Bug 34285 - Include CRL Distribution Points in Certificates
Status: NEW
Product: UCS
Classification: Unclassified
Component: SSL
Version: UCS 4.2
Hardware: Other Linux
Importance: P5 enhancement with 2 votes
Assigned To: UCS maintainers
Reported: 2014-03-07 12:18 CET by Michael Grandjean
Modified: 2019-09-12 08:58 CEST (History)
What kind of report is it?: Feature Request
Enterprise Customer affected?: Yes
best: Patch_Available+


Attachments
Add crlDistributionPoints to certificates (902 bytes, patch)
2015-09-20 00:08 CEST, Michael Grandjean

Description Michael Grandjean univentionstaff 2014-03-07 12:18:09 CET
It is possible to include so-called "CRL distribution points" in Certificates. These contain an http or ldap URI pointing to the Certificate Revocation List (CRL):

https://www.openssl.org/docs/apps/x509v3_config.html#CRL_distribution_points_

Since we already provide the CRL via "http://<hostname>/ucsCA.crl" we should include this hint where to find the CRL also in the Certificate itself.
Comment 1 Michael Grandjean univentionstaff 2014-10-08 11:00:57 CEST
Requested again via Ticket#2014081121000159
Comment 2 Michael Grandjean univentionstaff 2014-11-07 21:20:51 CET
FYI: in the Baseline Requirements of the CA/Browser Forum, CRL distribution points are mandatory:

> cRLDistributionPoints
> This extension MUST be present and MUST NOT be marked critical. 
> It MUST contain the HTTP URL of the CA’s CRL service.

https://cabforum.org/baseline-requirements-documents/
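
The three requirements quoted in comment 2 (present, not critical, HTTP URL) can be checked on an issued certificate. The following is an added example, not part of the bug report or the attached patch: standard-library Python that searches DER bytes for the cRLDistributionPoints extension (OID 2.5.29.31) and reports findings. The sample bytes and the hostname `ucs.example.test` are constructed, and treating only `http://` URIs as "HTTP URL" is an assumption.

```python
CDP_OID = bytes.fromhex("0603551d1f")  # DER-encoded OID 2.5.29.31 (cRLDistributionPoints)
# Constructed sample: one non-critical Extension with a fullName URI (hostname is made up).
SAMPLE = (bytes.fromhex("3032") + CDP_OID + bytes.fromhex("042b30293027a025a0238621")
          + b"http://ucs.example.test/ucsCA.crl")

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end); assumes single-byte tags, as in X.509."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def walk(buf, start, end):
    """Yield (tag, value_start, value_end) for every element, depth first."""
    while start < end:
        tag, vs, ve = read_tlv(buf, start)
        yield tag, vs, ve
        if tag & 0x20:  # constructed: descend into the contents
            yield from walk(buf, vs, ve)
        start = ve

def find_cdp(der):
    """Return (critical, uris) or None; uris are the [6] URI names in the extension."""
    for tag, vs, ve in walk(der, 0, len(der)):
        if tag == 0x30 and der[vs:vs + 5] == CDP_OID:
            t, s, e = read_tlv(der, vs + 5)
            critical = t == 0x01 and der[s] != 0  # optional BOOLEAN, DEFAULT FALSE
            if t == 0x01:
                t, s, e = read_tlv(der, e)
            if t != 0x04:
                raise ValueError("extnValue OCTET STRING expected")
            return critical, [der[a:b].decode("ascii") for x, a, b in walk(der, s, e) if x == 0x86]
    return None

def audit(der):
    """Findings against the three requirements quoted in comment 2."""
    found = find_cdp(der)
    if found is None:
        return ["cRLDistributionPoints missing"]
    critical, uris = found
    problems = ["extension is marked critical"] if critical else []
    if not any(u.lower().startswith("http://") for u in uris):
        problems.append("no HTTP URL in extension")
    return problems

if __name__ == "__main__":
    print(audit(SAMPLE) or "cRLDistributionPoints OK")
```

`audit()` also accepts a complete DER-encoded certificate, since the walker descends through the outer structures until it reaches the extension.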
Comment 3 Michael Grandjean univentionstaff 2015-09-20 00:08:49 CEST
Created attachment 7178
Add crlDistributionPoints to certificates
Comment 4 Florian Best univentionstaff 2017-06-28 14:52:59 CEST
There is a Customer ID set so I set the flag "Enterprise Customer affected".