A.5. Standard X.509 v3 CRL Extensions

In addition to certificate extensions, the X.509 proposed standard defines extensions to CRLs, which provide methods for associating additional attributes with Internet CRLs. These are of two kinds: extensions to the CRL itself and extensions to individual certificate entries in the CRL.

A.5.1. Extensions for CRLs

The following CRL extensions are defined as part of the Internet X.509 v3 Public Key Infrastructure proposed standard.

A.5.1.1. authorityKeyIdentifier

A.5.1.1.1. OID

2.5.29.35

A.5.1.1.2. Discussion

The Authority Key Identifier extension for a CRL identifies the public key corresponding to the private key used to sign the CRL. For details, see the discussion under certificate extensions at Section A.3.2, “authorityKeyIdentifier”.

PKIX requires that a conforming CA include this extension in all CRLs it issues, because a CA's public key can change: the key may be updated, or the CA may hold several signing keys at once because of concurrent key pairs or key changeover. In these cases the CA has more than one key pair, and an application verifying the signature on a CRL needs to know which key was used.

A.5.1.1.3. Parameters
Parameter Description
enable Specifies whether the rule is enabled or disabled. The default is to have this extension disabled.
critical Sets whether the extension is marked as critical; the default is noncritical.

Table A.4. AuthorityKeyIdentifierExt Configuration Parameters

A.5.1.2. CRLNumber

A.5.1.2.1. OID

2.5.29.20

A.5.1.2.2. Criticality

This extension must not be critical.

A.5.1.2.3. Discussion

The CRLNumber extension carries a monotonically increasing sequence number for each CRL issued by a CA. It allows relying parties to determine easily when a particular CRL supersedes another CRL. PKIX requires that all CRLs have this extension.

A.5.1.2.4. Parameters
Parameter Description
enable Specifies whether the rule is enabled, which is the default.
critical Sets whether the extension is marked as critical; the default is noncritical.

Table A.5. CRLNumber Configuration Parameters

A.5.1.3. deltaCRLIndicator

A.5.1.3.1. OID

2.5.29.27

A.5.1.3.2. Criticality

PKIX requires that this extension be critical if it exists.

A.5.1.3.3. Discussion

The deltaCRLIndicator extension marks a CRL as a delta CRL, which lists only the certificates whose revocation status has changed since a base CRL; the value of the extension is the CRL number of that base CRL (BaseCRLNumber), not a URL. A relying party that already holds the base CRL applies the delta to bring its local database up to date while skipping the unchanged information it already has. This can significantly improve processing time for applications that store revocation information in a format other than the CRL structure.

A.5.1.3.4. Parameters
Parameter Description
enable Sets whether the rule is enabled. By default, it is disabled.
critical Sets whether the extension is critical or noncritical. By default, this is critical.

Table A.6. DeltaCRL Configuration Parameters
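The following is an added example, not Certificate System code, showing how a relying party applies a delta CRL to a locally cached complete CRL using only the fields described above: the CRLNumber, the base CRL number carried by deltaCRLIndicator, and the per-entry reason code. It models CRLs as plain Python objects; DER parsing and signature verification are assumed to have happened before a CRL reaches this code, and the issuer string and serial numbers are made up.

```python
"""Apply a delta CRL to a locally cached complete CRL.

Added example, not Certificate System code.  It models only the fields this
section describes (CRLNumber, the delta's base CRL number carried by
deltaCRLIndicator, and the per-entry reason code) as plain Python objects.
DER parsing and signature checking are out of scope here and must happen
before a CRL reaches this code.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional

CERTIFICATE_HOLD, REMOVE_FROM_CRL = 6, 8        # CRLReason values from RFC 5280


@dataclass
class Crl:
    issuer: str                                              # assumed: issuer DN as a string
    crl_number: int                                          # CRLNumber extension
    entries: Dict[int, int] = field(default_factory=dict)    # serial -> reason code
    base_crl_number: Optional[int] = None                    # deltaCRLIndicator, delta CRLs only


class DeltaError(Exception):
    """The delta cannot be applied; the caller must fetch a complete CRL instead."""


def apply_delta(local: Crl, delta: Crl) -> Crl:
    """Return revocation state equivalent to the complete CRL numbered delta.crl_number."""
    if delta.base_crl_number is None:
        raise DeltaError("not a delta CRL: deltaCRLIndicator missing")
    if local.base_crl_number is not None:
        raise DeltaError("local CRL must be a complete CRL, not a delta")
    if delta.issuer != local.issuer:
        raise DeltaError("delta CRL issuer does not match the cached CRL")
    if local.crl_number < delta.base_crl_number:
        # The delta assumes a base we never saw: applying it would miss revocations.
        raise DeltaError(f"cached CRL {local.crl_number} predates base {delta.base_crl_number}")
    if delta.crl_number <= local.crl_number:
        return local                                         # nothing newer than what we hold
    merged = dict(local.entries)
    for serial, reason in delta.entries.items():
        if reason == REMOVE_FROM_CRL:
            merged.pop(serial, None)                         # e.g. a certificateHold released
        else:
            merged[serial] = reason                          # new revocation or changed reason
    return Crl(local.issuer, delta.crl_number, merged)


def refresh(local: Crl, delta: Crl) -> Optional[Crl]:
    """Convenience wrapper: None means fall back to fetching a complete CRL."""
    try:
        return apply_delta(local, delta)
    except DeltaError:
        return None


if __name__ == "__main__":
    # Constructed sample data: complete CRL #10 and a delta #12 based on #10.
    base = Crl("CN=Example CA", 10, {1001: 1, 1002: CERTIFICATE_HOLD})
    delta = Crl("CN=Example CA", 12, {1002: REMOVE_FROM_CRL, 1003: 2}, base_crl_number=10)
    print(apply_delta(base, delta))
```

Only a removeFromCRL entry deletes a serial from the local database; any other reason code either adds the serial or updates its reason. A cached CRL older than the delta's base cannot be patched and the caller has to fetch a complete CRL.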

A.5.1.4. FreshestCRL

A.5.1.4.1. OID

2.5.29.46

A.5.1.4.2. Criticality

PKIX requires that this extension must be noncritical.

A.5.1.4.3. Discussion

The freshestCRL extension identifies how delta CRL information for a complete CRL is obtained. It is placed in the complete CRL to indicate where to find the latest delta CRL.

A.5.1.4.4. Parameters
Parameter Description
enable Sets whether the extension rule is enabled. By default, this is disabled.
critical Marks the extension as critical or noncritical. The default is noncritical.
numPoints Indicates the number of issuing points for the delta CRL, from 0 to any positive integer; the default is 0. When setting this to an integer other than 0, set the number, and then click OK to close the window. Re-open the edit window for the rule, and the fields to set these points will be present.
pointType n Specifies the type of the nth issuing point. For each number specified in numPoints, there is an equal number of pointType parameters. The options are either directoryName or URI.
pointName n

If pointType is set to directoryName, the value must be a string in the form of an X.500 name, similar to the subject name in a certificate. For example, CN=CACentral,OU=Research Dept,O=Example Corporation,C=US.

If pointType is set to URI, the name must be a URI; the URI must be an absolute pathname and must specify the host. For example, http://testCA.example.com/get/crls/here/.

Table A.7. FreshestCRL Configuration Parameters

A.5.1.5. issuerAltName

A.5.1.5.1. OID

2.5.29.18

A.5.1.5.2. Discussion

The Issuer Alternative Name extension allows additional identities to be associated with the issuer of the CRL, binding attributes such as a mail address, a DNS name, an IP address, or a uniform resource identifier (URI) to the issuer of the CRL. For details, see the discussion under certificate extensions at Section A.3.7, “issuerAltName”.

A.5.1.5.3. Parameters
Parameter Description
enable Sets whether the extension rule is enabled; by default, this is disabled.
critical Sets whether the extension is critical; by default, this is noncritical.
numNames Sets the total number of alternative names or identities permitted in the extension. Each name has a set of configuration parameters, nameType and name, which must have appropriate values or the rule returns an error. Change the total number of identities by changing the value specified in this field; there is no limit on the total number of identities that can be included in the extension. Each set of configuration parameters is distinguished by an integer derived from the value of this field. For example, if the numNames parameter is set to 2, the derived integers are 0 and 1.
nameType n

Specifies the general-name type; this can be any of the following:

  • rfc822Name if the name is an Internet mail address.

  • directoryName if the name is an X.500 directory name.

  • dNSName if the name is a DNS name.

  • ediPartyName if the name is a EDI party name.

  • URL if the name is a URI (default).

  • iPAddress if the name is an IP address.

  • OID if the name is an object identifier.

  • otherName if the name is in any other name form; this supports PrintableString, IA5String, UTF8String, BMPString, Any, and KerberosName.

name n

Specifies the general-name value; the allowed values depend on the name type specified in the nameType field.

  • For rfc822Name, the value must be a valid Internet mail address in the local-part@domain format.

  • For directoryName, the value must be a string X.500 name, similar to the subject name in a certificate. For example, CN=CACentral,OU=Research Dept,O=Example Corporation,C=US.

  • For dNSName, the value must be a valid domain name in the DNS format. For example, testCA.example.com.

  • For ediPartyName, the name must be an IA5String. For example, Example Corporation.

  • For URL, the value must be a non-relative URI. For example, http://testCA.example.com.

  • For iPAddress, the value must be a valid IP address specified in dot-separated numeric component notation. It can be the IP address or the IP address including the netmask.

  • For OID, the value must be a unique, valid OID specified in the dot-separated numeric component notation. For example, 1.2.3.4.55.6.5.99. Although custom OIDs can be used to evaluate and test the server, in a production environment, comply with the ISO rules for defining OIDs and for registering subtrees of IDs. See Section A.2, “Note on Object Identifiers” for information on allocating private OIDs.

  • For otherName, the name can be in any other format; this supports PrintableString, IA5String, UTF8String, BMPString, Any, and KerberosName. For PrintableString, IA5String, UTF8String, BMPString, and Any, the name must be the absolute path to a file that contains the general name in its base-64 encoded format. For example, /var/lib/rhpki-ca/extn/ian/othername.txt. For KerberosName, the value has the format Realm|NameType|NameStrings, such as realm1|0|userID1,userID2.

Table A.8. IssuerAlternativeName Configuration Parameters

A.5.1.6. issuingDistributionPoint

A.5.1.6.1. OID

2.5.29.28

A.5.1.6.2. Criticality

PKIX requires that this extension be critical if it exists.

A.5.1.6.3. Discussion

The Issuing Distribution Point CRL extension identifies the CRL distribution point for a particular CRL and indicates what kinds of revocation it covers, such as revocation of end-entity certificates only, CA certificates only, or revoked certificates that have a limited set of reason codes.

The rule can be modified to support any name form by making the appropriate changes to the sample code provided; for more information, see the CS SDK.

PKIX Part I does not require this extension.

A.5.1.6.4. Parameters
Parameter Description
enable Sets whether the extension is enabled; the default is disabled.
critical Marks the extension as critical or noncritical; the default is critical.
pointType

Specifies the type of the issuing distribution point from the following:

  • directoryName specifies that the type is an X.500 directory name.

  • URI specifies that the type is a uniform resource identifier.

pointName

Gives the name of the issuing distribution point. The name of the distribution point depends on the value specified for the pointType parameter.

  • For directoryName, the name must be an X.500 name. For example, cn=CRLCentral,ou=Research Dept,o=Example Corporation,c=US

  • For URI, the name must be a URI that is an absolute pathname and specifies the host. For example, http://testCA.example.com/get/crls/here/.

NOTE

The CRL may be stored in the directory entry corresponding to the CRL issuing point, which may be different than the directory entry of the CA.

onlySomeReasons

Specifies the reason codes associated with the distribution point.

Permissible values are a combination of reason codes (unspecified, keyCompromise, cACompromise, affiliationChanged, superseded, cessationOfOperation, certificateHold, and removeFromCRL) separated by commas. Leave the field blank if the distribution point contains revoked certificates with all reason codes (default).

onlyContainsCACerts Specifies that the distribution point contains CA certificates only if set. By default, this is not set, which means the distribution point contains all types of certificates.
indirectCRL Specifies that the distribution point contains an indirect CRL; by default, this is not selected.

Table A.9. IssuingDistributionPoint Configuration Parameters

A.5.2. CRL Entry Extensions

The sections that follow list the CRL entry extension types that are defined as part of the Internet X.509 v3 Public Key Infrastructure proposed standard. All of these extensions are noncritical.

A.5.2.1. certificateIssuer

A.5.2.1.1. OID

2.5.29.29

A.5.2.1.2. Discussion

The Certificate Issuer extension identifies the certificate issuer associated with an entry in an indirect CRL.

This extension is used only with indirect CRLs, which are not supported by the Certificate System.

A.5.2.2. holdInstructionCode

A.5.2.2.1. OID

2.5.29.23

A.5.2.2.2. Discussion

The Hold Instruction Code extension indicates the action to be taken after encountering a certificate that has been placed on hold.

A.5.2.2.3. Parameters
Parameter Description
enable Sets whether the rule is enabled; by default, this is disabled.
critical Marks the extension as critical; by default, this is marked noncritical.
instruction

Sets the action a validating application must take when it encounters a certificate that has been put on hold; these can be none, callissuer, or reject.

none specifies that the validating application should not do anything; the PKIX standard says that this is semantically equivalent to the absence of the holdInstructionCode extension.

callissuer specifies that the validating application must call the CA that has issued the certificate or reject the certificate.

reject specifies that the validating application must reject the certificate on hold.

Table A.10. HoldInstruction Configuration Parameters

A.5.2.3. invalidityDate

A.5.2.3.1. OID

2.5.29.24

A.5.2.3.2. Discussion

The Invalidity Date extension provides the date, as a GeneralizedTime, on which the private key was compromised or the certificate otherwise became invalid. This date can be earlier than the revocation date recorded in the CRL entry, which is the date the CA processed the revocation.

A.5.2.3.3. Parameters
Parameter Description
enable Sets whether the extension rule is enabled or disabled. By default, this is enabled.
critical Marks the extension as critical or noncritical; by default, this is noncritical.

Table A.11. InvalidityDate Configuration Parameters

A.5.2.4. CRLReason

A.5.2.4.1. OID

2.5.29.21

A.5.2.4.2. Discussion

The Reason Code extension identifies the reason for certificate revocation.

A.5.2.4.3. Parameters
Parameter Description
enable Sets whether the extension rule is enabled or disabled. By default, this is enabled.
critical Marks the extension as critical or noncritical. By default, this is noncritical.

Table A.12. CRLReason Configuration Parameters
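The following is an added example, not Certificate System code, that ties together the CRL extensions of Section A.5.1 and the entry extensions of Section A.5.2: it decodes a DER-encoded CRL, reads the CRLNumber, the deltaCRLIndicator base number, each entry's reason code and hold instruction, and checks the PKIX criticality rules quoted above (authorityKeyIdentifier and CRLNumber present, CRLNumber and freshestCRL noncritical, deltaCRLIndicator and issuingDistributionPoint critical, entry extensions noncritical). The sample CRL is constructed inline by a small DER encoder; the issuer name, serial numbers, dates and key identifier are made up, and the signature is a placeholder that is never verified.

```python
"""Decode a DER CRL, list its CRL and CRL-entry extensions, and check the PKIX criticality rules
quoted in this appendix.  Added example, not Certificate System code: the sample CRL is built inline
by a tiny DER encoder, every value in it is made up, and its signature is a placeholder never verified."""
AKI, CRLNUM, DELTA, FRESHEST, IDP = "2.5.29.35", "2.5.29.20", "2.5.29.27", "2.5.29.46", "2.5.29.28"
REASON, HOLD, INVALIDITY = "2.5.29.21", "2.5.29.23", "2.5.29.24"
HOLD_REJECT = "1.2.840.10040.2.3"                                     # id-holdinstruction-reject

def tlv(tag, body):                                                   # DER tag-length-value
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8 or 1, "big")
    return bytes([tag]) + (lb if len(body) < 0x80 else bytes([0x80 | len(lb)]) + lb) + body
def integer(v, tag=0x02):                                             # tag 0x0A encodes ENUMERATED
    return tlv(tag, v.to_bytes((v.bit_length() + 8) // 8, "big"))
def oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for v in arcs[2:]:                                                # base-128, high bit = more to come
        chunk, v = [v & 0x7F], v >> 7
        while v:
            chunk.append(0x80 | (v & 0x7F))
            v >>= 7
        out += bytes(reversed(chunk))
    return tlv(0x06, bytes(out))
def extension(oid_s, value, critical=False):                          # critical DEFAULT FALSE is omitted
    return tlv(0x30, oid(oid_s) + (tlv(0x01, b"\xff") if critical else b"") + tlv(0x04, value))

def build_sample_crl(crlnumber_critical=False):
    """Constructed delta CRL #42 on base #40: serial 1001 keyCompromise, serial 1002 on hold."""
    alg = tlv(0x30, oid("1.2.840.113549.1.1.11") + tlv(0x05, b""))    # sha256WithRSAEncryption
    issuer = tlv(0x30, tlv(0x31, tlv(0x30, oid("2.5.4.3") + tlv(0x0C, b"Example CA"))))
    when = tlv(0x17, b"240101000000Z")                                 # UTCTime
    e1 = tlv(0x30, integer(1001) + when + tlv(0x30, extension(REASON, integer(1, 0x0A))
             + extension(INVALIDITY, tlv(0x18, b"20231231000000Z"))))  # GeneralizedTime
    e2 = tlv(0x30, integer(1002) + when + tlv(0x30, extension(REASON, integer(6, 0x0A))
             + extension(HOLD, oid(HOLD_REJECT))))
    exts = (extension(AKI, tlv(0x30, tlv(0x80, bytes(range(20)))))     # [0] keyIdentifier
            + extension(CRLNUM, integer(42), critical=crlnumber_critical)
            + extension(DELTA, integer(40), critical=True))
    tbs = tlv(0x30, integer(1) + alg + issuer + when + when + tlv(0x30, e1 + e2)
              + tlv(0xA0, tlv(0x30, exts)))                            # [0] EXPLICIT crlExtensions
    return tlv(0x30, tbs + alg + tlv(0x03, bytes(33)))                 # placeholder signature BIT STRING

def read_tlv(buf, pos=0):                                             # -> (tag, content, next offset)
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:                                                      # long-form length
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n
def children(body):
    items, pos = [], 0
    while pos < len(body):
        tag, val, pos = read_tlv(body, pos)
        items.append((tag, val))
    return items
def decode_oid(b):
    arcs, v = [b[0] // 40, b[0] % 40], 0
    for byte in b[1:]:
        v = (v << 7) | (byte & 0x7F)
        if not byte & 0x80:
            arcs, v = arcs + [v], 0
    return ".".join(map(str, arcs))
def decode_extensions(seq_body):                                      # -> [(oid, critical, inner DER)]
    return [(decode_oid(f[0][1]), len(f) == 3 and f[1][1] == b"\xff", f[-1][1])
            for f in (children(ext) for _, ext in children(seq_body))]

def parse_crl(der):
    """CertificateList -> CRL number, base CRL number (delta only), CRL and entry extensions."""
    f = children(read_tlv(read_tlv(der)[1])[1])                       # fields of tbsCertList
    i = (1 if f[0][0] == 0x02 else 0) + 3                             # version?, signature, issuer, thisUpdate
    if i < len(f) and f[i][0] in (0x17, 0x18):
        i += 1                                                        # optional nextUpdate
    entries = {}
    if i < len(f) and f[i][0] == 0x30:                                # revokedCertificates
        for _, entry in children(f[i][1]):
            ef = children(entry)
            entries[int.from_bytes(ef[0][1], "big")] = decode_extensions(ef[2][1]) if len(ef) == 3 else []
        i += 1
    exts = decode_extensions(children(f[i][1])[0][1]) if i < len(f) and f[i][0] == 0xA0 else []
    vals = {o: v for o, _, v in exts}
    num = lambda o: int.from_bytes(read_tlv(vals[o])[1], "big") if o in vals else None
    return {"crl_number": num(CRLNUM), "base_crl_number": num(DELTA), "extensions": exts, "entries": entries}

def entry_status(entry_exts):
    """(reasonCode, holdInstructionCode OID) of one entry; None where the extension is absent."""
    v = {o: val for o, _, val in entry_exts}
    return (read_tlv(v[REASON])[1][0] if REASON in v else None,
            decode_oid(read_tlv(v[HOLD])[1]) if HOLD in v else None)

def check_pkix(der):
    """Violations of the rules quoted in this appendix; an empty list means the CRL conforms."""
    crl = parse_crl(der)
    crit = {o: c for o, c, _ in crl["extensions"]}
    problems = [msg for cond, msg in (
        (AKI not in crit, "authorityKeyIdentifier missing"),
        (CRLNUM not in crit, "CRLNumber missing"),
        (crit.get(CRLNUM), "CRLNumber must not be critical"),
        (DELTA in crit and not crit[DELTA], "deltaCRLIndicator must be critical"),
        (IDP in crit and not crit[IDP], "issuingDistributionPoint must be critical"),
        (crit.get(FRESHEST), "freshestCRL must not be critical")) if cond]
    problems += [f"unrecognized critical CRL extension {o}" for o, c in crit.items()
                 if c and o not in {AKI, CRLNUM, DELTA, FRESHEST, IDP}]
    for serial, eexts in crl["entries"].items():
        problems += [f"entry {serial}: critical entry extension {o}" for o, c, _ in eexts if c]
    return problems
```

Calling `check_pkix(build_sample_crl())` returns an empty list, while `build_sample_crl(crlnumber_critical=True)` produces a CRL that violates the CRLNumber rule quoted in Section A.5.1.2. A critical extension the checker does not recognize is reported as well, since a relying party that cannot process a critical CRL extension must not use the CRL.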