Creating a distribution point ARL
You can choose to create a distribution point (DP) authority revocation list (ARL) to support revocation status checking for certificate authority (CA) certificates. You enable DP ARL processing by customizing the ARLDist parameter in the CertPolicy section of the pkiserv.conf file. If you do not customize this parameter, PKI Services does not partition the ARL; applications must then consult the global ARL to check the revocation status of a CA certificate.
- ARLDist=F (default)
- No distribution point ARL is created.
- ARLDist=T
- A distribution point ARL is created. This value is valid only when distribution point CRLs are also enabled, that is, when CRLDistSize is greater than zero.
When DP ARL processing is enabled, PKI Services provides the following support:
- Creates a single distribution point (DP) for all CA certificates.
- Builds a CRLDistributionPoints extension that contains both the distinguished name and the URI format for the DP, using the same values (CRLDistSize, CRLDistName, CRLDistURIn, CRLDistDirPath) that are specified in the pkiserv.conf file for DP CRL processing.
DP ARL processing for CA certificates is similar to the DP CRL processing for non-CA certificates, with the following differences:
- There is only one DP ARL. Its name is formed by appending 0 (zero) to the value of the CRLDistName parameter in the CertPolicy section of the pkiserv.conf file. Because DP CRLs are numbered starting from 1, the name of the DP ARL never conflicts with the name of a DP CRL. For example, if CRLDistName=CRL, the DP ARL is named CRL0, and the DP CRLs are named CRL1, CRL2, and so forth.
- The DP ARL is a mirror copy of the global ARL. In other words, each revoked CA certificate appears in both the DP ARL and the global ARL. By contrast, when DP CRL processing is enabled, a revoked non-CA certificate is listed in its DP CRL but not in the global CRL.
- The attribute string that is appended to the URI format for the LDAP protocol is ?authorityRevocationList. Otherwise, the CRLDistributionPoints extension of a CA certificate appears similar to that of a non-CA certificate. See Figure 1 for a sample CRLDistributionPoints extension for a CA certificate. This sample contains several different name formats. Notice the URI format at the end of the sample.