B.4. CRL Extensions
B.4.1. About CRL Extensions
Since its initial publication, the X.509 standard for CRL formats has been amended to include additional information within a CRL. This information is added through CRL extensions.
The extensions defined by ANSI X9 and ISO/IEC/ITU for X.509 CRLs [X.509] [X9.55] allow additional attributes to be associated with CRLs. The Internet X.509 Public Key Infrastructure Certificate and CRL Profile, available at RFC 5280, recommends a set of extensions to be used in CRLs. These extensions are called standard CRL extensions.
The standard also allows custom extensions to be created and included in CRLs. These extensions are called private, proprietary, or custom CRL extensions and carry information unique to an organization or business. Applications may not able to validate CRLs that contain private critical extensions, so it is not recommended that custom extensions be used in a general context.
Note
Abstract Syntax Notation One (ASN.1) and Distinguished Encoding Rules (DER) standards are specified in the CCITT Recommendations X.208 and X.209. For a quick summary of ASN.1 and DER, see A Layman's Guide to a Subset of ASN.1, BER, and DER, which is available at RSA Laboratories' web site, http://www.rsa.com.
B.4.1.1. Structure of CRL Extensions
A CRL extension consists of the following parts:
- The object identifier (OID) for the extension. This identifier uniquely identifies the extension. It also determines the ASN.1 type of value in the value field and how the value is interpreted. When an extension appears in a CRL, the OID appears as the extension ID field (
extnID) and the corresponding ASN.1 encoded structure appears as the value of the octet string (extnValue); examples are shown in Example B.4, “Sample Pretty-Print Certificate Extensions”. - A flag or Boolean field called
critical.Thetrueorfalsevalue assigned to this field indicates whether the extension is critical or noncritical to the CRL.- If the extension is critical and the CRL is sent to an application that does not understand the extension based on the extension's ID, the application must reject the CRL.
- If the extension is not critical and the CRL is sent to an application that does not understand the extension based on the extension's ID, the application can ignore the extension and accept the CRL.
- An octet string containing the DER encoding of the value of the extension.
The application receiving the CRL checks the extension ID to determine if it can recognize the ID. If it can, it uses the extension ID to determine the type of value used.
B.4.1.2. Sample CRL and CRL Entry Extensions
The following is an example of an X.509 CRL version 2 extension. The Certificate System can display CRLs in readable pretty-print format, as shown here. As shown in the example, CRL extensions appear in sequence and only one instance of a particular extension may appear per CRL; for example, a CRL may contain only one Authority Key Identifier extension. However, CRL-entry extensions appear in appropriate entries in the CRL.
Certificate Revocation List:
Data:
Version: v2
Signature Algorithm: SHA1withRSA - 1.2.840.113549.1.1.5
Issuer: CN=Certificate Authority,O=Example Domain
This Update: Wednesday, July 29, 2009 8:59:48 AM GMT-08:00
Next Update: Friday, July 31, 2009 8:59:48 AM GMT-08:00
Revoked Certificates: 1-3 of 3
Serial Number: 0x11
Revocation Date: Thursday, July 23, 2009 10:07:15 AM GMT-08:00
Extensions:
Identifier: Revocation Reason - 2.5.29.21
Critical: no
