z/OS Cryptographic Services PKI Services Guide and Reference


Specifying the URI format

SA23-2286-00

When you choose to use distribution points for CRL and ARL processing, PKI Services updates the CRLDistributionPoints extension with the distinguished name of the LDAP entry where the distribution point is posted. You can choose to add another name to the extension in the URI format, which contains the protocol type and the server domain name in addition to the distinguished name. With the URI format, the location of the distribution point is self-contained in the CRLDistributionPoints extension.

The URI format contains the following information:
  • the protocol type (LDAP or HTTP)
  • the server domain name
  • if the protocol is LDAP:
    • the distinguished name of the distribution point
    • for non-CA certificates, the attribute string ?certificateRevocationList
    • for CA certificates, the attribute string ?authorityRevocationList
  • if the protocol is HTTP, the virtual or real pathname where the distribution point CRL is stored, ending with the file name, which is formed from the common name portion of the distinguished name of the distribution point plus the .crl extension.
Examples:
ldap://ldap.bankxyz.com:389/CN=CRLlist1,OU=Bank XYZ Authority,O=Bank XYZ,C=US?certificateRevocationList

http://www.bankxyz.com/PKIServ/cacerts/CRLlist1.crl
Note: This is an example of an HTTP protocol URI using a virtual pathname. When using virtual pathnames in an HTTP URI, a Pass statement will be required in the HTTP configuration file to map the virtual pathname to a real pathname. See Determining CRLDistDirPath for additional information.
Restriction: Special characters, such as spaces, quotation marks, and square brackets, are not considered safe to use in URLs and should be encoded using the appropriate escape sequence. For details, see RFC 1738: Uniform Resource Locators (URL).
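As an added illustration (this is not IBM's code), the following Python builds the LDAP and HTTP URI forms described above for a distribution point DN, percent-encodes the unsafe characters named in the restriction, and checks that a given URI has the documented shape; the host names and directory path are constructed for the example.

```python
import re
from urllib.parse import quote, urlparse

# LDAP attribute strings for non-CA (CRL) and CA (ARL) distribution points.
LDAP_CRL_ATTR = "certificateRevocationList"
LDAP_ARL_ATTR = "authorityRevocationList"
# Characters RFC 1738 calls unsafe; they must never appear raw in a URI.
UNSAFE = set(' "<>[]{}|\\^`')


def common_name(dn: str) -> str:
    """Return the value of the first CN= RDN in a distinguished name."""
    for rdn in re.split(r"(?<!\\),", dn):  # split only on unescaped commas
        key, _, value = rdn.strip().partition("=")
        if key.upper() == "CN":
            return value
    raise ValueError("distinguished name has no CN component")


def ldap_cdp_uri(host: str, dn: str, ca_cert: bool = False, port: int = 389) -> str:
    """LDAP form: ldap://host:port/<escaped DN>?<CRL or ARL attribute>."""
    attr = LDAP_ARL_ATTR if ca_cert else LDAP_CRL_ATTR
    # '=' and ',' are DN syntax; everything else unsafe (spaces, quotes,
    # brackets, '/') is percent-encoded as RFC 1738 requires.
    return f"ldap://{host}:{port}/{quote(dn, safe='=,')}?{attr}"


def http_cdp_uri(host: str, path: str, dn: str) -> str:
    """HTTP form: http://host/<path>/<CN portion of the DN>.crl."""
    return f"http://{host}/{path.strip('/')}/{quote(common_name(dn))}.crl"


def check_cdp_uri(uri: str, ca_cert: bool = False) -> bool:
    """True if uri matches the documented shape and has no raw unsafe characters."""
    if any(c in UNSAFE for c in uri):
        return False
    parts = urlparse(uri)
    if parts.scheme == "ldap":
        expected = LDAP_ARL_ATTR if ca_cert else LDAP_CRL_ATTR
        return bool(parts.netloc) and "CN=" in parts.path.upper() and parts.query == expected
    if parts.scheme == "http":
        return bool(parts.netloc) and parts.path.lower().endswith(".crl") and not parts.query
    return False


if __name__ == "__main__":
    dn = "CN=CRLlist1,OU=Bank XYZ Authority,O=Bank XYZ,C=US"  # constructed sample DN
    print(ldap_cdp_uri("ldap.bankxyz.com", dn))
    print(http_cdp_uri("www.bankxyz.com", "/PKIServ/cacerts", dn))
```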





Copyright IBM Corporation 1990, 2014