Configuring CRL with PKI Console - dogtagpki/pki GitHub Wiki
CRL updates are configurable through CA’s console:
This flag enables or disables CRL generation for the specific CRL issuing point.
Here is a sample of CRL updates where a full CRL is generated every 3 deltas:
| CRL Updates | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 |
|---|---|---|---|---|---|---|---|---|---|---|
| Full CRL | + | | | + | | | + | | | + |
| Delta CRL | + | + | + | + | + | + | + | + | + | + |
If selected, the nextUpdate field of the currently generated full CRL points to the next time at which a full CRL will be generated; otherwise nextUpdate points to the immediately following CRL generation, which may produce a delta CRL only.
See the definition of nextUpdate in RFC 5280:

```
CertificateList  ::=  SEQUENCE  {
     tbsCertList          TBSCertList,
     signatureAlgorithm   AlgorithmIdentifier,
     signatureValue       BIT STRING  }

TBSCertList  ::=  SEQUENCE  {
     version                 Version OPTIONAL,
                                  -- if present, MUST be v2
     signature               AlgorithmIdentifier,
     issuer                  Name,
     thisUpdate              Time,
     nextUpdate              Time OPTIONAL,
     revokedCertificates     SEQUENCE OF SEQUENCE  {
          userCertificate         CertificateSerialNumber,
          revocationDate          Time,
          crlEntryExtensions      Extensions OPTIONAL
                                   -- if present, version MUST be v2
                               }  OPTIONAL,
     crlExtensions           [0] EXPLICIT Extensions OPTIONAL
                                   -- if present, version MUST be v2
                               }
```
This option generates CRLs every N minutes. Note that manual CRL updates or CA restarts may cause the schedule to drift. The following sample configuration generates a CRL every 4 hours (counting from the last update).
Combining CRL generation every N minutes with a daily starting time (provided through the Update CRL at entry field) prevents schedule drift.
The following sample configuration generates a CRL every 4 hours starting from 1:00 am (1:00 am, 5:00 am, 9:00 am, 1:00 pm, 5:00 pm, 9:00 pm).
This option was initially provided as a way to avoid the schedule drift associated with Update CRL every N minutes, by starting updates from the same time each day. Time precision is in minutes, which implies the following time format: hh:mm.
The daily update list replaced the starting time as an improvement that allows CRL updates to be performed at exactly the same times each day. The time list is built as a list of times separated by commas: t1, t2, t3, …, tn where ti < tj for i < j.
Note:
- Daily update list cannot be combined with Update CRL every N minutes.
- The first CRL update according to the daily update list schedule, combined with Generate full CRL every N deltas, always includes full CRL generation.
Update lists were extended to multiple days in response to Bug #512496. An update list for multiple days is built by combining multiple daily lists separated by semicolons: d1; d2; d3; …; dn.
Sample update lists:
- `0:10,0:15,23:57,23:58,23:59;0:01,0:02,0:03;` - includes schedule for 3 days
  - day 1 includes CRL updates at 0:10, 0:15, 23:57, 23:58, and 23:59
  - day 2 includes CRL updates at 0:01, 0:02, and 0:03
  - day 3 includes no CRL updates
- `1:05,21:20; 3:07;;4:06,16:12,22:07;` - includes schedule for 5 days
  - day 1 includes CRL updates at 1:05 and 21:20
  - day 2 includes a CRL update at 3:07
  - day 3 includes no CRL updates
  - day 4 includes CRL updates at 4:06, 16:12, and 22:07
  - day 5 includes no CRL updates
The update list is further enhanced to mark when a full CRL will be generated by adding an optional `*` prefix to the time format; a `*` indicates a time in the update list at which a full CRL will be generated.
Note: An update list that specifies full CRL generations will ignore Generate full CRL every N deltas.
Sample update lists:
- `0:10,*0:15,23:57,*23:58,*23:59;0:01,*0:02,0:03;` - includes schedule for 3 days
  - day 1 includes CRL updates at 0:10, 0:15, 23:57, 23:58, and 23:59, but full CRLs are generated at 0:15, 23:58, and 23:59
  - day 2 includes CRL updates at 0:01, 0:02, and 0:03, but a full CRL is generated at 0:02
  - day 3 includes no CRL updates
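The multi-day update-list format described above (comma-separated hh:mm times, semicolon-separated days, a trailing `;` producing an empty day, and an optional `*` prefix marking a full CRL), parsed and validated as an added example; this is not Dogtag's own code, and the function names and the `Update` type are assumptions of this example:

```python
import re
from dataclasses import dataclass

# Illustrative re-implementation of the update-list format; the names below
# are assumptions of this example, not Dogtag identifiers.
TIME_RE = re.compile(r"^(\*?)(\d{1,2}):(\d{2})$")


@dataclass(frozen=True)
class Update:
    minute_of_day: int  # minutes since midnight
    full: bool          # True when the time was prefixed with '*'


def parse_update_list(text: str) -> list[list[Update]]:
    """Parse 'd1;d2;...;dn', each day being 't1,t2,...,tn'.

    A trailing ';' yields a final day with no updates, so
    '...;0:01,0:02,0:03;' is a 3-day list, as in the samples above.
    Raises ValueError on a malformed time, an out-of-range time, or
    times that are not strictly ascending within a day (ti < tj for i < j).
    """
    days: list[list[Update]] = []
    for day in text.split(";"):
        updates: list[Update] = []
        for token in day.split(","):
            token = token.strip()
            if not token:
                continue  # empty day (no updates)
            m = TIME_RE.match(token)
            if not m:
                raise ValueError(f"bad time entry: {token!r}")
            hh, mm = int(m.group(2)), int(m.group(3))
            if hh > 23 or mm > 59:
                raise ValueError(f"time out of range: {token!r}")
            upd = Update(hh * 60 + mm, full=bool(m.group(1)))
            if updates and upd.minute_of_day <= updates[-1].minute_of_day:
                raise ValueError(f"times not ascending at {token!r}")
            updates.append(upd)
        days.append(updates)
    return days


def full_crl_times(days: list[list[Update]]) -> list[tuple[int, str]]:
    """Return (day number, 'h:mm') for every slot marked with '*'."""
    return [(i + 1, f"{u.minute_of_day // 60}:{u.minute_of_day % 60:02d}")
            for i, d in enumerate(days) for u in d if u.full]
```

When `full_crl_times` returns an empty list, no slot was starred and the Generate full CRL every N deltas setting decides where full CRLs fall.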