Steps for customizing distribution point CRLs
Before you begin
Be aware of the following restrictions:
- If running PKI Services in a sysplex, all instances of PKI Services must specify the same values for the parameters CRLDistURIn (for all values of n), CRLDistDirPath, CRLDistSize, and CRLDistName.
- Once a value for CRLDistName has been set, it must not be changed or removed from the configuration file.
- Once a nonzero value has been set for CRLDistSize, it must not be changed back to zero or removed from the configuration file. Adjusting the value is acceptable.
Procedure
1. Determine your value for the CRLDistSize parameter. The sample pkiserv.conf specifies a value of 500. Base your value on the average number of CRL entries you want per distribution point and your estimated revoked-certificate percentage, using the following formula:

   CRLDistSize = E / P

   where:
   - E is the wanted average number of CRL entries per distribution point.
   - P is the estimated revoked-certificate percentage, expressed as a fraction.

   Example: If you estimate that 10% of the non-expired certificates are in the revoked state at any time and you want the CRLs to average about 100 entries each, then:

   CRLDistSize = 100 / 0.10 = 1000

   The length of a CRL in bytes can be roughly estimated as 500 + (25 × number of CRL entries). Using the example above, the average CRL size would be 500 + (25 × 100) = 3000 bytes.

   Note: The longer the CRL, the longer it takes to process it.

   Restriction: When CRLs are posted to LDAP, a single CRL cannot exceed approximately 32 K bytes in length unless you have enabled support for large CRLs. For more information, see Enabling support for large CRLs. Therefore, if a CRL is posted to LDAP and you have not enabled support for large CRLs, you must limit the length of the CRL.

   Rules:
   - The value of CRLDistSize is a numeric value from 0 - 2147483647.
   - A nonzero value indicates that distribution point (DP) CRLs are created.
   - A value of zero (the default when the parameter is omitted) indicates that DP CRL processing is not performed.

2. If necessary, update the value of CRLDistSize in the CertPolicy section of pkiserv.conf to the customized value you determined in Step 1. If you selected a value of 0 for CRLDistSize, complete this step and then continue with Step 12.
3. Determine your value for the CRLDistName parameter. The default value is CRL. The common name portion of the distinguished name of each DP CRL is formed by appending the DP number to this value; the CA's name is then appended. (See How DP CRLs are published.)

   Example: With the default CRLDistName of CRL, the distinguished name of the third DP CRL is:

   CN=CRL3,OU=My Company Certificate Authority,O=My Company,C=US

   Restrictions:
   - The value of CRLDistName must contain only alphanumeric characters.
   - The length of the entire DP distinguished name should not exceed 255 bytes. (DP distinguished names that are longer appear truncated in the PKIDPUBR audit record.)

4. If necessary, update the value of CRLDistName in the CertPolicy section of pkiserv.conf to your customized value.
5. Optionally, determine your value for the CRLDistURIn parameter. Specifying this value allows PKI Services to build a URI-formatted name for the DP CRL in each CRLDistributionPoints extension, if you also specified a CRLDistSize value greater than 1 in Step 2. The URI format name is built in addition to the LDAP distinguished name of the DP CRL in each CRLDistributionPoints extension. If you do not specify a CRLDistURIn value, the URI format name is not created. See Specifying the URI format.

   You can specify multiple entries for the CRLDistURIn parameter, using the parameters CRLDistURI1, CRLDistURI2, and so forth.

6. If necessary, update the value of CRLDistURIn in the CertPolicy section of pkiserv.conf to your customized value or values.
7. If all the protocol definitions for the URIs you specified with CRLDistURIn in Step 5 are the LDAP protocol, decide whether you want to enable support for large CRLs. If you choose to enable large CRLs, follow the instructions in Enabling support for large CRLs. Then skip to Step 10.

8. If a protocol definition for a URI you specified with CRLDistURIn in Step 5 is the HTTP protocol, determine your value for the CRLDistDirPath parameter. The CRLDistDirPath parameter specifies the full path of the directory where PKI Services saves each DP CRL. The default value is /var/pkiserv/. The value can be specified with or without the trailing slash. See Determining CRLDistDirPath.

9. If necessary, update the value of CRLDistDirPath in the CertPolicy section of pkiserv.conf to your customized value.
10. Optionally, determine your value for the ARLDist parameter. Specifying this parameter creates a distribution point ARL so you can check revocation status for CA certificates without accessing the global ARL. See Creating a distribution point ARL.

11. If necessary, update the value of ARLDist in the CertPolicy section of pkiserv.conf to your customized value.

12. If you made any updates to pkiserv.conf, stop and restart PKI Services to make your changes effective.
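The following Python script is an added example, not IBM-supplied code and not part of the original page. It applies the Step 1 sizing formula and the rules from the "Before you begin" restrictions and Steps 1 through 9 to a CertPolicy section before PKI Services is restarted: it computes CRLDistSize from E and P, estimates the resulting CRL length, builds the DP CRL distinguished name and checks its 255-byte limit, inspects the protocol of each CRLDistURIn value, and flags configurations that would exceed the approximately 32 K byte LDAP limit without large-CRL support. It assumes the INI-style layout of pkiserv.conf (a [CertPolicy] section of Key=Value lines) and reads 32 K as 32 × 1024 bytes; the configuration text, CA distinguished name, certificate count and URI values are constructed placeholders.

```python
"""Validate the distribution-point CRL parameters of a pkiserv.conf
CertPolicy section against the rules on this page.  Added example, not
IBM-supplied code.  Assumes the INI-style layout of pkiserv.conf
([CertPolicy] section, Key=Value lines); the configurations below are
constructed, and the URI values are placeholders."""
import configparser
import math
import re
from fractions import Fraction
from urllib.parse import urlsplit

CRLDIST_SIZE_MAX = 2147483647
LDAP_CRL_LIMIT_BYTES = 32 * 1024   # assumed reading of "approximately 32 K bytes"
DN_MAX_BYTES = 255                 # longer DP DNs are truncated in the PKIDPUBR record
URI_KEY = re.compile(r"^CRLDistURI\d+$")
SYSPLEX_KEYS = ("CRLDistDirPath", "CRLDistSize", "CRLDistName")


def crldist_size(avg_entries, revoked_pct):
    """Step 1: CRLDistSize = E / P, with P given as a percentage (10 for 10%)."""
    if not 0 < revoked_pct <= 100:
        raise ValueError("revoked_pct must be in (0, 100]")
    return math.ceil(Fraction(avg_entries) * 100 / Fraction(str(revoked_pct)))


def crl_bytes(entries):
    """The page's rough CRL length: 500 + 25 bytes per entry."""
    return 500 + 25 * entries


def max_entries_for_ldap():
    """Most entries a DP CRL can hold and still fit the ~32 KB LDAP limit."""
    return (LDAP_CRL_LIMIT_BYTES - 500) // 25


def dp_crl_dn(dist_name, dp_number, ca_dn):
    """Step 3: CN=<CRLDistName><n>,<CA DN>, e.g. CN=CRL3,OU=...,O=...,C=US."""
    return f"CN={dist_name}{dp_number},{ca_dn}"


def parse_certpolicy(text):
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str            # keep parameter names case-sensitive
    cp.read_string(text)
    return dict(cp["CertPolicy"])


def check_dp_crl_settings(policy, ca_dn, num_certs, revoked_pct, large_crls_enabled=False):
    """Return the rule violations found (an empty list means the settings pass)."""
    raw = policy.get("CRLDistSize", "0")
    if not raw.isdigit() or int(raw) > CRLDIST_SIZE_MAX:
        return [f"CRLDistSize must be 0-{CRLDIST_SIZE_MAX}, got {raw!r}"]
    size = int(raw)
    if size == 0:
        return []                   # DP CRL processing is off; nothing else applies
    problems = []
    name = policy.get("CRLDistName", "CRL")
    if not name.isalnum():
        problems.append(f"CRLDistName must be alphanumeric, got {name!r}")
    last_dp = -(-num_certs // size)  # DPs needed for num_certs certificates (ceil)
    dn = dp_crl_dn(name, last_dp, ca_dn)
    if len(dn.encode()) > DN_MAX_BYTES:
        problems.append(f"DP DN exceeds {DN_MAX_BYTES} bytes: {dn}")
    schemes = {urlsplit(v).scheme.lower() for k, v in policy.items() if URI_KEY.match(k)}
    if "http" in schemes:           # Step 8: HTTP URIs need a directory for the DP CRL files
        path = policy.get("CRLDistDirPath", "/var/pkiserv/")
        if not path.startswith("/"):
            problems.append(f"CRLDistDirPath must be a full path, got {path!r}")
    expected = math.ceil(Fraction(size) * Fraction(str(revoked_pct)) / 100)
    if not large_crls_enabled and crl_bytes(expected) > LDAP_CRL_LIMIT_BYTES:
        problems.append(f"a DP CRL of about {expected} entries (~{crl_bytes(expected)} bytes)"
                        " exceeds the ~32 KB LDAP limit; lower CRLDistSize or enable large CRLs")
    return problems


def check_transition(old, new):
    """The two 'once set, do not change' restrictions, applied to old and new CertPolicy."""
    problems = []
    if "CRLDistName" in old and new.get("CRLDistName") != old["CRLDistName"]:
        problems.append("CRLDistName must not be changed or removed once set")
    if old.get("CRLDistSize", "0") != "0" and new.get("CRLDistSize", "0") == "0":
        problems.append("CRLDistSize must not be changed back to zero or removed once set")
    return problems


def sysplex_mismatches(policies):
    """Parameters whose values differ across PKI Services instances in a sysplex."""
    keys = set(SYSPLEX_KEYS)
    for p in policies:
        keys.update(k for k in p if URI_KEY.match(k))
    return sorted(k for k in keys if len({p.get(k) for p in policies}) > 1)


# Constructed sample CertPolicy section; hostnames and URI values are placeholders.
SAMPLE_CONF = """\
[CertPolicy]
CRLDistSize=1000
CRLDistName=CRL
CRLDistURI1=ldap://ldap.example.com/
CRLDistURI2=http://crl.example.com/
CRLDistDirPath=/var/pkiserv/
"""
CA_DN = "OU=My Company Certificate Authority,O=My Company,C=US"

if __name__ == "__main__":
    policy = parse_certpolicy(SAMPLE_CONF)
    print("CRLDistSize for E=100, P=10%:", crldist_size(100, 10))
    print("max entries under the LDAP limit:", max_entries_for_ldap())
    print("problems:", check_dp_crl_settings(policy, CA_DN, 25000, 10))
```

Run it once against each instance's pkiserv.conf before Step 12; `sysplex_mismatches` takes the parsed CertPolicy sections of all instances, and `check_transition` takes the old and new sections of one instance so that a CRLDistName change or a reset of CRLDistSize to zero is caught before the restart rather than after.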