Customizing distribution point CRLs

z/OS Cryptographic Services PKI Services Guide and Reference SA23-2286-00
If your PKI Services installation is very active, many certificates can be in the revoked state at any one time. The certificate revocation list (CRL) can therefore become quite large, causing considerable network traffic and overhead for an application that needs to process it. Publishing partial CRLs to multiple distribution point (DP) CRLs is a way of keeping your CRLs small.

Guideline: Consider using distribution point CRLs if you anticipate averaging more than 500 revoked, non-expired certificates at any given time.

You begin using distribution point CRLs when you accept the default settings contained in the PKI Services configuration file (pkiserv.conf). You can customize those settings by specifying the number of certificates per DP CRL and by specifying the name of the DP CRL using the following two parameters in the CertPolicy section of pkiserv.conf:

You can further customize your DP CRL processing to build the URI format name for the distribution point in the CRLDistributionPoints extension of each certificate. This allows your certificate validation programs to retrieve a CRL dynamically without being preconfigured with LDAP bind information. However, because bind credentials cannot be added to DP CRLs with URI format names, anonymous access is used to retrieve the CRL. The URI format name is built in addition to the LDAP distinguished name of the DP CRL, which is always added when CRLDistSize is greater than zero. You can add the URI format name by customizing the following two parameters in the CertPolicy section of pkiserv.conf:

You can also choose to have PKI Services create a CRLDistributionPoints extension for each CA certificate in addition to non-CA certificates. You choose this by customizing the ARLDist parameter in the CertPolicy section of pkiserv.conf. This creates a distribution-point authority-revocation list (DP ARL) for your CA certificates. See Creating a distribution point ARL for details.
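The paragraph above describes what a validating application sees: a CRLDistributionPoints extension that carries an LDAP distinguished name (usable only with preconfigured bind information) and, optionally, a URI name that can be fetched anonymously. The following script is an added example, not code from the PKI Services product or documentation. It assumes the PyCA `cryptography` package, builds a self-signed test certificate inline with one distribution point of each kind (the DN, URL and CA name are constructed for the demo), and then classifies each distribution point name so that an operator can confirm which CRL locations a validator could reach without LDAP credentials.

```python
"""Classify the distribution point names in a certificate's
CRLDistributionPoints extension.

Added example (not PKI Services code). Assumes the PyCA `cryptography`
package. The certificate, DN and URL below are constructed for the demo.
"""
from datetime import datetime, timedelta, timezone

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import NameOID

# Constructed sample values (not from any real PKI Services installation).
SAMPLE_DP_URI = "ldap://ldap.example/cn=CRL1,o=Example%20CA?certificateRevocationList"


def build_sample_cert() -> x509.Certificate:
    """Self-signed test certificate with two distribution point names:
    an LDAP directory name (needs preconfigured bind info) and a URI
    (retrieved with anonymous access)."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "demo-ca.example")])
    dp_dn = x509.Name([
        x509.NameAttribute(NameOID.COMMON_NAME, "CRL1"),
        x509.NameAttribute(NameOID.ORGANIZATION_NAME, "Example CA"),
    ])
    cdp = x509.CRLDistributionPoints([
        x509.DistributionPoint(full_name=[x509.DirectoryName(dp_dn)],
                               relative_name=None, reasons=None, crl_issuer=None),
        x509.DistributionPoint(full_name=[x509.UniformResourceIdentifier(SAMPLE_DP_URI)],
                               relative_name=None, reasons=None, crl_issuer=None),
    ])
    now = datetime.now(timezone.utc)
    return (
        x509.CertificateBuilder()
        .subject_name(subject)
        .issuer_name(subject)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now)
        .not_valid_after(now + timedelta(days=1))
        .add_extension(cdp, critical=False)
        .sign(key, hashes.SHA256())
    )


def classify_distribution_points(cert: x509.Certificate) -> list:
    """Return (kind, value) pairs for every distribution point name.

    kind is "uri" for names a validator can fetch without preconfigured
    bind information, "ldap_dn" for LDAP distinguished names, or "other".
    A certificate without the extension yields an empty list.
    """
    try:
        ext = cert.extensions.get_extension_for_class(x509.CRLDistributionPoints)
    except x509.ExtensionNotFound:
        return []
    found = []
    for dp in ext.value:
        for name in dp.full_name or []:
            if isinstance(name, x509.UniformResourceIdentifier):
                found.append(("uri", name.value))
            elif isinstance(name, x509.DirectoryName):
                found.append(("ldap_dn", name.value.rfc4514_string()))
            else:
                found.append(("other", str(name)))
    return found


def anonymous_crl_locations(cert: x509.Certificate) -> list:
    """URIs a validator could retrieve without bind credentials."""
    return [value for kind, value in classify_distribution_points(cert) if kind == "uri"]


if __name__ == "__main__":
    cert = build_sample_cert()
    for kind, value in classify_distribution_points(cert):
        print(f"{kind:8} {value}")
    print("anonymous retrieval possible via:", anonymous_crl_locations(cert))
```

Run the script against a real end-entity certificate by replacing `build_sample_cert()` with `x509.load_pem_x509_certificate(open(path, "rb").read())`; a certificate issued with only the default DP CRL settings will show `ldap_dn` entries and no `uri` entries, which is the case where validators still need preconfigured LDAP bind information.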
Copyright IBM Corporation 1990, 2014