z/OS Cryptographic Services PKI Services Guide and Reference


Using the createcrls utility

SA23-2286-00

Purpose

The createcrls program initiates the task that creates certificate revocation lists (CRLs). Later, depending on how PKI Services is configured, the PKI Services daemon either posts the CRLs to an LDAP server (for LDAP) or saves them in the HFS (for the URI format). (The PostInterval parameter in the LDAP section of the configuration file determines when the posting to LDAP occurs.) You can use this program to create a CRL immediately, instead of waiting for PKI Services to do it automatically based on the TimeBetweenCRLs parameter in the configuration file.

Path setup

Update your PATH, LIBPATH, and NLSPATH environment variables with the appropriate pkiserv directory before you run createcrls. (Note that you are updating the environment variables for the user running the utility, not updating values in the PKI Services environment variables file, pkiserv.envars.) Once you have updated these variables, you can run createcrls from the UNIX command line.
Variable name    You must add …
PATH             /install-dir/pkiserv/bin
LIBPATH          /install-dir/pkiserv/lib
NLSPATH          /install-dir/pkiserv/lib/nls/msg/%L/%N
The default directory for install-dir is /usr/lpp.

Format

createcrls [-D CA-Domain-name]

Parameters

-D CA-Domain-name
Specifies the 1-8 character name of the CA domain for which CRLs are to be created. The name can be entered using uppercase or lowercase letters. This option is required only if PKI Services is running with multiple CA domains.

Examples

To create a CRL for the domain mydomain and post the CRL to LDAP, enter the command:
createcrls -D mydomain
To create a CRL and post it to LDAP if you are not running PKI Services with multiple CA domains, enter the command:
createcrls
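
The path setup and the -D rule described above can be combined into one shell helper. This is an added example, not IBM-supplied code: the function names and the PKI_INSTALL_DIR variable are hypothetical, and it assumes a POSIX shell for the user who runs the utility.

```shell
# Added example (hypothetical helper names). Source into the shell of the
# user who runs createcrls; it does not touch pkiserv.envars.

# Prepend $2 to the colon-separated variable named $1 unless already present,
# so sourcing the file repeatedly does not grow the variables.
prepend_once() {
    eval "_cur=\${$1:-}"
    case ":$_cur:" in
        *":$2:"*) ;;                                   # already listed
        *) eval "$1=\"\$2\${_cur:+:\$_cur}\"; export $1" ;;
    esac
}

# Add the pkiserv directories. $1 = install-dir (documented default /usr/lpp).
pki_env() {
    _dir=${1:-/usr/lpp}
    prepend_once PATH    "$_dir/pkiserv/bin"
    prepend_once LIBPATH "$_dir/pkiserv/lib"
    prepend_once NLSPATH "$_dir/pkiserv/lib/nls/msg/%L/%N"
}

# Succeeds for a 1-8 character CA domain name. Only the length is checked,
# because the page states no other restriction on the name.
valid_domain() {
    case $1 in
        ''|?????????*) return 1 ;;                     # empty, or 9+ characters
        *) return 0 ;;
    esac
}

# Run createcrls; pass -D only when a domain name is supplied.
# PKI_INSTALL_DIR is a hypothetical override for install-dir.
run_createcrls() {
    pki_env "${PKI_INSTALL_DIR:-/usr/lpp}"
    if [ $# -eq 0 ]; then
        createcrls
    elif valid_domain "$1"; then
        createcrls -D "$1"
    else
        echo "CA domain name must be 1-8 characters: $1" >&2
        return 2
    fi
}
```

After sourcing the file, run_createcrls mydomain issues createcrls -D mydomain, and run_createcrls with no argument issues the single-domain form.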





Copyright IBM Corporation 1990, 2014