Reason: Privilege_Withdrawn
Serial Number: 0x1A
Revocation Date: Wednesday, July 29, 2009 8:50:11 AM GMT-08:00
Extensions:
Identifier: Revocation Reason - 2.5.29.21
Critical: no
Reason: Certificate_Hold
Identifier: Invalidity Date - 2.5.29.24
Critical: no
Invalidity Date: Sun Jul 26 23:00:00 GMT-08:00 2009
Serial Number: 0x19
Revocation Date: Wednesday, July 29, 2009 8:50:49 AM GMT-08:00
Extensions:
Identifier: Revocation Reason - 2.5.29.21
Critical: no
Reason: Key_Compromise
Identifier: Invalidity Date - 2.5.29.24
Critical: no
Invalidity Date: Fri Jul 24 23:00:00 GMT-08:00 2009
Extensions:
Identifier: Authority Info Access: - 1.3.6.1.5.5.7.1.1
Critical: no
Access Description:
Method #0: ocsp
Location #0: URIName: http://example.com:9180/ca/ocsp
Identifier: Issuer Alternative Name - 2.5.29.18
Critical: no
Issuer Names:
DNSName: example.com
Identifier: Authority Key Identifier - 2.5.29.35
Critical: no
Key Identifier:
50:52:0C:AA:22:AC:8A:71:E3:91:0C:C5:77:21:46:9C:
0F:F8:30:60
Identifier: Freshest CRL - 2.5.29.46
Critical: no
Number of Points: 1
Point 0
Distribution Point: [URIName: http://server.example.com:8443/ca/ee/ca/getCRL?op=getDeltaCRL&crlIssuingPoint=MasterCRL]
Identifier: CRL Number - 2.5.29.20
Critical: no
Number: 39
Identifier: Issuing Distribution Point - 2.5.29.28
Critical: yes
Distribution Point:
Full Name:
URIName: http://example.com:9180/ca/ee/ca/getCRL?op=getCRL&crlIssuingPoint=MasterCRL
Only Contains User Certificates: no
Only Contains CA Certificates: no
Indirect CRL: no
Signature:
Algorithm: SHA1withRSA - 1.2.840.113549.1.1.5
Signature:
47:D2:CD:C9:E5:F5:9D:56:0A:97:31:F5:D5:F2:51:EB:
1F:CF:FA:9E:63:D4:80:13:85:E5:D8:27:F0:69:67:B5:
89:4F:59:5E:69:E4:39:93:61:F2:E3:83:51:0B:68:26:
CD:99:C4:A2:6C:2B:06:43:35:36:38:07:34:E4:93:80:
99:2F:79:FB:76:E8:3D:4C:15:5A:79:4E:E5:3F:7E:FC:
D8:78:0D:1D:59:A0:4C:14:42:B7:22:92:89:38:3A:4C:
4A:3A:06:DE:13:74:0E:E9:63:74:D0:2F:46:A1:03:37:
92:F0:93:D9:AA:F8:13:C5:06:25:02:B0:FD:3B:41:E7:
62:6F:67:A3:9F:F5:FA:03:41:DA:8D:FD:EA:2F:E3:2B:
3E:F8:E9:CC:3B:9F:E4:ED:73:F2:9E:B9:54:14:C1:34:
68:A7:33:8F:AF:38:85:82:40:A2:06:97:3C:B4:88:43:
7B:AF:5D:87:C4:47:63:4A:11:65:E3:75:55:4D:98:97:
C2:2E:62:08:A4:04:35:5A:FE:0A:5A:6E:F1:DE:8E:15:
27:1E:0F:87:33:14:16:2E:57:F7:DC:77:BE:D2:75:AB:
A9:7C:42:1F:84:6D:40:EC:E7:ED:84:F8:14:16:28:33:
FD:11:CD:C5:FC:49:B7:7B:39:57:B3:E6:36:E5:CD:B6
A delta CRL is a subset of the CRL which contains only the changes since the last CRL was published. Any CRL which contains the delta CRL indicator extension is a delta CRL.
ertificate Revocation List:
Data:
Version: v2
Signature Algorithm: SHA1withRSA - 1.2.840.113549.1.1.5
Issuer: CN=Certificate Authority,O=SjcRedhat Domain
This Update: Wednesday, July 29, 2009 9:02:28 AM GMT-08:00
Next Update: Thursday, July 30, 2009 9:02:28 AM GMT-08:00
Revoked Certificates:
Serial Number: 0x1A
Revocation Date: Wednesday, July 29, 2009 9:00:48 AM GMT-08:00
Extensions:
Identifier: Revocation Reason - 2.5.29.21
Critical: no
Reason: Remove_from_CRL
Serial Number: 0x17
Revocation Date: Wednesday, July 29, 2009 9:02:16 AM GMT-08:00
Extensions:
Identifier: Revocation Reason - 2.5.29.21
Critical: no
Reason: Certificate_Hold
Identifier: Invalidity Date - 2.5.29.24
Critical: no
Invalidity Date: Mon Jul 27 23:00:00 GMT-08:00 2009
Extensions:
Identifier: Authority Info Access: - 1.3.6.1.5.5.7.1.1
Critical: no
Access Description:
Method #0: ocsp
Location #0: URIName: http://server.example.com:8443/ca/ocsp
Identifier: Delta CRL Indicator - 2.5.29.27
