How DP CRLs are partitioned

The partitioning of the overall CRL into partial CRLs is based on the certificate serial number and the value of CRLDistSize in pkiserv.conf. For example, if CRLDistSize is 100 and CRLDistName is ABC, then certificates with serial numbers 1-100 appear on DP ABC1, certificates with serial numbers 101-200 appear on DP ABC2, and so on. PKI Services dynamically creates DP CRLs as needed as part of certificate issuance. Existing DP CRLs are refreshed along with the global CRL during CRL interval processing.

As certificates expire, they are no longer eligible for revocation and do not appear on any CRL. Therefore, once every certificate in a distribution point's serial number range has expired, that distribution point becomes inactive. PKI Services automatically retires DP CRLs that become inactive by no longer publishing their CRLs. However, retired DP CRLs previously published to LDAP remain in LDAP; PKI Services makes no attempt to delete them, so stale DP CRL entries in LDAP must be cleaned up by the administrator if they are unwanted.

Even when using distribution point CRLs, the single non-DP CRL (global CRL) is still created. A revoked certificate that contains the CRLDistributionPoints extension appears only on the appropriate DP CRL, not on the global CRL; a revoked certificate without that extension (for example, one issued before DP CRLs were enabled) appears only on the global CRL.
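The following Python model illustrates the partitioning, retirement and global-versus-DP placement rules described above. It is an added example, not PKI Services code, and it assumes: serial numbers start at 1 and map to DP index ((serial - 1) // CRLDistSize) + 1; a DP exists once any certificate carrying the CRLDistributionPoints extension has been issued in its range; and a DP is retired when every certificate in its range has expired. The certificate list is constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Assumed pkiserv.conf settings for the example (matching the text above).
CRL_DIST_SIZE = 100
CRL_DIST_NAME = "ABC"


def dp_name(serial, size=CRL_DIST_SIZE, name=CRL_DIST_NAME):
    """Map a 1-based certificate serial number to its DP CRL name.

    Serials 1..size -> name1, size+1..2*size -> name2, and so on.
    """
    if serial < 1 or size < 1:
        raise ValueError("serial and CRLDistSize must be positive")
    return f"{name}{(serial - 1) // size + 1}"


@dataclass
class Cert:
    serial: int
    not_after: datetime
    revoked: bool
    has_cdp: bool  # certificate carries the CRLDistributionPoints extension


def build_crls(certs, now, size=CRL_DIST_SIZE, name=CRL_DIST_NAME):
    """Return (global_crl, published_dp_crls, retired_dps).

    - Expired certificates are never listed on any CRL.
    - Revoked certs with the CDP extension go on their DP CRL only.
    - Revoked certs without the extension go on the global CRL only.
    - A DP with no unexpired certificates is retired (no longer published).
    """
    global_crl = []
    dp_crls = {}     # every DP that was ever created by issuance
    active = set()   # DPs that still hold at least one unexpired cert
    for c in certs:
        dp = None
        if c.has_cdp:
            dp = dp_name(c.serial, size, name)
            dp_crls.setdefault(dp, [])
            if c.not_after > now:
                active.add(dp)
        if not c.revoked or c.not_after <= now:
            continue  # not revoked, or expired: not on any CRL
        if dp is not None:
            dp_crls[dp].append(c.serial)
        else:
            global_crl.append(c.serial)
    published = {dp: sorted(s) for dp, s in dp_crls.items() if dp in active}
    retired = sorted(set(dp_crls) - active)
    return sorted(global_crl), published, retired


# Constructed sample data: "now" and a handful of certificates.
NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)
FUTURE = datetime(2030, 1, 1, tzinfo=timezone.utc)
PAST = datetime(2020, 1, 1, tzinfo=timezone.utc)

SAMPLE_CERTS = [
    Cert(5, FUTURE, revoked=True, has_cdp=True),      # ABC1, listed there
    Cert(100, FUTURE, revoked=False, has_cdp=True),   # ABC1, keeps ABC1 active
    Cert(101, FUTURE, revoked=True, has_cdp=True),    # ABC2, listed there
    Cert(150, PAST, revoked=True, has_cdp=True),      # ABC2, expired: dropped
    Cert(250, PAST, revoked=True, has_cdp=True),      # ABC3, expired: ABC3 retired
    Cert(7, FUTURE, revoked=True, has_cdp=False),     # no CDP ext: global CRL only
]


def sample_run():
    return build_crls(SAMPLE_CERTS, NOW)


if __name__ == "__main__":
    g, p, r = sample_run()
    print("global CRL:", g)
    print("published DP CRLs:", p)
    print("retired DPs (stale copies may remain in LDAP):", r)
```

Note that the retired list is exactly what an administrator would need in order to remove stale DP CRL entries from LDAP, since PKI Services leaves them in place.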