Hi,
We also welcome feedback to our documentation:
https://access.redhat.com/documentation/en-us/red_hat_certificate_system/9/html-single/administration_guide/index#CRL_Distribution_Points_Extension_Default

thanks,
Christina

On Mon, Jun 17, 2019 at 6:40 AM Fraser Tweedale <ftweedal@redhat.com> wrote:
On Mon, Jun 17, 2019 at 12:30:22PM +0000, Goeman, Stefan wrote:
> Hello,
>
> Is it possible with the dogtag PKI to issue certificates have contain a CRL Distribution Point certificate extension?
> I would like to work with a CRL web server, instead of using OCSP.
>
> Much thanks in advance for your feedback!
>
> Greetings,
> Stefan Goeman
>
Hi Stefan,

Yes, Dogtag supports CRL Distribution Point extension.  Example
profile configuration:

policyset.serverCertSet.9.constraint.class_id=noConstraintImpl
policyset.serverCertSet.9.constraint.name=No Constraint
policyset.serverCertSet.9.default.class_id=crlDistributionPointsExtDefaultImpl
policyset.serverCertSet.9.default.name=CRL Distribution Points Extension Default
policyset.serverCertSet.9.default.params.crlDistPointsCritical=false
policyset.serverCertSet.9.default.params.crlDistPointsNum=1
policyset.serverCertSet.9.default.params.crlDistPointsEnable_0=true
policyset.serverCertSet.9.default.params.crlDistPointsIssuerName_0=CN=Certificate Authority,o=ipaca
policyset.serverCertSet.9.default.params.crlDistPointsIssuerType_0=DirectoryName
policyset.serverCertSet.9.default.params.crlDistPointsPointName_0=http://example.com/ipa/crl/MasterCRL.bin
policyset.serverCertSet.9.default.params.crlDistPointsPointType_0=URIName
policyset.serverCertSet.9.default.params.crlDistPointsReasons_0=

Hope that helps!
Fraser

_______________________________________________
Pki-users mailing list
Pki-users@redhat.com
https://www.redhat.com/mailman/listinfo/pki-users