CRL Extension Reference
Netscape Certificate Management System Administrator’s Guide • June 2003
To enable you to issue or publish X.509 v2 CRLs (that is, CRLs with extensions),
CMS provides a set of extension rules; each rule enables you to configure the
Certificate Manager to set a particular CRL or CRL-entry extension in CRLs it
issues.
When deciding whether to add CRL extensions, keep in mind that not all
applications support version 2 CRLs. Among the applications that do support
extensions, not all applications will recognize every extension. For general
guidelines on using these extensions in CRLs, see Appendix G, “Certificate and
CRL Extensions.”
AuthorityKeyIdentifier
The AuthorityKeyIdentifier rule enables you to configure a Certificate Manager
to set the Authority Key Identifier Extension in CRLs. The extension is used to
identify the public key that corresponds to the private key used by a CA to sign
CRLs.
The PKIX standard recommends that the CA must include this extension in all
CRLs it issues. The reason for this is that in certain situations, a CA’s public key
may change (for example, when the key gets updated) or the CA may have
multiple signing keys (either because of multiple concurrent key pairs or because
of key changeover). In these cases, the CA ends up with more than one key pair.
When verifying a signature on a certificate, other applications need to know which
key was used in the signature.
For general information about the authority key identifier extension in CRLs, see
“authorityKeyIdentifier” on page 771.
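The key-selection step this extension makes possible, as an added example that is not code from the guide or from CMS: a relying party reads the keyIdentifier from a CRL's Authority Key Identifier value and picks the matching CA key out of several. It assumes the CA derives key identifiers as the SHA-1 hash of the subjectPublicKey bits; the function names, key names and key bytes are constructed for illustration.

```python
import hashlib

def parse_aki_key_identifier(ext_value):
    """Return the keyIdentifier bytes from a DER AuthorityKeyIdentifier, or None."""
    # AuthorityKeyIdentifier ::= SEQUENCE { keyIdentifier [0] IMPLICIT OCTET STRING
    #   OPTIONAL, authorityCertIssuer [1] ..., authorityCertSerialNumber [2] ... }
    if len(ext_value) < 2 or ext_value[0] != 0x30:
        raise ValueError("not a DER SEQUENCE")
    if ext_value[1] & 0x80 or ext_value[1] != len(ext_value) - 2:
        raise ValueError("long-form or inconsistent length")  # short form only
    body, pos = ext_value[2:], 0
    while pos < len(body):
        if pos + 2 > len(body) or body[pos + 1] & 0x80:
            raise ValueError("truncated or long-form field")
        tag, length = body[pos], body[pos + 1]
        if pos + 2 + length > len(body):
            raise ValueError("field overruns extension")
        if tag == 0x80:  # context tag [0], primitive: keyIdentifier
            return body[pos + 2 : pos + 2 + length]
        pos += 2 + length
    return None

def key_id(subject_public_key):
    """Assumed derivation: SHA-1 over the subjectPublicKey bits."""
    return hashlib.sha1(subject_public_key).digest()

def select_signing_key(aki_ext_value, ca_keys):
    """Name of the CA key the CRL's AKI points at, or None if nothing matches."""
    wanted = parse_aki_key_identifier(aki_ext_value)
    if wanted is None:
        return None  # no keyIdentifier present: caller cannot narrow the choice
    for name, spk in ca_keys.items():
        if key_id(spk) == wanted:
            return name
    return None  # CRL points at a key we do not hold: do not accept it

# Constructed sample: one CA holding two key pairs after a key changeover.
CA_KEYS = {
    "ca-key-old": b"constructed public key bits (old)",
    "ca-key-new": b"constructed public key bits (new)",
}
# AKI value as it would appear in a CRL signed with the new key:
# 30 16 (SEQUENCE, 22 bytes) 80 14 ([0], 20 bytes) <key identifier>
CRL_AKI = bytes([0x30, 0x16, 0x80, 0x14]) + key_id(CA_KEYS["ca-key-new"])

if __name__ == "__main__":
    print(select_signing_key(CRL_AKI, CA_KEYS))
```

Without the extension the verifier has nothing to match on and must try the CRL signature against every CA key it holds.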
Table 14-1 AuthorityKeyIdentifierExt Configuration Parameters

| Parameter | Description |
|-----------|-------------|
| enable | Specifies whether the rule is enabled or disabled. Select to enable, deselect to disable (default). |
| critical | Select if you want the server to mark the extension critical; deselect if you want the server to mark the extension noncritical (default). |