z/OS Cryptographic Services PKI Services Guide and Reference


What about CA certificates?

SA23-2286-00

PKI Services can be used to create other subordinate certificate-authority certificates. Since revocation activity against these CA certificates is normally low, PKI Services by default does not partition authority revocation lists (ARLs). You can choose to create a distribution point ARL in a single partition for the purpose of checking the revocation status of CA certificates. (See Creating a distribution point ARL.) When you choose to create a DP ARL, your CA certificates will contain a CRLDistributionPoints extension.

When you do not choose to create a DP ARL (ARLDist=F), applications that want to check the revocation status of a CA certificate must check the global ARL. In addition, when ARLDist=F, CA certificates do not contain a CRLDistributionPoints extension, although they are still counted as if they had the extension when determining the partitioning of the global CRL. For instance, with ARLDist=F and CRLDistSize=10, if you issue 10 CA certificates followed by one non-CA certificate, the revocation information for the non-CA certificate would be published to the second distribution point CRL. (The first DP CRL would remain empty, because the 10 CA certificates occupy its slots but are never published to it.)
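To make the ARLDist=F counting rule concrete, here is a small Python model (added here as an illustration, not code from PKI Services or from this guide) that assigns issued certificates to DP CRL partitions in issuance order and reports which partitions would stay empty; the class and function names, and the assumption that slots are consumed strictly in issuance order, are this example's own.

```python
from dataclasses import dataclass
from math import ceil


@dataclass
class IssuedCert:
    seq: int           # issuance sequence number (1-based); constructed for the example
    is_ca: bool        # True for a subordinate CA certificate
    dp_crl: int        # DP CRL partition whose slot this certificate consumes
    has_cdp_ext: bool  # whether the certificate carries a CRLDistributionPoints extension


def partition_certs(is_ca_flags, crl_dist_size):
    """Model the ARLDist=F partitioning rule described above.

    Every certificate, CA or not, consumes one slot of CRLDistSize in the global
    CRL partitioning (assumed here to be filled strictly in issuance order), but
    only non-CA certificates actually receive the CRLDistributionPoints extension.
    """
    certs = []
    for seq, is_ca in enumerate(is_ca_flags, start=1):
        dp = ceil(seq / crl_dist_size)          # slots 1..N -> DP 1, N+1..2N -> DP 2, ...
        certs.append(IssuedCert(seq, is_ca, dp, has_cdp_ext=not is_ca))
    return certs


def dp_crl_members(certs):
    """Map each DP CRL partition to the non-CA certificates that would be
    published to it if revoked. CA certificates are listed against the global
    ARL instead, so they never appear here even though they consumed a slot."""
    members = {}
    for c in certs:
        members.setdefault(c.dp_crl, [])
        if not c.is_ca:
            members[c.dp_crl].append(c.seq)
    return members


def empty_dp_crls(certs):
    """DP CRL partitions that have slots consumed but no publishable entries."""
    return sorted(dp for dp, m in dp_crl_members(certs).items() if not m)


if __name__ == "__main__":
    # The guide's example: CRLDistSize=10, ten CA certificates then one non-CA certificate.
    issued = partition_certs([True] * 10 + [False], crl_dist_size=10)
    print("non-CA cert lands in DP CRL", issued[-1].dp_crl)   # 2
    print("empty DP CRLs:", empty_dp_crls(issued))             # [1]
```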





Copyright IBM Corporation 1990, 2014