000025242 - How to publish CRL to a specific format (PEM or DER) in RSA Keon Certificate Authority

Document created by RSA Customer Support Employee on Jun 16, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 2

Article Content

Article Number: 000025242
Applies To: Keon Certificate Authority 6.5.1
Issue: How to publish CRL to a specific format (PEM or DER) in RSA Keon Certificate Authority
Resolution:

Distinguished Encoding Rules (DER)

The Distinguished Encoding Rules (DER) are an ASN.1 encoding standard. DER is canonical: every ASN.1 value has exactly one DER encoding, which is why the signature on an end-entity certificate or on a revocation list (a complete CRL, delta CRL or ARL) is calculated over the DER encoding of the signed portion, and why a verifier must see exactly those bytes.

Privacy Enhanced Mail (PEM) format

PEM was originally created to provide secure e-mail services on the Internet. It turned out to be too unwieldy for widespread use, and now "PEM format" usually refers only to the base64 encoding that was part of the PEM proposal: the DER bytes are base64-encoded and wrapped between "-----BEGIN ...-----" and "-----END ...-----" lines (for a CRL, "-----BEGIN X509 CRL-----" and "-----END X509 CRL-----"). This encoding transforms arbitrary (8-bit) data into a format suitable for transmission through e-mail servers, some of which only understand 7-bit data.

Basically, PEM encoding is useful whenever binary data needs to be presented in a text-readable form; for example, to allow it to be copied and pasted between applications.

KCA locally publishes Certificate Revocation Lists for HTTP retrieval in PEM encoding. In the KCA Administrator's Guide, page 235, review the section titled "Configuring CAs to Locally Publish Complete CRLs for HTTP Retrieval".

NOTE: The KCA does not publish to external HTTP servers. Complete CRLs, delta CRLs and ARLs are all handled the same way. The Administrator's Guide describes local HTTP-based complete CRL publishing as follows: complete CRLs are published in DER format to a Web server virtual host called the CRL Server. The CRL Server is created when Keon CA is installed. The default port number for the CRL Server is 447, but the port number can be changed during installation. Because the guide's wording says DER while the paragraph above says PEM, confirm what your CRL Server actually serves by inspecting the first bytes of the downloaded file: a DER CRL begins with the byte 0x30 (the ASN.1 SEQUENCE tag), a PEM CRL with the text line "-----BEGIN X509 CRL-----".

KCA locally publishes Certificate Revocation Lists for LDAP retrieval in DER encoding. In the KCA Administrator's Guide, page 237, review the section titled "Configuring CAs to Locally Publish Complete CRLs for LDAP Retrieval".

NOTE: The KCA also publishes to external LDAP servers in DER format. Complete CRLs, delta CRLs and ARLs are all handled the same way. For local LDAP-based complete CRL publishing, complete CRLs are published to the Secure Directory in DER format. The location of the complete CRL in the Secure Directory corresponds to the subject DN of the CA certificate for which complete CRL publishing has been enabled.
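To check which encoding a CRL retrieved from the CRL Server or from the Secure Directory actually has, and to convert between the two, the following Python example (added here; it is not RSA Keon CA code and uses only the standard library) detects PEM versus DER, validates the outer DER SEQUENCE length so that a truncated or padded download is caught, and round-trips a CRL between the two formats. The sample bytes are a constructed, minimal ASN.1 SEQUENCE standing in for a CRL, not a real signed CRL, and no KCA host, port or directory entry is assumed.

```python
"""Tell PEM from DER for an X.509 CRL and convert between them.

Added example for this article; it is not RSA Keon CA code. Only the
Python standard library is used, so it runs offline. The sample DER
values below are CONSTRUCTED minimal ASN.1 SEQUENCEs, not real CRLs.
"""
import base64
import re

PEM_LABEL = "X509 CRL"   # label OpenSSL uses for a CRL PEM block (RFC 7468)
_PEM_RE = re.compile(
    rb"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def der_length(data: bytes) -> int:
    """Return the total length (header + content) of the outer ASN.1 TLV.

    Raises ValueError if the bytes are not one complete, well-formed DER
    SEQUENCE, e.g. a truncated download or a PEM file mistaken for DER.
    """
    if len(data) < 2 or data[0] != 0x30:        # 0x30 = SEQUENCE tag
        raise ValueError("not an ASN.1 SEQUENCE")
    first = data[1]
    if first < 0x80:                             # short-form length
        hdr, length = 2, first
    else:                                        # long form: 0x8N then N length bytes
        n = first & 0x7F
        if n == 0 or n > 4 or len(data) < 2 + n:
            raise ValueError("bad DER length octets")
        length = int.from_bytes(data[2:2 + n], "big")
        hdr = 2 + n
        # DER requires the minimal length encoding; anything else is BER
        if length < 0x80 or data[2] == 0:
            raise ValueError("non-minimal length encoding (BER, not DER)")
    total = hdr + length
    if total != len(data):
        raise ValueError(f"SEQUENCE covers {total} bytes, input has {len(data)}")
    return total


def detect_encoding(data: bytes) -> str:
    """Return 'PEM', 'DER' or 'unknown' for the bytes a CRL server returned."""
    if _PEM_RE.search(data):
        return "PEM"
    try:
        der_length(data)
        return "DER"
    except ValueError:
        return "unknown"


def pem_to_der(pem: bytes) -> bytes:
    """Unwrap a PEM CRL block and return its DER payload."""
    m = _PEM_RE.search(pem)
    if not m:
        raise ValueError("no PEM block found")
    if m.group(1) != PEM_LABEL.encode():
        raise ValueError(f"unexpected PEM label {m.group(1)!r}")
    der = base64.b64decode(b"".join(m.group(2).split()), validate=True)
    der_length(der)   # the base64 payload must itself be complete DER
    return der


def der_to_pem(der: bytes, label: str = PEM_LABEL) -> bytes:
    """Wrap DER bytes as a PEM block with 64-character lines (RFC 7468)."""
    der_length(der)
    b64 = base64.b64encode(der)
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return (f"-----BEGIN {label}-----\n".encode()
            + b"\n".join(lines) + b"\n"
            + f"-----END {label}-----\n".encode())


# Constructed samples (not real CRLs): SEQUENCE { INTEGER 1, INTEGER 2 },
# and a SEQUENCE whose 200-byte content forces a long-form length.
SAMPLE_DER = bytes.fromhex("3006020101020102")
SAMPLE_LONG_DER = b"\x30\x81\xc8" + (b"\x04\x81\xc5" + b"\x41" * 197)

if __name__ == "__main__":
    print(detect_encoding(SAMPLE_DER))               # DER
    pem = der_to_pem(SAMPLE_DER)
    print(pem.decode(), end="")
    print(detect_encoding(pem))                      # PEM
    print(pem_to_der(pem) == SAMPLE_DER)             # True
    print(detect_encoding(SAMPLE_DER[:-1]))          # unknown (truncated)
```

On a host with OpenSSL the same conversion is `openssl crl -inform DER -in complete.crl -outform PEM -out complete.pem`, and `openssl crl -in complete.pem -noout -text` prints the decoded list; the Python version is useful when you only want to confirm the encoding and completeness of what the server delivered before feeding it to a client that accepts one format only.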
Legacy Article ID: a28236