Critical: yes
Base CRL Number: 39
Identifier: Issuer Alternative Name - 2.5.29.18
Critical: no
Issuer Names:
DNSName: a-f8.sjc.redhat.com
Identifier: Authority Key Identifier - 2.5.29.35
Critical: no
Key Identifier:
50:52:0C:AA:22:AC:8A:71:E3:91:0C:C5:77:21:46:9C:
0F:F8:30:60
Identifier: CRL Number - 2.5.29.20
Critical: no
Number: 41
Identifier: Issuing Distribution Point - 2.5.29.28
Critical: yes
Distribution Point:
Full Name:
URIName: http://server.example.com:8443/ca/ee/ca/getCRL?op=getCRL&crlIssuingPoint=MasterCRL
Only Contains User Certificates: no
Only Contains CA Certificates: no
Indirect CRL: no
Signature:
Algorithm: SHA1withRSA - 1.2.840.113549.1.1.5
Signature:
68:28:DA:90:D5:39:CB:6D:BE:42:04:77:C9:E4:09:60:
C1:97:A6:99:AB:A0:5B:A2:F3:8B:5E:4E:D6:05:70:B0:
87:1F:D7:0E:4B:C6:B2:DE:8B:92:D8:7C:3B:36:1C:79:
96:2A:64:E6:7A:25:1D:E7:40:62:48:7A:24:C9:9D:11:
A6:7F:BB:6B:03:A0:9C:1D:BC:1C:EE:9A:4B:A6:48:2C:
3B:5E:2B:B1:70:3C:C3:42:96:28:26:AB:82:18:F2:E9:
F2:55:48:A8:7E:7F:FE:D4:3D:0B:EA:A2:2F:4E:E6:C3:
C3:C1:6A:E5:C6:85:5B:42:B1:70:2A:C6:E1:D9:0C:AF:
DA:01:22:FF:80:6E:2E:A7:E5:34:DC:AF:E6:C2:B5:B3:
1B:FC:28:36:8A:91:4A:22:E7:03:A5:ED:4E:62:0C:D9:
7F:81:BB:80:99:B8:61:2A:02:C6:9C:41:2E:01:82:21:
80:82:69:52:BD:B2:AA:DB:0F:80:0A:7E:2A:F3:15:32:
69:D2:40:0D:39:59:93:75:A2:ED:24:70:FB:EE:19:C0:
BE:A2:14:36:D0:AC:E8:E2:EE:23:83:DD:BC:DF:38:1A:
9E:37:AF:E3:50:D9:47:9D:22:7C:36:35:BF:13:2C:16:
A2:79:CF:05:41:88:8E:B6:A2:4E:B3:48:6D:69:C6:38B.4.2. Standard X.509 v3 CRL Extensions Reference
In addition to certificate extensions, the X.509 proposed standard defines extensions to CRLs, which provide methods for associating additional attributes with Internet CRLs. These are one of two kinds: extensions to the CRL itself and extensions to individual certificate entries in the CRL.
B.4.2.1. Extensions for CRLs
The following CRL descriptions are defined as part of the Internet X.509 v3 Public Key Infrastructure proposed standard.
B.4.2.1.1. authorityInfoAccess
The Authority Information Access extension identifies how delta CRL information is obtained. The freshestCRL extension is placed in the full CRL to indicate where to find the latest delta CRL.
OID
1.3.6.1.5.5.7.1.1
Criticality
PKIX requires that this extension must not be critical.
Parameters
| Parameter | Description |
|---|---|
| enable | Specifies whether the rule is enabled or disabled. The default is to have this extension disabled. |
| critical | Sets whether the extension is marked as critical; the default is noncritical. |
| numberOfAccessDescriptions |
Indicates the number of access descriptions, from 0 to any positive integer; the default is 0.
When setting this parameter to an integer other than 0, set the number, and then click OK to close the window. Re-open the edit window for the rule, and the fields to set the points will be present.
|
| accessMethodn | The only accepted value for this parameter is caIssuers. The caIssuers method is used when the information available lists certificates that can be used to verify the signature on the CRL. No other method should be used when the AIA extension is included in a CRL. |
| accessLocationTypen | Specifies the type of access location for the n access description. The options are either DirectoryName or URI. |
| accessLocationn |
If
accessLocationType is set to DirectoryName, the value must be a string in the form of an X.500 name, similar to the subject name in a certificate. For example, CN=CACentral,OU=Research Dept,O=Example Corporation,C=US.
