Freigeben über


3.2.1.4.1.3 Retrieving CRLs

The CA uses the cRLDistributionPoints extension (specified in [RFC3280] section 4.2.1.14) of the ParameterCertificate parameter to retrieve CRLs. The CA MUST be able to retrieve the CRLs that are published using HTTP [RFC2616] or LDAP [RFC2251]. The CA SHOULD NOT support retrieving CRLs that are published using FTP [RFC959].

Input parameter: None.

ParameterCertificate: The certificate for which the CRL needs to be retrieved.

Output parameter: None.

ParameterCRL: The retrieved CRL

Processing rules:

The CA MUST obtain the CRLs in the following manner:

If the cRLDistributionPoints extension has multiple DistributionPoints, retrieve the CRLs from the cRLDistributionPoints in the order in which they are encoded in the extension. For each DistributionPoint, obtain CRLs by using cRLDistributionPoints extension, as specified in [RFC3280] section 4.2.1.14, of the certificate passed in the ParameterCertificate parameter to retrieve CRLs as follows:

  1. If the URL in cRLDistributionPoints extension is an LDAP URL:

    1. The CA SHOULD follow the processing rules in section 3.2.1.4.1.3.1 for retrieving CRLs.

    2. If the retrieval attempt is successful from the current DistributionPoint, set the ParameterCRL output parameter to the retrieved CRL and exit.

    3. If the retrieval is not successful, move to the next DistributionPoints.

  2. If the URL in cRLDistributionPoints extension is an HTTP URL:

    1. The CA MUST initialize the CRL retrieval timer to 15 seconds.

    2. The CA MUST follow the processing rules in [RFC2616] for retrieval.

    3. If the retrieval attempt is successful from the current DistributionPoint, set the ParameterCRL output parameter to the retrieved CRL, cancel the CRL retrieval timer, and exit.

    4. If the retrieval is not successful, move to the next DistributionPoints component, cancel the CRL retrieval timer, and go to step 1.

    5. If the CRL retrieval timer times out before retrieving the CRL from the current DistributionPoint, move to the next DistributionPoint component of the cRLDistributionPoints extension.

  3. If all DistributionPoints components in cRLDistributionPoints extension have been examined, return empty as the ParameterCRL output parameter and exit.