Creating a distribution point ARL

You can choose to create a distribution point (DP) authority revocation list (ARL) to support revocation status checking for certificate authority (CA) certificates. You enable DP ARL processing by customizing the ARLDist parameter in the CertPolicy section of pkiserv.conf. If you do not customize this parameter, PKI Services creates no DP ARL, so applications must check the global ARL to determine the revocation status of a CA certificate.

ARLDist=F (default)
No distribution point ARL is created.
ARLDist=T
When distribution point CRLs are also enabled (when CRLDistSize is greater than zero), you can specify T (True) to create a distribution point ARL.
When DP ARL processing is enabled, PKI Services provides the following support:
  • Creates a single distribution point (DP) for all CA certificates
  • Builds a CRLDistributionPoints extension that contains both the distinguished name form and the URI form of the DP, using the same values (CRLDistSize, CRLDistName, CRLDistURIn, CRLDistDirPath) that are specified in pkiserv.conf for DP CRL processing
DP ARL processing for CA certificates is similar to the DP CRL processing for non-CA certificates with the following differences:
  • There is only one DP ARL. Its name is formed by the value that is specified in the CRLDistName parameter in the CertPolicy section of the pkiserv.conf, appended with 0 (zero). By appending a zero, the name of the DP ARL never conflicts with the name of a DP CRL. For example, if CRLDistName=CRL, then the DP ARL is named CRL0, and the DP CRLs are named CRL1, CRL2, and so forth.
  • The DP ARL is a mirror copy of the global ARL. In other words, each revoked CA certificate appears in both the DP ARL and the global ARL. By contrast, a revoked non-CA certificate is listed in the DP CRL but not in the global CRL when DP CRL processing is enabled.
  • For the LDAP form of the URI, the attribute string that is appended is ?authorityRevocationList. Otherwise, the CRLDistributionPoints extension of a CA certificate looks like that of a non-CA certificate. Figure 1 shows a sample CRLDistributionPoints extension for a CA certificate. The sample contains several different name formats; the LDAP URI format, carrying the ARL attribute string, appears at the end of the sample.
Figure 1. A sample CRLDistributionPoints extension for a certificate authority (CA) certificate
SEQUENCE {
  OBJECT IDENTIFIER cRLDistributionPoints (2 5 29 31)
  OCTET STRING, encapsulates {
    SEQUENCE {
      SEQUENCE {
        [0] {
          [0] {
            [4] {
              SEQUENCE {
                SET {
                  SEQUENCE {
                    OBJECT IDENTIFIER countryName (2 5 4 6)
                    UTF8String (1997) 'US'
                  }
                }
                SET {
                  SEQUENCE {
                    OBJECT IDENTIFIER organizationName (2 5 4 10)
                    UTF8String (1997) 'Mycompany'
                  }
                }
                SET {
                  SEQUENCE {
                    OBJECT IDENTIFIER organizationalUnitName (2 5 4 11)
                    UTF8String (1997) 'Retail'
                  }
                }
                SET {
                  SEQUENCE {
                    OBJECT IDENTIFIER commonName (2 5 4 3)
                    UTF8String (1997) 'CRL0'
                  }
                }
              }
            }
          }
        }
      }
      SEQUENCE {
        [0] {
          [0] {
            [6] 'http://crl.MyCompany.de/CRL0.crl'
          }
        }
      }
      SEQUENCE {
        [0] {
          [0] {
            [6] 'ldap://ldap.MyCompany.de/CN=CRL0,OU=Retail,O=Mycompany,C=US?authorityRevocationList'
          }
        }
      }
    }
  }
}
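The following is an added example and is not PKI Services code. It encodes, in pure-Python DER, the CRLDistributionPoints extension shown in Figure 1 from the kinds of values that CRLDistName, CRLDistURIn and CRLDistDirPath supply, applying the naming rule (CRLDistName with 0 appended for the DP ARL, 1 and up for DP CRLs) and the ?authorityRevocationList attribute string for a CA certificate. It then walks the encoded extension and reports which URIs fetch an ARL, which is the check a relying party needs. The parameter shapes are assumptions: dir_path stands in for CRLDistDirPath as a list of attribute pairs, and http_host and ldap_host stand in for the CRLDistURIn values; the real pkiserv.conf syntax differs. The certificateRevocationList attribute used for the non-CA case is the standard LDAP attribute and is not stated on this page.

```python
# Added example (not PKI Services code): build and inspect the Figure 1 extension.
SEQUENCE, SET, OCTET_STRING, UTF8STRING = 0x30, 0x31, 0x04, 0x0C
CTX0_CONSTRUCTED = 0xA0  # [0] distributionPoint (EXPLICIT) and fullName (IMPLICIT SEQUENCE OF)
CTX4_CONSTRUCTED = 0xA4  # [4] directoryName (EXPLICIT, because Name is a CHOICE)
CTX6_PRIMITIVE = 0x86    # [6] uniformResourceIdentifier (IMPLICIT IA5String)
ATTR_OID = {"C": "2.5.4.6", "O": "2.5.4.10", "OU": "2.5.4.11", "CN": "2.5.4.3"}
CDP_OID = "2.5.29.31"


def der_len(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, content):
    return bytes([tag]) + der_len(len(content)) + content


def oid(dotted):
    """Encode a dotted OID: first two arcs combined, remaining arcs base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return tlv(0x06, bytes(out))


def dp_name(crl_dist_name, index):
    """PKI Services naming: CRLDistName + 0 is the DP ARL, + 1.. are the DP CRLs."""
    return f"{crl_dist_name}{index}"


def directory_name(rdns):
    """[4] directoryName around an RDNSequence (rdns ordered C first, CN last).
    Figure 1 shows every value, including C, as UTF8String, so this does the same."""
    rdn_seq = b"".join(
        tlv(SET, tlv(SEQUENCE, oid(ATTR_OID[t]) + tlv(UTF8STRING, v.encode("utf-8"))))
        for t, v in rdns)
    return tlv(CTX4_CONSTRUCTED, tlv(SEQUENCE, rdn_seq))


def uri(text):
    return tlv(CTX6_PRIMITIVE, text.encode("ascii"))


def distribution_point(general_name):
    """DistributionPoint ::= SEQUENCE { distributionPoint [0] DistributionPointName }
    DistributionPointName ::= CHOICE { fullName [0] GeneralNames }; one GeneralName each."""
    return tlv(SEQUENCE, tlv(CTX0_CONSTRUCTED, tlv(CTX0_CONSTRUCTED, general_name)))


def ldap_uri(host, rdns, ca_cert):
    """LDAP URL of the revocation-list entry; ?authorityRevocationList for a CA
    certificate. ASSUMPTION: the non-CA case uses the standard certificateRevocationList."""
    dn = ",".join(f"{t}={v}" for t, v in reversed(rdns))
    attr = "authorityRevocationList" if ca_cert else "certificateRevocationList"
    return f"ldap://{host}/{dn}?{attr}"


def cdp_extension(crl_dist_name, index, dir_path, http_host, ldap_host, ca_cert):
    """Extension ::= SEQUENCE { extnID OID, extnValue OCTET STRING encapsulating
    CRLDistributionPoints ::= SEQUENCE OF DistributionPoint }.
    ASSUMPTION: dir_path models CRLDistDirPath and the hosts model CRLDistURIn."""
    name = dp_name(crl_dist_name, index)
    rdns = list(dir_path) + [("CN", name)]
    dps = (distribution_point(directory_name(rdns))
           + distribution_point(uri(f"http://{http_host}/{name}.crl"))
           + distribution_point(uri(ldap_uri(ldap_host, rdns, ca_cert))))
    return tlv(SEQUENCE, oid(CDP_OID) + tlv(OCTET_STRING, tlv(SEQUENCE, dps)))


def walk(der):
    """Yield (tag, content) for every TLV at every depth; descends into constructed
    values and into OCTET STRING, because extnValue encapsulates DER (Figure 1)."""
    i = 0
    while i < len(der):
        tag, length = der[i], der[i + 1]
        i += 2
        if length & 0x80:
            n = length & 0x7F
            length = int.from_bytes(der[i:i + n], "big")
            i += n
        content = der[i:i + length]
        i += length
        yield tag, content
        if tag & 0x20 or tag == OCTET_STRING:
            yield from walk(content)


def uris(ext_der):
    """All [6] URI GeneralNames in the extension, in encoded order."""
    return [c.decode("ascii") for t, c in walk(ext_der) if t == CTX6_PRIMITIVE]


def arl_uris(ext_der):
    """URIs that fetch an ARL (LDAP attribute string ?authorityRevocationList)."""
    return [u for u in uris(ext_der) if u.endswith("?authorityRevocationList")]


FIGURE1_PATH = [("C", "US"), ("O", "Mycompany"), ("OU", "Retail")]  # constructed sample

if __name__ == "__main__":
    ext = cdp_extension("CRL", 0, FIGURE1_PATH, "crl.MyCompany.de", "ldap.MyCompany.de", True)
    print(ext.hex())
    print(arl_uris(ext))
```

Running the module prints the DER hex of the Figure 1 extension and the single LDAP URI that ends in ?authorityRevocationList; building the same extension with index 1 and ca_cert=False yields the DP CRL form, whose URIs carry no ARL attribute string.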