Univention Bugzilla – Bug 34285
Include CRL Distribution Points in Certificates
Last modified: 2020-07-03 20:55:52 CEST
It is possible to include so-called "CRL distribution points" in Certificates. These contain an http or ldap URI pointing to the Certificate Revocation List (CRL):
https://www.openssl.org/docs/apps/x509v3_config.html#CRL_distribution_points_

Since we already provide the CRL via "http://<hostname>/ucsCA.crl", we should also include this hint on where to find the CRL in the Certificate itself.
Requested again via Ticket#2014081121000159
FYI: in the Baseline Requirements of the CA/Browser Forum, CRL distribution points are mandatory:

> cRLDistributionPoints
> This extension MUST be present and MUST NOT be marked critical.
> It MUST contain the HTTP URL of the CA’s CRL service.

https://cabforum.org/baseline-requirements-documents/
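Added example, not part of the bug report or the attached patch: a shell script that signs a test certificate with `crlDistributionPoints` through an OpenSSL extension file and then checks the three conditions quoted above (present, not critical, HTTP URL). The throwaway CA, the `example.test` names, the CRL URL value and the function names are assumptions for illustration.

```shell
#!/bin/sh
# Constructed demo: throwaway CA and host names, not the real UCS CA.
# CRL_URL is an assumed stand-in for the page's http://<hostname>/ucsCA.crl.
CRL_URL="http://ca.example.test/ucsCA.crl"

make_ca_and_csr() {   # $1 = work dir
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo CA" \
        -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null &&
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=host.example.test" \
        -keyout "$1/host.key" -out "$1/host.csr" 2>/dev/null
}

# Sign the CSR, applying one x509v3 config line as the extension file.
sign_with_ext() {     # $1 = work dir, $2 = output name, $3 = config line
    printf '%s\n' "$3" > "$1/$2.cnf"
    openssl x509 -req -in "$1/host.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
        -set_serial 1 -days 1 -extfile "$1/$2.cnf" -out "$1/$2.pem" 2>/dev/null
}

# Print the HTTP CRL URL if the extension is present and non-critical.
check_crldp() {       # $1 = certificate file (PEM)
    text=$(openssl x509 -in "$1" -noout -text) || return 1
    # OpenSSL appends "critical" to the extension header when the flag is set.
    hdr=$(printf '%s\n' "$text" | grep 'X509v3 CRL Distribution Points') || {
        echo "crlDistributionPoints missing" >&2; return 1; }
    case $hdr in *critical*) echo "extension marked critical" >&2; return 1;; esac
    # Only look at lines indented deeper than the extension header (12 spaces).
    url=$(printf '%s\n' "$text" | awk '
        /X509v3 CRL Distribution Points/ { in_dp = 1; next }
        NF == 0 { next }
        in_dp { match($0, /^ */); if (RLENGTH <= 12) exit }
        in_dp && match($0, /URI:http:\/\/[^ ,]+/) {
            print substr($0, RSTART + 4, RLENGTH - 4); exit }')
    [ -n "$url" ] || { echo "no HTTP URL in extension" >&2; return 1; }
    printf '%s\n' "$url"
}

# Demo run: issue one certificate with the extension and check it.
work=$(mktemp -d) && make_ca_and_csr "$work" &&
    sign_with_ext "$work" host "crlDistributionPoints = URI:$CRL_URL" &&
    check_crldp "$work/host.pem"
rm -rf "$work"
```

`check_crldp` can also be pointed at any existing PEM certificate to confirm that it carries the extension.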
Created attachment 7178: Add crlDistributionPoints to certificates
There is a Customer ID set so I set the flag "Enterprise Customer affected".
This issue has been filed against UCS 4.2. UCS 4.2 is out of maintenance and many UCS components have changed in later releases. Thus, this issue is now being closed. If this issue still occurs in newer UCS versions, please use "Clone this bug" or reopen it and update the UCS version. In this case please provide detailed information on how this issue is affecting you.