Specifying the URI format

When you choose to use distribution points for CRL and ARL processing, PKI Services updates the CRLDistributionPoints extension with the distinguished name for the LDAP entry where the distribution point is posted. You can choose to add another name to the extension in the URI format which contains the protocol type and the server domain name in addition to the distinguished name. With the URI format, the location of the distribution point is self-contained in the CRLDistributionPoints extension.

The URI format contains the following information:
  • The protocol type (LDAP or HTTP).
  • The server domain name.
  • If the protocol is LDAP:
    • The distinguished name of the distribution point.
    • For non-CA certificates, the attribute string ?certificateRevocationList.
    • For CA certificates, the attribute string ?authorityRevocationList.
  • If the protocol is HTTP, the virtual or real path name where the distribution point CRL is stored, ending with the file name, which is formed from the common name portion of the distinguished name of the distribution point plus the .crl extension.
Examples:
ldap://ldap.bankxyz.com:389/CN=CRLlist1,OU=Bank XYZ Authority,O=Bank XYZ,C=US?certificateRevocationList

http://www.bankxyz.com/PKIServ/cacerts/CRLlist1.crl
Note: This is an example of an HTTP protocol URI using a virtual path name. When using virtual path names in an HTTP URI, a Pass statement is required in the HTTP configuration file to map the virtual path name to a real path name. See Determining CRLDistDirPath for additional information.
Restriction: Special characters, such as spaces, quotation marks, and square brackets, are not considered safe to use in URLs and should be encoded using the appropriate escape sequence. For details, see RFC 1738: Uniform Resource Locators (URL).
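The following added example (not part of the PKI Services documentation or product code) assembles the LDAP and HTTP forms of the URI described above from a distribution point's distinguished name, applies the CRL or ARL attribute string depending on whether the certificate is a CA certificate, and percent-encodes the characters the restriction above calls unsafe. The HTTP virtual path /PKIServ/cacerts/ is taken from the page's example; the simple DN splitting (no escaped commas) and the `common_name`, `build_crl_uri` and `is_url_safe` helper names are assumptions.

```python
from urllib.parse import quote

# Attribute strings from the page: CRL for non-CA certificates, ARL for CA certificates.
LDAP_ATTR = {False: "certificateRevocationList", True: "authorityRevocationList"}
# Characters RFC 1738 lists as unsafe in a URL (space, quotes, brackets, and so on).
UNSAFE = set(' "<>[]{}|\\^`')


def common_name(dn):
    """Return the CN value of a distribution point DN.
    Assumption: a simple DN with no escaped commas inside attribute values."""
    for rdn in dn.split(","):
        attr, _, value = rdn.strip().partition("=")
        if attr.upper() == "CN":
            return value
    raise ValueError("distribution point DN has no CN component")


def build_crl_uri(protocol, host, dn, is_ca=False, port=None, http_dir="/PKIServ/cacerts/"):
    """Build a CRLDistributionPoints URI in the format described on the page.
    http_dir is the virtual path that a Pass statement must map to a real path."""
    authority = host if port is None else f"{host}:{port}"
    if protocol.lower() == "ldap":
        # Keep the DN separators readable; percent-encode spaces and other unsafe characters.
        return f"ldap://{authority}/{quote(dn, safe='=,')}?{LDAP_ATTR[bool(is_ca)]}"
    if protocol.lower() == "http":
        # File name is the CN portion of the DN plus the .crl extension.
        return f"http://{authority}{http_dir}{quote(common_name(dn))}.crl"
    raise ValueError("protocol must be 'ldap' or 'http'")


def is_url_safe(uri):
    """True if the URI contains none of the RFC 1738 unsafe characters."""
    return not any(c in UNSAFE for c in uri)


if __name__ == "__main__":
    dn = "CN=CRLlist1,OU=Bank XYZ Authority,O=Bank XYZ,C=US"   # DN from the page's example
    for uri in (build_crl_uri("ldap", "ldap.bankxyz.com", dn, port=389),
                build_crl_uri("ldap", "ldap.bankxyz.com", dn, is_ca=True, port=389),
                build_crl_uri("http", "www.bankxyz.com", dn)):
        print(uri, "safe" if is_url_safe(uri) else "UNSAFE")
```

Passing the page's LDAP example string to `is_url_safe` as written (with literal spaces in the DN) returns False, which is the condition the restriction above warns about.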