```asn1
cRLDistributionPoints ::= {
    CRLDistPointsSyntax }

CRLDistPointsSyntax ::= SEQUENCE SIZE (1..MAX) OF DistributionPoint

DistributionPoint ::= SEQUENCE {
    distributionPoint       [0] DistributionPointName OPTIONAL,
    reasons                 [1] ReasonFlags OPTIONAL,
    cRLIssuer               [2] GeneralNames OPTIONAL }

DistributionPointName ::= CHOICE {
    fullName                [0] GeneralNames,
    nameRelativeToCRLIssuer [1] RelativeDistinguishedName }

ReasonFlags ::= BIT STRING {
    unused                  (0),
    keyCompromise           (1),
    cACompromise            (2),
    affiliationChanged      (3),
    superseded              (4),
    cessationOfOperation    (5),
    certificateHold         (6) }
```
The intention is that one or more CRL Distribution Points be included
as an extension in each certificate. One reason for having more than
one DP associated with a cert is that the different DPs may have different
reasons. For example, one DP might contain certs that have been revoked
because of key compromise, and it would be consulted with higher priority
and frequency than a DP whose certs were revoked for more mundane reasons.
CRLDistributionPoint.java contains a class that models
a CRL Distribution Point as defined by PKIX.
CRLDistributionPointsExtension.java is the extension plugin.
It extends the Extension class and implements the
CertAttrSet interface, which allows it to be plugged in to the
server's extension map.
CRLDistributionPointPolicy is the policy plugin. It
implements IEnrollmentPolicy, which allows it to be installed as a policy
module within the server.
CLASSPATH must include the class path of an
existing CMS installation. javac can then be run on each
source file to produce the following class files:
<server-root>/<instance-name>/classes:
CRLDistributionPointPolicy.
CMS.cfg.
| Name | Value | Default |
|---|---|---|
| enable | true to enable the plugin, false to disable it. | true |
| critical | true if the extension should be critical, false otherwise. | false, since RFC 2459 specifies it SHOULD NOT be critical |
| numPoints | The number of distribution points to be contained in the extension. There must be configuration parameters given for each. | None. |
| Name | Value |
|---|---|
| pointName, pointType | The name of the distribution point. This can be in one of the following formats: |
| reasons | The reasons for this CRL. Should be a comma-separated list of the following constants: |
| issuerName, issuerType | The name of the CRL issuer. May be: |
These simple parameters describe a single distribution point with no
reason flags or issuer name.
```
ca.Policy.rule.CRLDistributionPoints.numPoints=1
ca.Policy.rule.CRLDistributionPoints.pointName0=http://crlfest.com/get/your/crls/here/
ca.Policy.rule.CRLDistributionPoints.pointType0=URI
```
These parameters describe two distribution points. The first has a
directory (distinguished) name. The second distribution point name
is relative to the location of the CRL issuer,
which is also given as a directory name. The points are differentiated by
their reasons.
```
ca.Policy.rule.CRLDistributionPoints.numPoints=2
ca.Policy.rule.CRLDistributionPoints.pointName0=CN=CRLCentral,OU=Research Dept.,O=CertCorp,C=US
ca.Policy.rule.CRLDistributionPoints.pointType0=DirectoryName
ca.Policy.rule.CRLDistributionPoints.reasons0=keyCompromise,cACompromise
ca.Policy.rule.CRLDistributionPoints.pointName1=CN=SubCN
ca.Policy.rule.CRLDistributionPoints.pointType1=RelativeToIssuer
ca.Policy.rule.CRLDistributionPoints.reasons1=superseded,cessationOfOperation
ca.Policy.rule.CRLDistributionPoints.issuerName1=OU=Research Dept.,O=CertCorp,C=US
ca.Policy.rule.CRLDistributionPoints.issuerType1=DirectoryName
```
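To show what the server ends up putting in the certificate, the following Python (an added example, not code from the CMS plugin) reads the parameters of the two-point configuration above and DER-encodes the CRLDistPointsSyntax value exactly as the ASN.1 at the top of the page defines it. The hand-written DER helpers, the RFC 2253 reversal of RDN order, the CN/OU/O/C attribute set and the "either a name or an issuer" check are this example's own assumptions.

```python
PREFIX = "ca.Policy.rule.CRLDistributionPoints."
SAMPLE_CFG = """\
ca.Policy.rule.CRLDistributionPoints.numPoints=2
ca.Policy.rule.CRLDistributionPoints.pointName0=CN=CRLCentral,OU=Research Dept.,O=CertCorp,C=US
ca.Policy.rule.CRLDistributionPoints.pointType0=DirectoryName
ca.Policy.rule.CRLDistributionPoints.reasons0=keyCompromise,cACompromise
ca.Policy.rule.CRLDistributionPoints.pointName1=CN=SubCN
ca.Policy.rule.CRLDistributionPoints.pointType1=RelativeToIssuer
ca.Policy.rule.CRLDistributionPoints.reasons1=superseded,cessationOfOperation
ca.Policy.rule.CRLDistributionPoints.issuerName1=OU=Research Dept.,O=CertCorp,C=US
ca.Policy.rule.CRLDistributionPoints.issuerType1=DirectoryName
"""  # constructed sample: the two-point configuration example from this page
REASON_NAMES = ["unused", "keyCompromise", "cACompromise", "affiliationChanged", "superseded", "cessationOfOperation", "certificateHold"]
ATTR_OIDS = {"CN": b"\x55\x04\x03", "C": b"\x55\x04\x06", "O": b"\x55\x04\x0a", "OU": b"\x55\x04\x0b"}  # assumed attribute set
def tlv(tag, body):  # DER TLV: short-form length below 128 bytes, long form otherwise
    n, nb = len(body), (len(body).bit_length() + 7) // 8
    return bytes([tag, n] if n < 128 else [tag, 0x80 | nb, *n.to_bytes(nb, "big")]) + body
def atv(attr_value):  # 'OU=Research Dept.' -> AttributeTypeAndValue (PrintableString for C, else UTF8String)
    attr, value = attr_value.split("=", 1)
    return tlv(0x30, tlv(0x06, ATTR_OIDS[attr]) + tlv(0x13 if attr == "C" else 0x0C, value.encode()))
def general_name(name, kind):
    """GeneralName for pointType/issuerType: URI ([6] IA5String) or DirectoryName ([4] EXPLICIT Name)."""
    if kind == "URI":
        return tlv(0x86, name.encode())
    if kind != "DirectoryName":
        raise ValueError(f"unsupported name type: {kind}")
    # The RFC 2253 string lists RDNs most-specific first; the DER Name is encoded root first.
    return tlv(0xA4, tlv(0x30, b"".join(tlv(0x31, atv(p)) for p in reversed(name.split(",")))))
def reason_flags(csv):
    """ReasonFlags contents: bit 0 is the MSB of the first byte; DER drops trailing zero bits."""
    bits = sum(0x80 >> REASON_NAMES.index(r) for r in {x.strip() for x in csv.split(",")})
    unused = (bits & -bits).bit_length() - 1 if bits else 0  # number of trailing zero bits
    return bytes([unused, bits]) if bits else b"\x00"
def build_crl_distribution_points(cfg_text):
    """CRLDistPointsSyntax ::= SEQUENCE OF DistributionPoint, one per configured point."""
    params = dict(line.split("=", 1) for line in cfg_text.splitlines() if line.startswith(PREFIX))
    get = lambda key, i: params.get(f"{PREFIX}{key}{i}")
    points = b""
    for i in range(int(params[PREFIX + "numPoints"])):
        name, kind, body = get("pointName", i), get("pointType", i), b""
        if not (name or get("issuerName", i)):
            raise ValueError(f"point {i}: RFC 2459 requires distributionPoint or cRLIssuer")
        if name:  # distributionPoint [0] EXPLICIT, wrapping the chosen DistributionPointName alternative
            dpn = tlv(0xA1, atv(name)) if kind == "RelativeToIssuer" else tlv(0xA0, general_name(name, kind))
            body += tlv(0xA0, dpn)
        if get("reasons", i):
            body += tlv(0x81, reason_flags(get("reasons", i)))  # reasons [1] IMPLICIT BIT STRING
        if get("issuerName", i):  # cRLIssuer [2] IMPLICIT GeneralNames
            body += tlv(0xA2, general_name(get("issuerName", i), get("issuerType", i)))
        points += tlv(0x30, body)
    return tlv(0x30, points)
```

The returned bytes are only the extension value; the server wraps them in the OCTET STRING of the id-ce-cRLDistributionPoints extension together with the critical flag from the table above.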