[AIX, Linux, Windows]

Basic and standard CRL policies

The basic and standard CRL policies support the same fields and extensions.

The supported fields for these policies are as follows:
  • OuterSigAlgID 1
  • Signature 2
  • Version
  • InnerSigAlgID 3
  • Issuer
  • ThisUpdate
  • NextUpdate
  • RevokedCertificate
    • UserCertificate
    • RevocationDate

There are no supported CRLEntry extensions.

The supported CRL extensions for these policies are as follows. Where an entry is marked as "not supported", IBM® MQ does not attempt to process extensions containing a field of that specific type, but does process other types of the same extension.
  • AuthorityKeyID
  • IssuerAltName
  • CRLNumber
  • IssuingDistributionPoint
    • DistributionPoint
    • DistributionPointName
      • FullName (X.500 Name and LDAP Format URI only)
      • NameRelativeToCRLIssuer (not supported)
    • Reasons (ignored)
    • CRLIssuer
    • OnlyContainsUserCerts (not supported)
    • OnlyContainsCACerts (not supported)
    • OnlySomeReasons (not supported)
    • IndirectCRL 4 (rejected)
1 This field is called signatureAlgorithm in RFC 5280.
2 This field is called signatureValue in RFC 5280.
3 This field is called signature in RFC 5280.
4 IndirectCRL extensions will result in CRL validation failing. IndirectCRL extensions must not be used because they cause identified certificates to not be rejected.