Customizing distribution point CRLs
If your PKI Services installation is very active, many certificates can be in the revoked state at any one time. Therefore, the certificate revocation list (CRL) can become quite large, causing considerable network traffic and overhead to an application wanting to process it. Publishing partial CRLs to multiple distribution point (DP) CRLs is a way of keeping your CRLs small.
Guideline: Consider using distribution point CRLs if you anticipate averaging more than 500 revoked non-expired certificates at any given time.
- CRLDistSize: Specifies the maximum number of certificates to be managed by a single DP. This is the number of entries a DP CRL would contain if every active certificate it covers were revoked at once.
- CRLDistName: Specifies the file name, or the constant portion of the leaf-node RDN, for the CRL distribution point.
You can choose to further customize your DP CRL processing to build the URI format name for the distribution point in the CRLDistributionPoints extension of each certificate. This allows your certificate validation programs to retrieve the CRL dynamically without being preconfigured with LDAP bind information. However, because bind credentials cannot be added to DP CRLs with URI format names, the CRL is retrieved using anonymous access.
- CRLDistURIn: Specifies the name for the DP CRL in the form of a URI that adds the protocol type and the server domain name.
- CRLDistDirPath: Specifies the full path for the file system directory where PKI Services saves each DP CRL.
You can also choose to have PKI Services create a CRLDistributionPoints extension for each CA certificate in addition to non-CA certificates. You choose this by customizing the ARLDist parameter in the CertPolicy section of the pkiserv.conf file. This creates a distribution-point authority-revocation list (DP ARL) for your CA certificates. See Creating a distribution point ARL for details.