<div dir="ltr"><div>Hi,</div><div>We also welcome feedback to our documentation:</div><div><a href="https://access.redhat.com/documentation/en-us/red_hat_certificate_system/9/html-single/administration_guide/index#CRL_Distribution_Points_Extension_Default">https://access.redhat.com/documentation/en-us/red_hat_certificate_system/9/html-single/administration_guide/index#CRL_Distribution_Points_Extension_Default</a></div><div><br></div><div>thanks,</div><div>Christina<br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Mon, Jun 17, 2019 at 6:40 AM Fraser Tweedale <<a href="mailto:ftweedal@redhat.com">ftweedal@redhat.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">On Mon, Jun 17, 2019 at 12:30:22PM +0000, Goeman, Stefan wrote:<br>
> Hello,<br>
> <br>
> Is it possible with the Dogtag PKI to issue certificates that contain a CRL Distribution Point certificate extension?<br>
> I would like to work with a CRL web server, instead of using OCSP.<br>
> <br>
> Much thanks in advance for your feedback!<br>
> <br>
> Greetings,<br>
> Stefan Goeman<br>
> <br>
Hi Stefan,<br>
<br>
Yes, Dogtag supports the CRL Distribution Point extension.  Example<br>
profile configuration:<br>
<br>
policyset.serverCertSet.9.constraint.class_id=noConstraintImpl<br>
policyset.serverCertSet.9.constraint.name=No Constraint<br>
policyset.serverCertSet.9.default.class_id=crlDistributionPointsExtDefaultImpl<br>
policyset.serverCertSet.9.default.name=CRL Distribution Points Extension Default<br>
policyset.serverCertSet.9.default.params.crlDistPointsCritical=false<br>
policyset.serverCertSet.9.default.params.crlDistPointsNum=1<br>
policyset.serverCertSet.9.default.params.crlDistPointsEnable_0=true<br>
policyset.serverCertSet.9.default.params.crlDistPointsIssuerName_0=CN=Certificate Authority,o=ipaca<br>
policyset.serverCertSet.9.default.params.crlDistPointsIssuerType_0=DirectoryName<br>
policyset.serverCertSet.9.default.params.crlDistPointsPointName_0=http://example.com/ipa/crl/MasterCRL.bin<br>
policyset.serverCertSet.9.default.params.crlDistPointsPointType_0=URIName<br>
policyset.serverCertSet.9.default.params.crlDistPointsReasons_0=<br>
<br>
Hope that helps!<br>
Fraser<br>
<br>
</blockquote></div>
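Added example, not part of the original messages and not Dogtag's own code: a stdlib-only Python check over the crlDistPoints parameters of the profile posted above, flagging settings that conflict with RFC 5280 guidance (critical flag, https/ldaps CRL URIs) or that leave a counted point disabled or unnamed. `lint_crldp` and `SAMPLE` are hypothetical names, and the check assumes one CRL Distribution Points default per profile.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: the CRL DP parameters from the profile in the message above.
SAMPLE = """\
policyset.serverCertSet.9.default.class_id=crlDistributionPointsExtDefaultImpl
policyset.serverCertSet.9.default.params.crlDistPointsCritical=false
policyset.serverCertSet.9.default.params.crlDistPointsNum=1
policyset.serverCertSet.9.default.params.crlDistPointsEnable_0=true
policyset.serverCertSet.9.default.params.crlDistPointsPointName_0=http://example.com/ipa/crl/MasterCRL.bin
policyset.serverCertSet.9.default.params.crlDistPointsPointType_0=URIName
"""

# Matches policyset.<set>.<n>.default.params.crlDistPoints<Name>[_<i>]=<value>
PARAM = re.compile(r"^policyset\.\w+\.\d+\.default\.params\.(crlDistPoints\w+)=(.*)$")

def lint_crldp(profile_text):
    """Return a list of findings for the CRL Distribution Point parameters."""
    params = {}
    for line in profile_text.splitlines():
        m = PARAM.match(line.strip())
        if m:
            params[m.group(1)] = m.group(2).strip()
    if not params:
        return ["no crlDistPoints parameters found"]
    findings = []
    if params.get("crlDistPointsCritical", "false").lower() == "true":
        findings.append("extension is critical; RFC 5280 says it SHOULD be non-critical")
    num = params.get("crlDistPointsNum", "")
    if not num.isdigit():
        return findings + ["crlDistPointsNum is missing or not a number"]
    for i in range(int(num)):  # every counted point needs its indexed parameters
        if params.get(f"crlDistPointsEnable_{i}", "").lower() != "true":
            findings.append(f"point {i}: not enabled")
            continue
        ptype = params.get(f"crlDistPointsPointType_{i}", "")
        name = params.get(f"crlDistPointsPointName_{i}", "")
        if not name:
            findings.append(f"point {i}: PointName is empty")
        elif ptype == "URIName":
            url = urlsplit(name)
            if url.scheme in ("https", "ldaps"):
                findings.append(f"point {i}: {url.scheme} URI can create a circular "
                                "validation dependency (RFC 5280 section 8)")
            elif url.scheme not in ("http", "ldap"):
                findings.append(f"point {i}: unexpected URI scheme {url.scheme!r}")
            elif url.scheme == "http" and not url.hostname:
                findings.append(f"point {i}: http URI has no host")
    return findings
```

An empty list from `lint_crldp(SAMPLE)` means the posted parameters pass these checks; it does not confirm that the CRL is actually published at that URL.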