Who checks the X.509 CRL and where I have to define the CRL distribution point ?

Do you have a question? Post it now! No Registration Necessary.  Now with pictures!

Hi folks,

I'd like to build up a hierarchical PKI or a small organization. In
the past I used only a flat PKI structure without a CRL. Now I'd like
to have a 3 layer structure:

One Root Certificate, which signs only sub CAs. These SubCAs on layer
2 should sign user certificates und server certificates (layer 3).

In this concept it makes sense to use Certificate Revocation Lists
(CRL). The creation of the  Revocation Lists is not my problem. Also
not making X.509-CRL available on the web.

My problem is: in which certificate I have to store the "CRL
distribution point" link?  In the root certificate I point to the
rootCA CRL.  In the sub CA I have to point to what? To the rootCA CRL-Link
or to the SubCA CRL-Link And should I store the CRL-Link of the issuere CA
in the user/server certs?

I played with several variants. I found out that my mailprogram and
the IE don't check the given URL to the CRL.

Please, can one of you give me a hint?

Thanks Reiner

Site Timeline