000020318 - How to add CRLDistributionPoint extension to certificates with a custom URI

Document created by RSA Customer Support Employee on Jun 16, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.

Article Content

Article Number: 000020318
Applies To: Keon Certificate Authority 6.0.2
Issue: How to add CRLDistributionPoint extension to certificates with a custom URI
Resolution: The CRLDistributionPoint (CRLDP) extension is added automatically to all certificates issued by a CA if that CA is configured for local CRL publishing (KCA Admin Interface -> CA Operations workbench -> View the CA -> click Local CRL Publishing button -> follow the instructions to enable HTTP or LDAP server publishing). In this case, the CRLDP extension gets the value provided by KCA, which points to either the KCA HTTP server or the KCA LDAP server.

If the CRLDP extension must instead be populated automatically with a custom URI (an HTTP URL not served by KCA), for example:

        http://crl.xyz123.com/ca.crl

A solution is available given the following assumptions:

- Certificates are issued through KCA OneStep
- 'Local CRL Publishing' is not enabled
- An extension profile is being used with OneStep to issue certificates


Below are the steps to appropriately configure the extension profile in KCA to accomplish this:

1. Go to the KCA Admin Interface -> System Configuration workbench -> select Extension Profiles link -> select the extension profile being used with OneStep to issue certificates that need the custom CRLDP extension -> click the Edit button -> mark the CRLDP extension as Mandatory -> select the Edit button against CRL Distribution Points.

If the script for CRLDP extension has not been changed, it might look like the following (excluding the Start/End markers):

+++++++++++++++ Start of Script +++++++++++++++++
{
 name : 'CRL Distribution Points',
 type : 'mandatory',
 autogenerate : false,
 noncritical : {
   def : false,
   editable : false,
   visible : true,
   type : 'mandatory'
 },
 cRLDistPointsSyntax : {
   def : 1,
   min : 1,
   max : 10,
   visible : true,
   editable : true,
   type : 'mandatory',
   elements : [
     {
       editable : true,
       visible : true,
       type : 'optional',
       distributionPoint : {
         def : 'fullName',
         editable : true,
         visible : true,
         type : 'mandatory',
         value : {
           min : 1,
           max : 10,
           def : 1,
           editable : true,
           visible : true,
           elements : [
             {
               def : 'rfc822Name',
               editable : true,
               visible : true,
               type : 'mandatory',
               value : {
                 def : 'Administrator@your-domain.com',
                 editable : true,
                 visible : true,
                 type : 'mandatory',
                 validator : 'extCheckGenName(this)'
               }
             }
           ]
         }
       }
     },
     {
       editable : true,
       visible : true,
       type : 'optional',
       distributionPoint : {
         def : 'nameRelativeToCRLIssuer',
         editable : true,
         visible : true,
         type : 'mandatory',
         value : {
           min : 1,
           max : 10,
           def : 1,
           editable : true,
           visible : true,
           elements : [
             {
               oid : {
                 def : 'myOID',
                 editable : true,
                 visible : true,
                 type : 'mandatory'
               },
               type : {
                 def : 'myType',
                 editable : true,
                 visible : true,
                 type : 'mandatory'
               },
               value : {
                 def : 'MyValue',
                 editable : true,
                 visible : true,
                 type : 'mandatory'
               }
             }
           ]
         }
       }
     }
   ]
 }
}
+++++++++++++++ End of Script +++++++++++++++++


2. Replace the above text with the following (excluding the Start/End markers). Remember to change the HTTP URL 'http://crl.xyz123.com/ca.crl' in the script below to the correct one.


+++++++++++++++ Start of Script +++++++++++++++++
{
name : 'CRL Distribution Points',
type : 'mandatory',
autogenerate : false,
critical : {
 def : false,
 editable : false,
 visible : false,
 type : 'mandatory'
},
cRLDistPointsSyntax : {
 def : 1,
 min : 1,
 max : 10,
 visible : false,
 editable : false,
 type : 'mandatory',
 elements : [
  {
   editable : false,
   visible : false,
   type : 'mandatory',
   distributionPoint : {
    def : 'fullName',
    editable : false,
    visible : false,
    type : 'mandatory',
    value : {
     min : 1,
     max : 10,
     def : 1,
     editable : false,
     visible : false,
     elements : [
      {
       def : 'uRI',
       editable : false,
       visible : false,
       type : 'mandatory',
       value : {
        def : 'http://crl.xyz123.com/ca.crl',
        editable : false,
        visible : false,
        type : 'mandatory',
        validator : 'extCheckGenName(this)'
       }
      }
     ]
    }
   }
  }
 ]
}
}
+++++++++++++++ End of Script +++++++++++++++++


3. Click Next and click Save to update the extension profile. All certificates issued through OneStep that use the above configured extension profile will include the custom CRLDP extension from this point forward.

NOTE: If you are testing this functionality and issuing certificates through the KCA Admin Interface (not through OneStep), close all browser windows and open a new browser window to connect to the KCA Admin interface. When vetting a certificate request, the administrator will need to click through a few pages before a certificate is issued; however, there will be no need to enter any data for the CRLDP extension.
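To verify what an issued certificate actually carries, the following is an added example (not part of this article or of KCA) that encodes and decodes the DER value of the CRLDistributionPoints extension (OID 2.5.29.31) so the configured URI can be checked. The input is the extension's DER value as extracted from a certificate (for instance with openssl asn1parse); the sample value here is constructed from the article's placeholder URL.

```python
def _der_len(n: int) -> bytes:
    """DER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(content)) + content

def encode_crldp(uris: list[str]) -> bytes:
    """One DistributionPoint per URI: [0] distributionPoint -> [0] fullName
    -> [6] uniformResourceIdentifier, the shape the profile script produces."""
    points = b""
    for uri in uris:
        name = _tlv(0x86, uri.encode("ascii"))        # [6] IMPLICIT IA5String
        points += _tlv(0x30, _tlv(0xA0, _tlv(0xA0, name)))
    return _tlv(0x30, points)                         # SEQUENCE OF DistributionPoint

def _read_tlv(buf: bytes, pos: int):
    """Return (tag, content, position after the element) for the TLV at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                 # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_crldp_uris(der: bytes) -> list[str]:
    """Return every [6] URI found under a fullName; other point shapes are skipped."""
    tag, points, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("CRLDistributionPoints must be a SEQUENCE")
    uris, pos = [], 0
    while pos < len(points):
        _, dp, pos = _read_tlv(points, pos)           # DistributionPoint
        if not dp or dp[0] != 0xA0:                   # no [0] distributionPoint
            continue
        tag, names, _ = _read_tlv(_read_tlv(dp, 0)[1], 0)
        if tag != 0xA0:                               # [1] nameRelativeToCRLIssuer
            continue
        npos = 0
        while npos < len(names):                      # GeneralNames
            tag, value, npos = _read_tlv(names, npos)
            if tag == 0x86:
                uris.append(value.decode("ascii"))
    return uris

EXPECTED_URI = "http://crl.xyz123.com/ca.crl"          # the article's placeholder URL
SAMPLE_EXT = encode_crldp([EXPECTED_URI])             # constructed sample extension value
```

The profile's 'fullName' and 'uRI' choices correspond to the [0] fullName and [6] uniformResourceIdentifier tags here; the replacement script also leaves the extension non-critical, which is what RFC 5280 recommends for CRLDP.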
Legacy Article ID: a15990