If
accessLocationType is set to URI, the name must be a URI; the URI must be an absolute pathname and must specify the host. For example, http://testCA.example.com/get/crls/here/.
|
B.4.2.1.2. authorityKeyIdentifier
The Authority Key Identifier extension for a CRL identifies the public key corresponding to the private key used to sign the CRL. For details, see the discussion under certificate extensions at Section B.3.2, “authorityKeyIdentifier”.
The PKIX standard recommends that the CA must include this extension in all CRLs it issues because a CA's public key can change, for example, when the key gets updated, or the CA may have multiple signing keys because of multiple concurrent key pairs or key changeover. In these cases, the CA ends up with more than one key pair. When verifying a signature on a certificate, other applications need to know which key was used in the signature.
OID
2.5.29.35
Parameters
| Parameter | Description |
|---|---|
| enable | Specifies whether the rule is enabled or disabled. The default is to have this extension disabled. |
| critical | Sets whether the extension is marked as critical; the default is noncritical. |
B.4.2.1.3. CRLNumber
The CRLNumber extension specifies a sequential number for each CRL issued by a CA. It allows users to easily determine when a particular CRL supersedes another CRL. PKIX requires that all CRLs have this extension.
OID
2.5.29.20
Criticality
This extension must not be critical.
Parameters
| Parameter | Description |
|---|---|
| enable | Specifies whether the rule is enabled, which is the default. |
| critical | Sets whether the extension is marked as critical; the default is noncritical. |
B.4.2.1.4. deltaCRLIndicator
The deltaCRLIndicator extension generates a delta CRL, a list only of certificates that have been revoked since the last CRL; it also includes a reference to the base CRL. This updates the local database while ignoring unchanged information already in the local database. This can significantly improve processing time for applications that store revocation information in a format other than the CRL structure.
OID
2.5.29.27
Criticality
PKIX requires that this extension be critical if it exists.
Parameters
| Parameter | Description |
|---|---|
| enable | Sets whether the rule is enabled. By default, it is disabled. |
| critical | Sets whether the extension is critical or noncritical. By default, this is critical. |
B.4.2.1.5. FreshestCRL
The freshestCRL extension identifies how delta CRL information is obtained. The freshestCRL extension is placed in the full CRL to indicate where to find the latest delta CRL.
OID
2.5.29.46
Criticality
PKIX requires that this extension must be noncritical.
Parameters
| Parameter | Description |
|---|---|
| enable | Sets whether the extension rule is enabled. By default, this is disabled. |
| critical | Marks the extension as critical or noncritical. The default is noncritical. |
| numPoints | Indicates the number of issuing points for the delta CRL, from 0 to any positive integer; the default is 0. When setting this to an integer other than 0, set the number, and then click to close the window. Re-open the edit window for the rule, and the fields to set these points will be present. |
| pointTypen | Specifies the type of issuing point for the n issuing point. For each number specified in numPoints, there is an equal number of pointType parameters. The options are either DirectoryName or URIName. |
| pointNamen |
If
pointType is set to directoryName, the value must be a string in the form of an X.500 name, similar to the subject name in a certificate. For example, CN=CACentral,OU=Research Dept,O=Example Corporation,C=US.
If
pointType is set to URIName, the name must be a URI; the URI must be an absolute pathname and must specify the host. For example, http://testCA.example.com/get/crls/here/.
|
B.4.2.1.6. issuerAltName
The Issuer Alternative Name extension allows additional identities to be associated with the issuer of the CRL, like binding attributes such as a mail address, a DNS name, an IP address (both IPv4 and IPv6), and a uniform resource indicator (URI), with the issuer of the CRL. For details, see the discussion under certificate extensions at Section B.3.7, “issuerAltName Extension”.
