z/OS Cryptographic Services PKI Services Guide and Reference


Enabling support for large CRLs

SA23-2286-00

When LDAP posting of certificate revocation lists (CRLs) is enabled, PKI Services by default temporarily stores CRLs in its object store for posting to LDAP. However, PKI Services limits the size of records in the object store to approximately 32KB, so a CRL stored there cannot be larger than approximately 32KB. As certificates are revoked or suspended within the scope of a CRL, the CRL grows and can exceed this limit. If a CRL exceeds the 32KB limit, PKI Services cannot post it to the LDAP directory.

To avoid this problem, you can configure PKI Services to store CRLs for posting to LDAP in the z/OS® UNIX file system instead of in the object store. When you do this, there is no limit on the size of CRLs.
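To gauge how soon a CRL can reach the limit described above, the following added example (not IBM code and not part of the original guide) DER-encodes a single revokedCertificates entry as defined in RFC 5280 and estimates the entry count at which the CRL first exceeds the limit. The exact limit value, the fixed overhead, the serial number width and the use of a reasonCode extension are assumptions, not values taken from PKI Services.

```python
# Added example: estimate how many revoked-certificate entries a CRL can hold
# before its DER encoding exceeds a size limit. All constants are assumptions.
from datetime import datetime

LIMIT_BYTES = 32 * 1024   # the page says "approximately 32KB"; exact value assumed
FIXED_OVERHEAD = 700      # assumed: issuer name, dates, CRL extensions, signature

def der_len(n):
    """DER definite-length octets for a content length n."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, content):
    """Tag-length-value encoding of one DER element."""
    return bytes([tag]) + der_len(len(content)) + content

def der_integer(value):
    # bit_length() // 8 + 1 always leaves room for the leading sign bit
    return tlv(0x02, value.to_bytes(value.bit_length() // 8 + 1, "big"))

def revoked_entry(serial, when, reason=None):
    """One revokedCertificates element (RFC 5280, section 5.1.2.6)."""
    body = der_integer(serial) + tlv(0x17, when.strftime("%y%m%d%H%M%SZ").encode())
    if reason is not None:
        # crlEntryExtensions holding one reasonCode extension (OID 2.5.29.21)
        ext = tlv(0x30, tlv(0x06, bytes([0x55, 0x1D, 0x15]))
                  + tlv(0x04, tlv(0x0A, bytes([reason]))))
        body += tlv(0x30, ext)
    return tlv(0x30, body)

def entries_until_limit(serial_bytes, reason=None, limit=LIMIT_BYTES):
    """Return (entry count that first exceeds limit, bytes per entry)."""
    when = datetime(2014, 1, 1)                  # constructed sample date
    serial = (1 << (8 * serial_bytes - 1)) - 1   # largest serial of that width
    per_entry = len(revoked_entry(serial, when, reason))
    return (limit - FIXED_OVERHEAD) // per_entry + 1, per_entry

if __name__ == "__main__":
    for reason in (None, 1):                     # 1 = keyCompromise
        print(reason, entries_until_limit(16, reason))
```

Under these assumptions a CRL with 16-byte serial numbers passes 32KB after several hundred revocations, so the count of revoked and suspended certificates per CRL is the figure to watch.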





Copyright IBM Corporation 1990, 2014