CRL Distribution Points

A Certificate Revocation List Distribution Point (CRL DP) is a URL that hosts a downloadable CRL file listing the certificates revoked by a CA. CAs publish CRLs and refresh them periodically to keep them up to date.

The following types of certificates carry CRL DP information for the signing CA:
  • Intermediate CA certificate

  • CA-signed leaf level certificate

NOTE:

The CRL DP information found in a certificate is for the CA that has issued the certificate. Root CA certificates do not carry any revocation information.

To upload a CRL for a CA to HPE OneView, locate the CRL DP URL in any certificate signed by that CA. Download the CRL from that URL, edit the CA certificate, and then upload the CRL for the CA. An example is provided below:

  1. To locate the CRL DP for the pre-bundled Verisign Universal Root Certification Authority certificate, look for the CRL Distribution Points attribute in the certificate issued by this CA. In this case, look at the Symantec Class 3 Secure Server SHA256 SSL CA certificate that has been issued by the Verisign CA. This intermediate CA certificate contains the CRL DP for the Verisign CA certificate. The CRL DP is set to http://crl.ws.symantec.com/universal-root.crl.

  2. Download the CRL from http://crl.ws.symantec.com/universal-root.crl.

  3. Upload the CRL file against the Verisign Universal Root Certification Authority root CA using the edit option in the Settings > Security Certificates > Manage Certificates screen.
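
The same procedure can be scripted with OpenSSL. The following is an added example, not HPE OneView tooling: it reads the CRL DP out of an issued certificate and, as an extra check before step 3, confirms that the downloaded CRL is signed by the CA it will be uploaded for. The function names, the throwaway sample CA and the crl.example.test URL are constructed for illustration; OpenSSL 1.1.1 or later is assumed.

```shell
#!/bin/sh
# Added example (not HPE tooling). Assumes OpenSSL 1.1.1 or later on PATH.

# Step 1: print every CRL DP URL carried by a PEM certificate.
crl_dp_urls() {
    openssl x509 -in "$1" -noout -ext crlDistributionPoints 2>/dev/null |
        grep -o 'URI:[^[:space:]]*' | cut -d: -f2-
}

# Before step 3: succeed only if the CRL (DER or PEM) verifies against the
# CA certificate it is about to be uploaded for.
crl_signed_by() {   # $1 = CRL file, $2 = CA certificate (PEM)
    form=DER
    grep -q 'BEGIN X509 CRL' "$1" && form=PEM
    openssl crl -inform "$form" -in "$1" -CAfile "$2" -noout 2>&1 |
        grep -q 'verify OK'
}

# Constructed sample data so the example runs offline: a throwaway root CA,
# an intermediate whose CRL DP names that root's CRL, and the root's CRL.
make_sample() {     # $1 = empty work directory
    ( cd "$1" || exit 1
      openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj '/CN=Sample Root' \
          -keyout root.key -out root.pem 2>/dev/null
      openssl req -newkey rsa:2048 -nodes -subj '/CN=Sample Intermediate' \
          -keyout int.key -out int.csr 2>/dev/null
      printf 'crlDistributionPoints=URI:http://crl.example.test/sample-root.crl\n' > ext.cnf
      openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
          -days 2 -extfile ext.cnf -out int.pem 2>/dev/null
      : > index.txt
      printf '[ca]\ndefault_ca=c\n[c]\ndatabase=index.txt\ndefault_md=sha256\n' > ca.cnf
      openssl ca -gencrl -config ca.cnf -keyfile root.key -cert root.pem \
          -crldays 7 -out root.crl.pem 2>/dev/null
      openssl crl -in root.crl.pem -outform DER -out sample-root.crl )
}
```

Against real certificates, run `crl_dp_urls` on the intermediate CA certificate, download the URL it prints, and run `crl_signed_by` with the downloaded file and the root CA certificate before uploading.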