Dieser Inhalt ist in der von Ihnen ausgewählten Sprache nicht verfügbar.
B.4. CRL Extensions
B.4.1. About CRL Extensions
Note
B.4.1.1. Structure of CRL Extensions
- The object identifier (OID) for the extension. This identifier uniquely identifies the extension. It also determines the ASN.1 type of value in the value field and how the value is interpreted. When an extension appears in a CRL, the OID appears as the extension ID field (
extnID
) and the corresponding ASN.1 encoded structure appears as the value of the octet string (extnValue
); examples are shown in Example B.4, “Sample Pretty-Print Certificate Extensions”. - A flag or Boolean field called
critical
.Thetrue
orfalse
value assigned to this field indicates whether the extension is critical or noncritical to the CRL.- If the extension is critical and the CRL is sent to an application that does not understand the extension based on the extension's ID, the application must reject the CRL.
- If the extension is not critical and the CRL is sent to an application that does not understand the extension based on the extension's ID, the application can ignore the extension and accept the CRL.
- An octet string containing the DER encoding of the value of the extension.
B.4.1.2. Sample CRL and CRL Entry Extensions
Certificate Revocation List: Data: Version: v2 Signature Algorithm: SHA1withRSA - 1.2.840.113549.1.1.5 Issuer: CN=Certificate Authority,O=Example Domain This Update: Wednesday, July 29, 2009 8:59:48 AM GMT-08:00 Next Update: Friday, July 31, 2009 8:59:48 AM GMT-08:00 Revoked Certificates: 1-3 of 3 Serial Number: 0x11 Revocation Date: Thursday, July 23, 2009 10:07:15 AM GMT-08:00 Extensions: Identifier: Revocation Reason - 2.5.29.21 Critical: no Reason: Privilege_Withdrawn Serial Number: 0x1A Revocation Date: Wednesday, July 29, 2009 8:50:11 AM GMT-08:00 Extensions: Identifier: Revocation Reason - 2.5.29.21 Critical: no Reason: Certificate_Hold Identifier: Invalidity Date - 2.5.29.24 Critical: no Invalidity Date: Sun Jul 26 23:00:00 GMT-08:00 2009 Serial Number: 0x19 Revocation Date: Wednesday, July 29, 2009 8:50:49 AM GMT-08:00 Extensions: Identifier: Revocation Reason - 2.5.29.21 Critical: no Reason: Key_Compromise Identifier: Invalidity Date - 2.5.29.24 Critical: no Invalidity Date: Fri Jul 24 23:00:00 GMT-08:00 2009 Extensions: Identifier: Authority Info Access: - 1.3.6.1.5.5.7.1.1 Critical: no Access Description: Method #0: ocsp Location #0: URIName: http://example.com:9180/ca/ocsp Identifier: Issuer Alternative Name - 2.5.29.18 Critical: no Issuer Names: DNSName: example.com Identifier: Authority Key Identifier - 2.5.29.35 Critical: no Key Identifier: 50:52:0C:AA:22:AC:8A:71:E3:91:0C:C5:77:21:46:9C: 0F:F8:30:60 Identifier: Freshest CRL - 2.5.29.46 Critical: no Number of Points: 1 Point 0 Distribution Point: [URIName: http://server.example.com:8443/ca/ee/ca/getCRL?op=getDeltaCRL&crlIssuingPoint=MasterCRL] Identifier: CRL Number - 2.5.29.20 Critical: no Number: 39 Identifier: Issuing Distribution Point - 2.5.29.28 Critical: yes Distribution Point: Full Name: URIName: http://example.com:9180/ca/ee/ca/getCRL?op=getCRL&crlIssuingPoint=MasterCRL Only Contains User Certificates: no Only Contains CA Certificates: no Indirect CRL: no Signature: Algorithm: SHA1withRSA - 1.2.840.113549.1.1.5 Signature: 47:D2:CD:C9:E5:F5:9D:56:0A:97:31:F5:D5:F2:51:EB: 1F:CF:FA:9E:63:D4:80:13:85:E5:D8:27:F0:69:67:B5: 89:4F:59:5E:69:E4:39:93:61:F2:E3:83:51:0B:68:26: CD:99:C4:A2:6C:2B:06:43:35:36:38:07:34:E4:93:80: 99:2F:79:FB:76:E8:3D:4C:15:5A:79:4E:E5:3F:7E:FC: D8:78:0D:1D:59:A0:4C:14:42:B7:22:92:89:38:3A:4C: 4A:3A:06:DE:13:74:0E:E9:63:74:D0:2F:46:A1:03:37: 92:F0:93:D9:AA:F8:13:C5:06:25:02:B0:FD:3B:41:E7: 62:6F:67:A3:9F:F5:FA:03:41:DA:8D:FD:EA:2F:E3:2B: 3E:F8:E9:CC:3B:9F:E4:ED:73:F2:9E:B9:54:14:C1:34: 68:A7:33:8F:AF:38:85:82:40:A2:06:97:3C:B4:88:43: 7B:AF:5D:87:C4:47:63:4A:11:65:E3:75:55:4D:98:97: C2:2E:62:08:A4:04:35:5A:FE:0A:5A:6E:F1:DE:8E:15: 27:1E:0F:87:33:14:16:2E:57:F7:DC:77:BE:D2:75:AB: A9:7C:42:1F:84:6D:40:EC:E7:ED:84:F8:14:16:28:33: FD:11:CD:C5:FC:49:B7:7B:39:57:B3:E6:36:E5:CD:B6
ertificate Revocation List:
Data:
Version: v2
Signature Algorithm: SHA1withRSA - 1.2.840.113549.1.1.5
Issuer: CN=Certificate Authority,O=SjcRedhat Domain
This Update: Wednesday, July 29, 2009 9:02:28 AM GMT-08:00
Next Update: Thursday, July 30, 2009 9:02:28 AM GMT-08:00
Revoked Certificates:
Serial Number: 0x1A
Revocation Date: Wednesday, July 29, 2009 9:00:48 AM GMT-08:00
Extensions:
Identifier: Revocation Reason - 2.5.29.21
Critical: no
Reason: Remove_from_CRL
Serial Number: 0x17
Revocation Date: Wednesday, July 29, 2009 9:02:16 AM GMT-08:00
Extensions:
Identifier: Revocation Reason - 2.5.29.21
Critical: no
Reason: Certificate_Hold
Identifier: Invalidity Date - 2.5.29.24
Critical: no
Invalidity Date: Mon Jul 27 23:00:00 GMT-08:00 2009
Extensions:
Identifier: Authority Info Access: - 1.3.6.1.5.5.7.1.1
Critical: no
Access Description:
Method #0: ocsp
Location #0: URIName: http://server.example.com:8443/ca/ocsp
Identifier: Delta CRL Indicator - 2.5.29.27
Critical: yes
Base CRL Number: 39
Identifier: Issuer Alternative Name - 2.5.29.18
Critical: no
Issuer Names:
DNSName: a-f8.sjc.redhat.com
Identifier: Authority Key Identifier - 2.5.29.35
Critical: no
Key Identifier:
50:52:0C:AA:22:AC:8A:71:E3:91:0C:C5:77:21:46:9C:
0F:F8:30:60
Identifier: CRL Number - 2.5.29.20
Critical: no
Number: 41
Identifier: Issuing Distribution Point - 2.5.29.28
Critical: yes
Distribution Point:
Full Name:
URIName: http://server.example.com:8443/ca/ee/ca/getCRL?op=getCRL&crlIssuingPoint=MasterCRL
Only Contains User Certificates: no
Only Contains CA Certificates: no
Indirect CRL: no
Signature:
Algorithm: SHA1withRSA - 1.2.840.113549.1.1.5
Signature:
68:28:DA:90:D5:39:CB:6D:BE:42:04:77:C9:E4:09:60:
C1:97:A6:99:AB:A0:5B:A2:F3:8B:5E:4E:D6:05:70:B0:
87:1F:D7:0E:4B:C6:B2:DE:8B:92:D8:7C:3B:36:1C:79:
96:2A:64:E6:7A:25:1D:E7:40:62:48:7A:24:C9:9D:11:
A6:7F:BB:6B:03:A0:9C:1D:BC:1C:EE:9A:4B:A6:48:2C:
3B:5E:2B:B1:70:3C:C3:42:96:28:26:AB:82:18:F2:E9:
F2:55:48:A8:7E:7F:FE:D4:3D:0B:EA:A2:2F:4E:E6:C3:
C3:C1:6A:E5:C6:85:5B:42:B1:70:2A:C6:E1:D9:0C:AF:
DA:01:22:FF:80:6E:2E:A7:E5:34:DC:AF:E6:C2:B5:B3:
1B:FC:28:36:8A:91:4A:22:E7:03:A5:ED:4E:62:0C:D9:
7F:81:BB:80:99:B8:61:2A:02:C6:9C:41:2E:01:82:21:
80:82:69:52:BD:B2:AA:DB:0F:80:0A:7E:2A:F3:15:32:
69:D2:40:0D:39:59:93:75:A2:ED:24:70:FB:EE:19:C0:
BE:A2:14:36:D0:AC:E8:E2:EE:23:83:DD:BC:DF:38:1A:
9E:37:AF:E3:50:D9:47:9D:22:7C:36:35:BF:13:2C:16:
A2:79:CF:05:41:88:8E:B6:A2:4E:B3:48:6D:69:C6:38
B.4.2. Standard X.509 v3 CRL Extensions Reference
B.4.2.1. Extensions for CRLs
B.4.2.1.1. authorityInfoAccess
1.3.6.1.5.5.7.1.1
PKIX requires that this extension must not be critical.
Parameter | Description |
---|---|
enable | Specifies whether the rule is enabled or disabled. The default is to have this extension disabled. |
critical | Sets whether the extension is marked as critical; the default is noncritical. |
numberOfAccessDescriptions |
Indicates the number of access descriptions, from 0 to any positive integer; the default is 0.
When setting this parameter to an integer other than 0, set the number, and then click OK to close the window. Re-open the edit window for the rule, and the fields to set the points will be present.
|
accessMethodn | The only accepted value for this parameter is caIssuers. The caIssuers method is used when the information available lists certificates that can be used to verify the signature on the CRL. No other method should be used when the AIA extension is included in a CRL. |
accessLocationTypen | Specifies the type of access location for the n access description. The options are either DirectoryName or URI . |
accessLocationn |
If
accessLocationType is set to DirectoryName , the value must be a string in the form of an X.500 name, similar to the subject name in a certificate. For example, CN=CACentral,OU=Research Dept,O=Example Corporation,C=US.
If
accessLocationType is set to URI , the name must be a URI; the URI must be an absolute pathname and must specify the host. For example, http://testCA.example.com/get/crls/here/.
|
B.4.2.1.2. authorityKeyIdentifier
2.5.29.35
Parameter | Description |
---|---|
enable | Specifies whether the rule is enabled or disabled. The default is to have this extension disabled. |
critical | Sets whether the extension is marked as critical; the default is noncritical. |
B.4.2.1.3. CRLNumber
2.5.29.20
This extension must not be critical.
Parameter | Description |
---|---|
enable | Specifies whether the rule is enabled, which is the default. |
critical | Sets whether the extension is marked as critical; the default is noncritical. |
B.4.2.1.4. deltaCRLIndicator
2.5.29.27
PKIX requires that this extension be critical if it exists.
Parameter | Description |
---|---|
enable | Sets whether the rule is enabled. By default, it is disabled. |
critical | Sets whether the extension is critical or noncritical. By default, this is critical. |
B.4.2.1.5. FreshestCRL
2.5.29.46
PKIX requires that this extension must be noncritical.
