PKI CA CRL Extension: "Include in all CRLs"


Reinhard Henke

"Include in all CRLs. Specifies where to publish in the Active Directory
when publishing manually"

The name of this option in the Extension list of the CA properties is a
bit incomprehensible to me.

Even though the CRL publishing properties are described in detail at
Microsoft:

http://technet2.microsoft.com/windo...80f0-4cf0-bc8e-d8e055ce26491033.mspx?mfr=true


What exactly does this option do? As far as I understand, it is used for
offline CAs, to manually publish CRLs in the Active Directory, but
exactly why and how?

Where is the difference between "Include in all CRLs" and "Include in
the CDP extension of issued certificates"? As far as I understood,
these options just control whether the CRLs are to be published at the
specified location and/or whether they are to be included in the certificates.

MS describes this option with "The Include in all CRLs flag specifies
that the Active Directory publication location should be included in the
CRL itself.". Does this mean in the CDP extension of the certificate - I
don't believe that, as there's still another option for that. Much
confusion here...

Thanks in advance for throwing some light on it.

Reinhard
 

Brian Komar (MVP)

You are over-analyzing the options <G>.
- "Include in all CRLs" means: include this URL in all *CRLs* issued by the
CA.
- "Include in the CDP extension of issued certificates" means: include this
URL in the CDP extension of all *certificates* issued by the CA.
The idea of including it in the CRL is that if the client has a CRL that has
expired, the CRL contains a hint on where to obtain an updated CRL. If delta
CRLs are enabled, the Freshest CRL option is included in the CRL, providing
details on where to obtain an updated delta CRL.
Brian

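Brian's distinction above is between two containers for the same kind of data: a URL in a certificate's CRL Distribution Points extension, versus a URL in an extension of the CRL itself (for delta CRLs, the Freshest CRL extension). As an added example that is not part of the thread, the following Python builds and decodes both extensions using only the standard library, to show that they share the same DistributionPoint ASN.1 syntax and differ only in their OID and in which object carries them. The URLs are constructed sample values, not locations from the thread, and because the thread does not say which CRL extension the Windows "Include in all CRLs" URL lands in, the example makes no claim about that.

```python
"""Build and decode the X.509 DistributionPoint-based extensions that the
CA's CRL Distribution Point settings feed: cRLDistributionPoints (2.5.29.31),
placed in certificates, and freshestCRL (2.5.29.46), placed in CRLs to point
at the delta CRL.  Minimal DER encoder/decoder, standard library only.
All URLs below are constructed sample values."""

OID_CRL_DISTRIBUTION_POINTS = "2.5.29.31"   # CDP extension, carried by certificates
OID_FRESHEST_CRL = "2.5.29.46"              # Freshest CRL extension, carried by CRLs

def _len(n: int) -> bytes:
    """DER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + _len(len(content)) + content

def _oid(dotted: str) -> bytes:
    """OBJECT IDENTIFIER: first two arcs packed as 40*a+b, rest base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out.extend(reversed(chunk))
    return _tlv(0x06, bytes(out))

def encode_distribution_points(uris):
    """CRLDistributionPoints ::= SEQUENCE OF DistributionPoint, one per URI,
    each with fullName holding a single uniformResourceIdentifier GeneralName.
    The same value syntax is used by the freshestCRL extension."""
    dps = b""
    for uri in uris:
        general_name = _tlv(0x86, uri.encode("ascii"))   # [6] IA5String URI
        full_name = _tlv(0xA0, general_name)             # [0] fullName
        dp_name = _tlv(0xA0, full_name)                  # [0] distributionPoint
        dps += _tlv(0x30, dp_name)                       # DistributionPoint
    return _tlv(0x30, dps)

def encode_extension(oid: str, value_der: bytes) -> bytes:
    """Extension ::= SEQUENCE { extnID OID, extnValue OCTET STRING }
    (non-critical, so the BOOLEAN is omitted as DER requires for the default)."""
    return _tlv(0x30, _oid(oid) + _tlv(0x04, value_der))

def _read_tlv(buf: bytes, pos: int):
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                                    # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(content: bytes) -> str:
    arcs = [content[0] // 40, content[0] % 40]
    value = 0
    for b in content[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)

def decode_extension(ext_der: bytes):
    """Return (oid, [uris]) from a DER Extension whose value is a
    DistributionPoints sequence; tolerates an explicit critical BOOLEAN."""
    _, ext, _ = _read_tlv(ext_der, 0)
    _, oid_content, pos = _read_tlv(ext, 0)
    tag, value, pos = _read_tlv(ext, pos)
    if tag == 0x01:                                      # optional critical flag
        _, value, _ = _read_tlv(ext, pos)
    uris = []
    _, dps, _ = _read_tlv(value, 0)
    pos = 0
    while pos < len(dps):
        _, dp, pos = _read_tlv(dps, pos)
        _, dp_name, _ = _read_tlv(dp, 0)                 # [0] distributionPoint
        _, full_name, _ = _read_tlv(dp_name, 0)          # [0] fullName
        q = 0
        while q < len(full_name):
            t, gn, q = _read_tlv(full_name, q)
            if t == 0x86:                                # only URI GeneralNames
                uris.append(gn.decode("ascii"))
    return _decode_oid(oid_content), uris

# Constructed sample locations (hypothetical host and CA name, not from the thread).
CERT_CDP_URLS = ["http://pki.example.net/CertEnroll/Example%20Issuing%20CA.crl",
                 "ldap:///CN=Example%20Issuing%20CA,CN=CA1,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=example,DC=net?certificateRevocationList?base?objectClass=cRLDistributionPoint"]
DELTA_CRL_URLS = ["http://pki.example.net/CertEnroll/Example%20Issuing%20CA+.crl"]

# What goes into a certificate vs. what goes into the CRL itself.
CERT_CDP_EXTENSION = encode_extension(OID_CRL_DISTRIBUTION_POINTS,
                                      encode_distribution_points(CERT_CDP_URLS))
CRL_FRESHEST_EXTENSION = encode_extension(OID_FRESHEST_CRL,
                                          encode_distribution_points(DELTA_CRL_URLS))

if __name__ == "__main__":
    for name, ext in (("certificate CDP", CERT_CDP_EXTENSION),
                      ("CRL freshestCRL", CRL_FRESHEST_EXTENSION)):
        oid, uris = decode_extension(ext)
        print(name, oid, uris)
```

The two encoded extensions are byte-for-byte identical apart from the OID and the URLs, which is the point: the CA property page decides which object (certificate or CRL) carries the URL, not what the URL looks like. A client that only has an expired CRL in its cache can read its own hint extension without re-parsing the end-entity certificate that led it there.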
 

Reinhard Henke

Thank you for throwing light on this, Brian. You're right, I'm still
trying to understand the whole concept and digging through tons of
documentation...

However, I'm still wondering, why the system wouldn't just refer to the
URL in the CDP extension of the certificate to get an updated copy of
the CRLs.

Is storing the URLs in the CRLs ultimately intended to provide *updated*
hints to the CRLs? Just a provision for the case that the URL stored
in the CDP of the certificate becomes unavailable or needs to be
changed?

Thanks,
Reinhard

 