Enabling support for large CRLs
When LDAP posting of certificate revocation lists (CRLs) is enabled, PKI Services by default stores each CRL temporarily in its object store until it is posted to LDAP. However, PKI Services limits the size of an object store record to approximately 32 KB, so a CRL stored there cannot exceed approximately 32 KB. As certificates within the scope of a CRL are revoked or suspended, the CRL grows and can exceed this limit. If a CRL exceeds the 32 KB limit, PKI Services cannot post it to the LDAP directory.
To avoid this problem, you can configure PKI Services to store CRLs for posting to LDAP in the z/OS® UNIX file system instead of in the object store. The distribution point CRLs and distribution point ARLs are stored using the same file name format that is used when an http-format CRLDistURIn is specified. In addition, when large CRL support is enabled, the global CRLs and ARLs are also stored in the z/OS UNIX file system, using file names formed from the CRLDistName value followed by _MCRL.crl or _MARL.crl. For example, if CRLDistName=CRL, the global CRL file name is CRL_MCRL.crl and the global ARL file name is CRL_MARL.crl. Because the files are no longer held in the object store, the 32 KB record limit no longer applies and PKI Services imposes no limit on the size of CRLs.
Note: When EnableLargeCRLPosting is set to T, it is recommended that you also enable the CRLEnhancements keyword by setting it to T, to reduce the CPU and memory usage required to build CRLs and post them to LDAP.
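The following shell script is an added example; it is not part of the PKI Services documentation or product. It derives the global CRL and ARL file names that large CRL posting forms from a CRLDistName value, and checks whether the files written to the z/OS UNIX file system exceed the approximately 32 KB object store record limit (assumed here to be 32768 bytes). This lets you confirm, after enabling EnableLargeCRLPosting=T, that a CRL which previously could not be posted from the object store is now being written to the file system. The directory argument is whatever location your CRLDistURIn configuration writes to; the script makes no assumption about it.

```shell
#!/bin/sh
# Added example (not from the z/OS PKI Services documentation).
# Usage: check_large_crl_files /path/to/crl/dir CRL
#   where the second argument is the CRLDistName value from pkiserv.conf.

# Approximate object store record limit in bytes; 32*1024 is an assumption,
# the documentation only says "approximately 32 KB".
OBJSTORE_LIMIT=32768

# Print the global CRL and ARL file names for a CRLDistName value,
# following the documented rule: CRLDistName + _MCRL.crl / _MARL.crl.
# Example: "CRL" -> "CRL_MCRL.crl CRL_MARL.crl"
global_crl_filenames() {
    printf '%s_MCRL.crl %s_MARL.crl\n' "$1" "$1"
}

# Size of a file in bytes (tr strips the leading spaces some wc builds emit).
file_size() {
    wc -c < "$1" | tr -d ' '
}

# Return 0 if the file at $1 is larger than the object store limit, that is,
# it could only be posted to LDAP with large CRL support; 1 if it fits;
# 2 if the file does not exist.
exceeds_objstore_limit() {
    [ -f "$1" ] || return 2
    size=$(file_size "$1")
    [ "$size" -gt "$OBJSTORE_LIMIT" ]
}

# Check the global CRL and ARL files for one CRLDistName under a directory.
# Prints one line per file: name, size, and whether it needs large CRL support.
check_large_crl_files() {
    dir=$1
    distname=$2
    for f in $(global_crl_filenames "$distname"); do
        path="$dir/$f"
        if [ ! -f "$path" ]; then
            printf '%s: missing\n' "$f"
            continue
        fi
        size=$(file_size "$path")
        if exceeds_objstore_limit "$path"; then
            printf '%s: %s bytes, exceeds the object store limit; requires EnableLargeCRLPosting=T\n' "$f" "$size"
        else
            printf '%s: %s bytes, within the object store limit\n' "$f" "$size"
        fi
    done
}

# Run the check when invoked directly with a directory and a CRLDistName.
if [ "$#" -eq 2 ]; then
    check_large_crl_files "$1" "$2"
fi
```

A CRL reported as exceeding the limit is one that would have failed to post from the object store; seeing it present in the file system confirms that large CRL support is in effect for that distribution name.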