What about CA certificates?

z/OS Cryptographic Services PKI Services Guide and Reference, SA23-2286-00
PKI Services can be used to create other subordinate certificate-authority certificates. Since revocation activity against these CA certificates is normally low, PKI Services by default does not partition authority revocation lists (ARLs). You can choose to create a distribution point ARL in a single partition for the purpose of checking the revocation status of CA certificates. (See Creating a distribution point ARL.) When you choose to create a DP ARL, your CA certificates will contain a CRLDistributionPoints extension. When you do not choose to create a DP ARL (ARLDist=F), applications wishing to check the revocation status of a CA certificate must check the global ARL. In addition, when ARLDist=F, CA certificates do not contain a CRLDistributionPoints extension, although they are treated as if they had the extension when determining the partitioning of the global CRL. For instance, with ARLDist=F and CRLDistSize=10, if you issue 10 CA certificates plus one non-CA certificate, the non-CA certificate information would be published to the second distribution point CRL. (The first DP CRL would remain empty.)
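The partitioning rule above is easy to misread, so here is an added model of it (example code, not part of the IBM documentation or of PKI Services). It covers the ARLDist=F case only and assumes certificates are counted in issue order, with each block of CRLDistSize certificates filling one DP CRL; the Cert type and function names are this example's own.

```python
# Added example, not IBM code: models how PKI Services assigns certificates to
# distribution-point CRL partitions when ARLDist=F (no DP ARL).
# Assumptions: certificates are numbered in issue order, and every block of
# CRLDistSize certificates, CA or not, fills one DP CRL partition.
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    serial: int
    is_ca: bool


def dp_partition(position: int, crl_dist_size: int) -> int:
    """1-based DP CRL number for the certificate at 1-based issue position."""
    if crl_dist_size < 1:
        raise ValueError("CRLDistSize must be at least 1")
    return (position - 1) // crl_dist_size + 1


def revocation_source(certs, crl_dist_size):
    """Map each serial to the list an application must consult for its status.

    With ARLDist=F a CA certificate carries no CRLDistributionPoints extension
    and is listed only on the global ARL, yet it still consumes a slot when
    the DP CRL partitions are laid out.
    """
    sources = {}
    for pos, cert in enumerate(certs, start=1):
        if cert.is_ca:
            sources[cert.serial] = "global ARL"
        else:
            sources[cert.serial] = f"DP CRL {dp_partition(pos, crl_dist_size)}"
    return sources


def dp_crl_contents(certs, crl_dist_size):
    """Serials each DP CRL can ever list; partitions left empty are reported too."""
    n_parts = dp_partition(len(certs), crl_dist_size) if certs else 0
    contents = {p: [] for p in range(1, n_parts + 1)}
    for pos, cert in enumerate(certs, start=1):
        if not cert.is_ca:  # CA certificates never appear on a DP CRL here
            contents[dp_partition(pos, crl_dist_size)].append(cert.serial)
    return contents


# Constructed sample matching the text: ten CA certificates, then one
# end-entity certificate, with CRLDistSize=10.
SAMPLE = [Cert(serial=s, is_ca=True) for s in range(1, 11)] + [Cert(serial=11, is_ca=False)]

if __name__ == "__main__":
    print(dp_crl_contents(SAMPLE, 10))        # {1: [], 2: [11]}
    print(revocation_source(SAMPLE, 10)[11])  # DP CRL 2
```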
Copyright IBM Corporation 1990, 2014