CRL Update

From Dogtag

Configuration

CRL updates are configurable through the CA's console:

Crl-schedules.png


Enable CRL generation

This flag enables or disables CRL generation for the selected CRL issuing point.


Generate full CRL every N deltas

Here is a sample of CRL updates where a full CRL is generated every 3 deltas (a delta CRL is produced at every update; every third update additionally produces a full CRL):

 CRL Update   1   2   3   4   5   6   7   8   9   10
 Full CRL     +           +           +           +
 Delta CRL    +   +   +   +   +   +   +   +   +   +


Extend next update time in full CRLs

If selected, the nextUpdate field of the full CRL currently being generated points to the next time at which a full CRL will be generated; otherwise nextUpdate points to the immediately following CRL generation, which may produce a delta CRL only.

See the definition of nextUpdate in RFC 5280:

   CertificateList  ::=  SEQUENCE  {
        tbsCertList          TBSCertList,
        signatureAlgorithm   AlgorithmIdentifier,
        signatureValue       BIT STRING  }

   TBSCertList  ::=  SEQUENCE  {
        version                 Version OPTIONAL,
                                     -- if present, MUST be v2
        signature               AlgorithmIdentifier,
        issuer                  Name,
        thisUpdate              Time,
        nextUpdate              Time OPTIONAL,
        revokedCertificates     SEQUENCE OF SEQUENCE  {
             userCertificate         CertificateSerialNumber,
             revocationDate          Time,
             crlEntryExtensions      Extensions OPTIONAL
                                      -- if present, version MUST be v2
                                  }  OPTIONAL,
        crlExtensions           [0]  EXPLICIT Extensions OPTIONAL
                                      -- if present, version MUST be v2
                                  }


Update CRL every N minutes

This option generates CRLs every N minutes. Note that manual CRL updates or CA restarts may cause the schedule to drift, because the interval is counted from the last update rather than from a fixed time of day.
The following sample configuration will generate a CRL every 4 hours (counting from the last update).

Crl-updates-1.png


Combining CRL generation every N minutes with a daily starting time (provided through the Update CRL at entry field) prevents schedule drift.
The following sample configuration will generate a CRL every 4 hours starting from 1:00 am (1:00am, 5:00am, 9:00am, 1:00pm, 5:00pm, 9:00pm).

Crl-updates.png


Update CRL at

Starting time
This option was initially provided as a way to avoid the schedule drift associated with CRL updates performed every N minutes, by starting updates from the same time each day. Time precision is one minute, which implies the following time format: hh:mm.
Daily update list
The daily update list replaced the starting time as an improvement that allows CRL updates to be performed at exactly the same times each day. The time list is built as a list of times separated by commas: t1, t2, t3,..., tn, where ti < tj for i < j.
Note:
Update list for multiple days
The update list was extended to multiple days in response to request 512496. An update list for multiple days is built by combining multiple daily lists separated by semicolons: d1; d2; d3;...; dn.
Crl-updates-2.png
Sample update lists:
  • 0:10,0:15,23:57,23:58,23:59;0:01,0:02,0:03; - includes schedule for 3 days
    • day 1 includes CRL updates at 0:10, 0:15, 23:57, 23:58, and 23:59
    • day 2 includes CRL updates at 0:01, 0:02, and 0:03
    • day 3 includes no CRL updates
  • 1:05,21:20; 3:07;;4:06,16:12,22:07; - includes schedule for 5 days
    • day 1 includes CRL updates at 1:05 and 21:20
    • day 2 includes CRL update at 3:07
    • day 3 includes no CRL updates
    • day 4 includes CRL updates at 4:06, 16:12, and 22:07
    • day 5 includes no CRL updates
Update list for multiple days specifying full CRL generation times
The update list can additionally indicate when full CRLs are generated: an optional * prefix on a time marks an entry in the update list at which a full CRL will be generated (entries without * produce delta CRLs only).
Note: An update list that specifies full CRL generation times overrides the Generate full CRL every N deltas setting, which is then ignored.
Crl-schedules.png
Sample update lists:
  • 0:10,*0:15,23:57,*23:58,*23:59;0:01,*0:02,0:03; - includes schedule for 3 days
    • day 1 includes CRL updates at 0:10, 0:15, 23:57, 23:58, and 23:59 but full CRLs are generated at 0:15, 23:58, and 23:59
    • day 2 includes CRL updates at 0:01, 0:02, and 0:03 but full CRL is generated at 0:02
    • day 3 includes no CRL updates


General Rules

  • Lazy CRL updates: the basic rule is not to generate a CRL if the CA already holds a CRL whose nextUpdate is later than the current time.
  • A forced manual CRL update can be used to bypass the lazy CRL update rule.
