPolicy section of the pkiserv.conf file. If you do not customize this parameter, PKI Services does not partition the ARL and, therefore, applications must check the global ARL to check the revocation status of a CA certificate.
- ARLDist=F (default)
  - No distribution point ARL is created.
- ARLDist=T
  - When distribution point CRLs are also enabled (when CRLDistSize is greater than zero), you can specify T (True) to create a distribution point ARL. PKI Services then does the following:
  - Creates a single distribution point (DP) for all CA certificates.
  - Builds a CRLDistributionPoints extension containing both the distinguished name and the URI format for the DP, using the same values (CRLDistSize, CRLDistName, CRLDistURIn, CRLDistDirPath) that are specified in the pkiserv.conf file for DP CRL processing.
  - There is only one DP ARL. Its name is formed by the value that is specified for the CRLDistName parameter in the CertPolicy section of pkiserv.conf, appended with 0 (zero). By appending a zero, the name of the DP ARL never conflicts with the name of a DP CRL. For example, if CRLDistName=CRL, then the DP ARL is named CRL0, and the DP CRLs are named CRL2, and so forth.
  - The DP ARL is a mirror copy of the global ARL. In other words, each revoked CA certificate appears in both the DP ARL and the global ARL. By contrast, a revoked non-CA certificate is listed in the DP CRL but not in the global CRL when DP CRL processing is enabled.
  - The attribute string that is appended to the URI format for the LDAP protocol is ?authorityRevocationList. Otherwise, the CRLDistributionPoints extension of a CA certificate appears similar to that of a non-CA certificate. See Figure 1 for a sample CRLDistributionPoints extension for a CA certificate. This sample contains several different name formats. Notice the URI format at the end of the sample.