OID
2.5.29.18
Parameters
| Parameter | Description |
|---|---|
| enable | Sets whether the extension rule is enabled; by default, this is disabled. |
| critical | Sets whether the extension is critical; by default, this is noncritical. |
| numNames | Sets the total number of alternative names or identities permitted in the extension. Each name has a set of configuration parameters, nameType and name, which must have appropriate values or the rule returns an error. Change the total number of identities by changing the value specified in this field; there is no limit on the total number of identities that can be included in the extension. Each set of configuration parameters is distinguished by an integer derived from the value of this field. For example, if the numNames parameter is set to 2, the derived integers are 0 and 1. |
| nameTypen |
Specifies the general-name type; this can be any of the following:
|
| namen |
Specifies the general-name value; the allowed values depend on the name type specified in the
nameType field.
|
B.4.2.1.7. issuingDistributionPoint
The Issuing Distribution Point CRL extension identifies the CRL distribution point for a particular CRL and indicates what kinds of revocation it covers, such as revocation of end-entity certificates only, CA certificates only, or revoked certificates that have a limited set of reason codes.
PKIX Part I does not require this extension.
OID
2.5.29.28
Criticality
PKIX requires that this extension be critical if it exists.
Parameters
| Parameter | Description |
|---|---|
| enable | Sets whether the extension is enabled; the default is disabled. |
| critical | Marks the extension as critical, the default, or noncritical. |
| pointType |
Specifies the type of the issuing distribution point from the following:
|
| pointName |
Gives the name of the issuing distribution point. The name of the distribution point depends on the value specified for the
pointType parameter.
Note
The CRL may be stored in the directory entry corresponding to the CRL issuing point, which may be different than the directory entry of the CA.
|
| onlySomeReasons |
Specifies the reason codes associated with the distribution point.
Permissible values are a combination of reason codes (
unspecified, keyCompromise, cACompromise, affiliationChanged, superseded, cessationOfOperation, certificateHold, and removeFromCRL) separated by commas. Leave the field blank if the distribution point contains revoked certificates with all reason codes (default).
|
| onlyContainsCACerts | Specifies that the distribution point contains user certificates only if set. By default, this is not set, which means the distribution point contains all types of certificates. |
| indirectCRL | Specifies that the distribution point contains an indirect CRL; by default, this is not selected. |
B.4.2.2. CRL Entry Extensions
The sections that follow lists the CRL entry extension types that are defined as part of the Internet X.509 v3 Public Key Infrastructure proposed standard. All of these extensions are noncritical.
B.4.2.2.1. certificateIssuer
The Certificate Issuer extension identifies the certificate issuer associated with an entry in an indirect CRL.
This extension is used only with indirect CRLs, which are not supported by the Certificate System.
OID
2.5.29.29
B.4.2.2.2. invalidityDate
The Invalidity Date extension provides the date on which the private key was compromised or that the certificate otherwise became invalid.
OID
2.5.29.24
Parameters
| Parameter | Description |
|---|---|
| enable | Sets whether the extension rule is enabled or disabled. By default, this is enabled. |
| critical | Marks the extension as critical or noncritical; by default, this is noncritical. |
B.4.2.2.3. CRLReason
The Reason Code extension identifies the reason for certificate revocation.
OID
2.5.29.21
Parameters
| Parameter | Description |
|---|---|
| enable | Sets whether the extension rule is enabled or disabled. By default, this is enabled. |
| critical | Marks the extension as critical or noncritical. By default, this is noncritical. |
B.4.3. Netscape-Defined Certificate Extensions Reference
Netscape defined certain certificate extensions for its products. Some of the extensions are now obsolete, and others have been superseded by the extensions defined in the X.509 proposed standard. All Netscape extensions should be tagged as noncritical, so that their presence in a certificate does not make that certificate incompatible with other clients.
B.4.3.1. netscape-cert-type
The Netscape Certificate Type extension can be used to limit the purposes for which a certificate can be used. It has been replaced by the X.509 v3 extensions Section B.3.6, “extKeyUsage” and Section B.3.3, “basicConstraints”.
If the extension exists in a certificate, it limits the certificate to the uses specified in it. If the extension is not present, the certificate can be used for all applications, except for object signing.
The value is a bit-string, where the individual bit positions, when set, certify the certificate for particular uses as follows:
- bit 0: SSL Client certificate
- bit 1: SSL Server certificate
- bit 2: S/MIME certificate
- bit 3: Object Signing certificate
- bit 4: reserved
- bit 5: SSL CA certificate
- bit 6: S/MIME CA certificate
- bit 7: Object Signing CA certificate
OID
2.16.840.1.113730.1.1
B.4.3.2. netscape-comment
The value of this extension is an IA5String. It is a comment that can be displayed to the user when the certificate is viewed.
OID
2.16.840.1.113730.13