Parameter | Description |
---|---|
enable | Sets whether the extension rule is enabled. By default, this is disabled. |
critical | Marks the extension as critical or noncritical. The default is noncritical. |
numPoints | Indicates the number of issuing points for the delta CRL, from 0 to any positive integer; the default is 0 . When setting this to an integer other than 0, set the number, and then click to close the window. Re-open the edit window for the rule, and the fields to set these points will be present. |
pointTypen | Specifies the type of issuing point for the n issuing point. For each number specified in numPoints , there is an equal number of pointType parameters. The options are either DirectoryName or URIName . |
pointNamen |
If
pointType is set to directoryName , the value must be a string in the form of an X.500 name, similar to the subject name in a certificate. For example, CN=CACentral,OU=Research Dept,O=Example Corporation,C=US.
If
pointType is set to URIName , the name must be a URI; the URI must be an absolute pathname and must specify the host. For example, http://testCA.example.com/get/crls/here/.
|
B.4.2.1.6. issuerAltName
2.5.29.18
Parameter | Description |
---|---|
enable | Sets whether the extension rule is enabled; by default, this is disabled. |
critical | Sets whether the extension is critical; by default, this is noncritical. |
numNames | Sets the total number of alternative names or identities permitted in the extension. Each name has a set of configuration parameters, nameType and name , which must have appropriate values or the rule returns an error. Change the total number of identities by changing the value specified in this field; there is no limit on the total number of identities that can be included in the extension. Each set of configuration parameters is distinguished by an integer derived from the value of this field. For example, if the numNames parameter is set to 2 , the derived integers are 0 and 1 . |
nameTypen |
Specifies the general-name type; this can be any of the following:
|
namen |
Specifies the general-name value; the allowed values depend on the name type specified in the
nameType field.
|
B.4.2.1.7. issuingDistributionPoint
2.5.29.28
PKIX requires that this extension be critical if it exists.
Parameter | Description |
---|---|
enable | Sets whether the extension is enabled; the default is disabled. |
critical | Marks the extension as critical, the default, or noncritical. |
pointType |
Specifies the type of the issuing distribution point from the following:
|
pointName |
Gives the name of the issuing distribution point. The name of the distribution point depends on the value specified for the
pointType parameter.
Note
The CRL may be stored in the directory entry corresponding to the CRL issuing point, which may be different than the directory entry of the CA.
|
onlySomeReasons |
Specifies the reason codes associated with the distribution point.
Permissible values are a combination of reason codes (
unspecified , keyCompromise , cACompromise , affiliationChanged , superseded , cessationOfOperation , certificateHold , and removeFromCRL ) separated by commas. Leave the field blank if the distribution point contains revoked certificates with all reason codes (default).
|
onlyContainsCACerts | Specifies that the distribution point contains user certificates only if set. By default, this is not set, which means the distribution point contains all types of certificates. |
indirectCRL | Specifies that the distribution point contains an indirect CRL; by default, this is not selected. |
B.4.2.2. CRL Entry Extensions
B.4.2.2.1. certificateIssuer
2.5.29.29
B.4.2.2.2. invalidityDate
2.5.29.24
Parameter | Description |
---|---|
enable | Sets whether the extension rule is enabled or disabled. By default, this is enabled. |
critical | Marks the extension as critical or noncritical; by default, this is noncritical. |
B.4.2.2.3. CRLReason
2.5.29.21
Parameter | Description |
---|---|
enable | Sets whether the extension rule is enabled or disabled. By default, this is enabled. |
critical | Marks the extension as critical or noncritical. By default, this is noncritical. |
B.4.3. Netscape-Defined Certificate Extensions Reference
B.4.3.1. netscape-cert-type
- bit 0: SSL Client certificate
- bit 1: SSL Server certificate
- bit 2: S/MIME certificate
- bit 3: Object Signing certificate
- bit 4: reserved
- bit 5: SSL CA certificate
- bit 6: S/MIME CA certificate
- bit 7: Object Signing CA certificate
2.16.840.1.113730.1.1
B.4.3.2. netscape-comment
2.16.840.1.113730.13