000021511 - What is the caching behavior for CRLs in RSA Keon Certificate Verification Server?

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 22, 2017.
Version 2

Article Content

Article Number: 000021511
Applies To: RSA Keon Certificate Verification Server 1.0
Sun Solaris 2.8
Issue: What is the caching behavior for CRLs in RSA Keon Certificate Verification Server?
Cause: CRL caching behavior
Resolution: RSA Keon Certificate Verification Server caches CRLs per DN value specified in an IDP (Issuing Distribution Point) extension. Consider the following scenario:

- A CA for department X issues end-entity certificates for employees of department Y and employees from department Z

- An end-entity certificate for an employee of department Y has a CRL Distribution point for department Y

- An end-entity certificate for an employee of department Z has a CRL Distribution point for department Z

- A CRL for validating end-entity certificates for employees of department Y has an Issuing Distribution Point for department Y

- A CRL for validating end-entity certificates for employees of department Z has an Issuing Distribution Point for department Z

Does Certificate Verification Server cache a separate CRL for department Y and for department Z? The answer is "yes". Certificate Verification Server fetches and caches the CRL based on the CRL Distribution Points extension in the certificate whose status it is checking, and then confirms that the IDP value in the fetched CRL matches that DN before using it. Note that this won't work when serving plain OCSP, since an OCSP request carries no certificate, and hence no CRL-DP to drive the fetch.
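The following is an added illustration of the caching behavior described above; it is example code written for this article, not code from RSA Keon Certificate Verification Server. It models a cache keyed on the CRL Distribution Point DN taken from the certificate being checked, rejects a fetched CRL whose Issuing Distribution Point does not name that same DN, and shows why a plain OCSP request (serial number only, no certificate) gives the cache nothing to fetch by. All DNs, serial numbers and the CRL repository are constructed sample values.

```python
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List, Optional

# Constructed distribution-point DNs for the departments in the scenario.
DEPT_Y_DP = "ou=Department Y,o=Example"
DEPT_Z_DP = "ou=Department Z,o=Example"
DEPT_W_DP = "ou=Department W,o=Example"   # its published CRL carries the wrong IDP
DEPT_X_CA = "cn=Dept X CA,o=Example"      # the single issuing CA from the scenario


@dataclass(frozen=True)
class Certificate:
    subject: str
    serial: int
    crl_dp: Optional[str]   # DN from the CRL Distribution Points extension, None if absent


@dataclass(frozen=True)
class CRL:
    issuer: str
    idp: str                # DN from the Issuing Distribution Point extension
    revoked_serials: FrozenSet[int]


# Constructed stand-in for the CRL repository (e.g. an LDAP directory).
CRL_REPOSITORY: Dict[str, CRL] = {
    DEPT_Y_DP: CRL(DEPT_X_CA, DEPT_Y_DP, frozenset({1002})),
    DEPT_Z_DP: CRL(DEPT_X_CA, DEPT_Z_DP, frozenset({2001})),
    DEPT_W_DP: CRL(DEPT_X_CA, DEPT_Z_DP, frozenset()),   # IDP names department Z, not W
}


def fetch_from_repository(dp: str) -> CRL:
    """Hypothetical fetch: look the CRL up under the DN named by the certificate's CRL-DP."""
    return CRL_REPOSITORY[dp]


class CRLCache:
    """One cached CRL per distribution-point DN, filled on demand from the certificate's CRL-DP."""

    def __init__(self, fetch: Callable[[str], CRL]):
        self._fetch = fetch
        self._cache: Dict[str, CRL] = {}
        self.fetch_count = 0

    def crl_for(self, cert: Certificate) -> CRL:
        if cert.crl_dp is None:
            raise ValueError("certificate carries no CRL Distribution Points extension")
        crl = self._cache.get(cert.crl_dp)
        if crl is None:
            crl = self._fetch(cert.crl_dp)
            self.fetch_count += 1
            # Only accept the CRL if its IDP names the DN the certificate pointed us at.
            if crl.idp != cert.crl_dp:
                raise ValueError(f"IDP {crl.idp!r} does not match CRL-DP {cert.crl_dp!r}")
            self._cache[cert.crl_dp] = crl
        return crl

    def is_revoked(self, cert: Certificate) -> bool:
        return cert.serial in self.crl_for(cert).revoked_serials

    def cached_dps(self) -> List[str]:
        return sorted(self._cache)


def demo() -> dict:
    """Check three certificates: two from department Y, one from department Z."""
    cache = CRLCache(fetch_from_repository)
    alice = Certificate("cn=Alice,ou=Department Y,o=Example", 1001, DEPT_Y_DP)
    bob = Certificate("cn=Bob,ou=Department Y,o=Example", 1002, DEPT_Y_DP)
    carol = Certificate("cn=Carol,ou=Department Z,o=Example", 2001, DEPT_Z_DP)
    return {
        "alice_revoked": cache.is_revoked(alice),
        "bob_revoked": cache.is_revoked(bob),       # reuses the department Y CRL
        "carol_revoked": cache.is_revoked(carol),   # triggers the department Z fetch
        "fetch_count": cache.fetch_count,           # 2: one fetch per distinct CRL-DP
        "cached_dps": cache.cached_dps(),
    }


def idp_mismatch_rejected() -> bool:
    """A CRL whose IDP does not match the certificate's CRL-DP must not be cached or used."""
    cache = CRLCache(fetch_from_repository)
    dave = Certificate("cn=Dave,ou=Department W,o=Example", 3001, DEPT_W_DP)
    try:
        cache.is_revoked(dave)
    except ValueError:
        return cache.cached_dps() == []
    return False


def plain_ocsp_status(cache: CRLCache, issuer: str, serial: int) -> str:
    """A plain OCSP request names only issuer and serial: with no certificate there is no CRL-DP."""
    request_cert = Certificate(subject=f"serial {serial} issued by {issuer}", serial=serial, crl_dp=None)
    try:
        return "revoked" if cache.is_revoked(request_cert) else "good"
    except ValueError:
        return "unknown"


if __name__ == "__main__":
    print(demo())
    print("IDP mismatch rejected:", idp_mismatch_rejected())
    print("plain OCSP:", plain_ocsp_status(CRLCache(fetch_from_repository), DEPT_X_CA, 1002))
```

The cache key is the DN from the certificate, not the CRL's own IDP, because the fetch happens before the CRL has been seen; the IDP comparison afterwards is what stops a CRL published under one DP name from being accepted for another.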
Legacy Article ID: a23323
