Steps for customizing distribution point CRLs

Before you begin

Be aware of the following restrictions:
  • If running PKI Services in a sysplex, all instances of PKI Services must specify the same values for the parameters CRLDistURIn (for all values of n), CRLDistDirPath, CRLDistSize, and CRLDistName.
  • Once a value for CRLDistName has been set, it must not be changed or removed from the configuration file.
  • Once a nonzero value has been set for CRLDistSize, it must not be changed back to zero or removed from the configuration file. Adjusting the value is acceptable.

Procedure

Perform the following steps to customize distribution point CRLs:
  1. Determine your value for the CRLDistSize parameter based on the following algorithm. The default value specified in pkiserv.conf is 500. Base your value on the average number of CRL entries per distribution point that you want and on your estimated revoked-certificate percentage, as expressed by the following formula:
    CRLDistSize = E / P
    where E is the wanted average number of CRL entries per distribution point and P is the estimated revoked-certificate percentage.
    Example: If you estimate that 10% of the non-expired certificates are in the revoked state at any time and you want the CRLs to average about 100 entries each, then:
    CRLDistSize = 100 / 0.10 = 1000
    The size of a CRL in bytes can be roughly estimated as 500 + (25 × number of CRL entries). Using the example above, the average CRL size would be 500 + (25 × 100) = 3000 bytes.
    Note: The longer the CRL, the longer it takes to process it.

    Restriction: When CRLs are posted to LDAP, a single CRL cannot exceed approximately 32 K bytes in length, unless you have enabled support for large CRLs. For more information, see Enabling support for large CRLs. Therefore, if a CRL is posted to LDAP and you have not enabled support for large CRLs, you must limit the length of the CRL.

    Rules:
    1. The value of CRLDistSize is a numeric value from 0 to 2147483647.
    2. A nonzero value indicates that distribution point (DP) CRLs are created.
    3. A value of zero (the default) indicates that DP CRL processing is not performed.
    Guideline: If you anticipate a low revocation rate for active certificates, use a value of 0. Your installation might not need to use distribution point CRLs and the global CRL might be sufficient.

    _______________________________________________________________

  2. If necessary, update the value of CRLDistSize in the CertPolicy section of pkiserv.conf to the customized value you determined in Step 1.

    If you selected the 0 value for CRLDistSize, complete this step and then continue with Step 12.

    _______________________________________________________________

  3. Determine your value for the CRLDistName parameter. The default value is CRL. The common name portion of the distinguished name of each DP CRL is formed by appending the DP number to this value. The CA's name is also appended. (See How DP CRLs are published.)
    Example:
    CN=CRL3,OU=My Company Certificate Authority,O=My Company,C=US
    Restrictions:
    1. The value of CRLDistName must contain only alphanumeric characters.
    2. The length of the entire DP distinguished name should not exceed 255 bytes. (DP distinguished names that are longer appear truncated in the PKIDPUBR audit record.)

    _______________________________________________________________

  4. If necessary, update the value of CRLDistName in the CertPolicy section of pkiserv.conf to your customized value.

    _______________________________________________________________

  5. Optionally, determine your value for the CRLDistURIn parameter. Specifying this value allows PKI Services to build a URI-formatted name for the DP CRL in each CRLDistributionPoints extension, if you also specified a CRLDistSize value greater than 1 in Step 2. The URI-formatted name is built in addition to the LDAP distinguished name of the DP CRL in each CRLDistributionPoints extension. If you do not specify a CRLDistURIn value, the URI-formatted name is not created. See Specifying the URI format.

    You can specify multiple entries for the CRLDistURIn parameter, using the parameters CRLDistURI1, CRLDistURI2, and so forth.

    _______________________________________________________________

  6. If necessary, update the value of CRLDistURIn in the CertPolicy section of pkiserv.conf to your customized value or values.

    _______________________________________________________________

  7. If all the protocol definitions for the URIs you specified with CRLDistURIn in Step 5 are the LDAP protocol, decide whether you want to enable support for large CRLs. If you choose to enable large CRLs, follow the instructions in Enabling support for large CRLs. Then skip to Step 10.

    _______________________________________________________________

  8. If a protocol definition for the URI you specified with CRLDistURIn in Step 5 is HTTP protocol, determine your value for the CRLDistDirPath parameter.

    The CRLDistDirPath parameter specifies the full path of the var directory where PKI Services saves each DP CRL. The default value is /var/pkiserv/. The value can be specified with or without the trailing slash. See Determining CRLDistDirPath.

    _______________________________________________________________

  9. If necessary, update the value of CRLDistDirPath in the CertPolicy section of pkiserv.conf to your customized value.

    _______________________________________________________________

  10. Optionally, determine your value for the ARLDist parameter. Specifying this parameter creates a distribution point ARL so you can check revocation status for CA certificates without accessing the global ARL. See Creating a distribution point ARL.

    _______________________________________________________________

  11. If necessary, update the value of ARLDist in the CertPolicy section of pkiserv.conf to your customized value.

    _______________________________________________________________

  12. If you made any updates to pkiserv.conf, stop and restart PKI Services to make your changes effective.

    _______________________________________________________________

When you have finished: If you selected a CRLDistSize value greater than zero, you have set up distribution point CRLs. Newly created certificates now contain the CRLDistributionPoints extension indicating the location of the DP CRL that is checked for revocation information. If you specified a URI-formatted name with CRLDistURIn, your CRLDistributionPoints extensions now also contain a URI name for each DP CRL, containing the protocol type and server domain name. If you enabled the ARLDist option, you have set up a distribution point ARL for CA certificates.
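As an added planning aid (not part of PKI Services or this documentation), the following Python script applies the Step 1 sizing formula and the rules from Steps 1 through 9 to a constructed pkiserv.conf fragment: it computes CRLDistSize from the wanted entries per DP and the revoked percentage, estimates the average DP CRL size with the page's 500 + 25-per-entry rule, and flags the 32 K LDAP limit, a non-alphanumeric CRLDistName, an out-of-range CRLDistSize, and a non-absolute CRLDistDirPath when an HTTP URI is used. The [CertPolicy] key=value layout, the hostnames in the URIs, and the large_crls_enabled flag are assumptions; the page names no parameter for large-CRL support.

```python
import re

# Constructed sample fragment in pkiserv.conf's [Section] key=value layout (assumption).
SAMPLE_CONF = """\
[CertPolicy]
CRLDistSize=1000
CRLDistName=CRL
CRLDistURI1=ldap://ldap.example.com
CRLDistURI2=http://crl.example.com/
CRLDistDirPath=/var/pkiserv/
"""
LDAP_CRL_LIMIT = 32 * 1024  # ~32 K bytes per CRL posted to LDAP without large-CRL support

def parse_cert_policy(text):
    """Return the key=value pairs found under [CertPolicy]."""
    policy, section = {}, None
    for line in filter(None, map(str.strip, text.splitlines())):
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "CertPolicy" and "=" in line:
            key, value = line.split("=", 1)
            policy[key.strip()] = value.strip()
    return policy

def crl_dist_size(avg_entries, revoked_pct):
    """Step 1 formula: CRLDistSize = E / P (E entries per DP, P revoked fraction)."""
    return round(avg_entries / revoked_pct)

def estimate_crl_bytes(entries):
    """Page's rule of thumb: 500 + 25 bytes per CRL entry."""
    return 500 + 25 * entries

def check_dp_crl_config(policy, revoked_pct, large_crls_enabled=False):
    """Apply the procedure's rules and restrictions; return a list of findings."""
    findings = []
    size = int(policy.get("CRLDistSize", "500"))
    if not 0 <= size <= 2147483647:
        return ["CRLDistSize must be 0 - 2147483647"]
    if size == 0:
        return findings  # DP CRL processing is off; nothing else applies
    if not re.fullmatch(r"[A-Za-z0-9]+", policy.get("CRLDistName", "CRL")):
        findings.append("CRLDistName must contain only alphanumeric characters")
    uris = [v.lower() for k, v in policy.items() if re.fullmatch(r"CRLDistURI\d+", k)]
    # Expected average entries per DP is the Step 1 formula solved for E: E = CRLDistSize * P
    avg_bytes = estimate_crl_bytes(round(size * revoked_pct))
    if any(u.startswith("ldap://") for u in uris) and not large_crls_enabled and avg_bytes > LDAP_CRL_LIMIT:
        findings.append(f"average DP CRL ~{avg_bytes} bytes exceeds the 32 K LDAP limit; lower CRLDistSize or enable large CRLs")
    if any(u.startswith("http://") for u in uris) and not policy.get("CRLDistDirPath", "/var/pkiserv/").startswith("/"):
        findings.append("CRLDistDirPath must be the full path of the directory where DP CRLs are saved")
    return findings
```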