Partager via


3.1.1.4.1 CRL Table Required Data Elements

If the CA maintains a CRL table, values for the following elements of the CRL table MUST be maintained:

CRL_Row_Id: Column name "CRLRowId". The unique identifier for the CRL in the table.

CRL_Name_Id: Column name "CRLNameId". The sequential number that indicates which CA key the CRL is for. For example, if a CA certificate has been renewed with a new key three times and the CA issues a CRL for each key, the CRL_Name_Id field can be used to distinguish each of the four issued CRLs.

CRL_Raw_CRL: Column name "CRLRawCRL". The CRL that was issued.

CRL_Min_Base: Column name "CRLMinBase". The CRL_Number of the CRL, complete for a given scope, that was used as the starting point in the generation of this delta CRL.

If the value is 0, the CRL is a base CRL.

If the value is not 0, the CRL is a delta CRL.

CRL_Publish_Status_Code: Column name "CRLPublishStatusCode". An informational field that identifies whether the CA was able to publish the CRL to locations external to the CA server.

If the CRL was published successfully, this field contains 0. Otherwise, the field contains the return code from the first CRL publishing location to which publishing failed, following the last publishing attempt for the CRL. Common error codes are as specified in section 2.2.5; other error values are specified in [MS-ERREF].

CRL_This_Publish: Column name "CRLThisPublish". The CERTTIME at which a CRL is first created and published.

CRL_Propagation_Complete: Column name "CRLPropagationComplete". The estimated CERTTIME when the CRL is expected to have propagated to all servers after publishing. This data element is updated when a CRL is created and is used when creating a delta CRL. The delta CRL is based on the last base CRL that completely propagated.

CRL_Number: Column name "CRLNumber". The sequential number that is incremented each time a new base CRL is created. If the CA creates a single base CRL for multiple CA keys, the CRLs for all the associated CA keys have the same CRL number.

CRL_Count: Column name "CRLCount". The count of CRL entries in the CRL.

CRL_This_Update: Column name "CRLThisUpdate". The CERTTIME that provides the value of the thisUpdate field of the CRL. This value is also used to restrict the selection of revoked certificates whose serial numbers will be included on a delta CRL as specified in section 3.1.4.1.6.

CRL_Next_Update: Column name "CRLNextUpdate". The CERTTIME that provides the value of the nextUpdate field of the CRL.

CRL_Next_Publish: Column name "CRLNextPublish". The CERTTIME that provides the value of the nextPublish extension of the CRL.

CRL_Publish_Flags: Column name "CRLPublishFlags". Additional CRL information that was sent to the PublishCRLs method or returned from attempts to publish CRLs.

For the CRL_Publish_Flags element, the following values are defined:

Flag

Value

CPF_BASE

0x1 – A base CRL.

CPF_DELTA

0x2 – A delta CRL.

CPF_COMPLETE

0x4 – The CRL published successfully.

CPF_MANUAL

0x40 – The caller who initiated the generation of the CRL (via the PublishCRLs method) was running as an interactive user and was not launched by a timer on the CA.

CPF_SHADOW

0x8 – A blank delta CRL with new delta CRL indicator extension (CRL_Min_Base value). When delta CRLs have just been disabled (Config_Delta_CRL_Validity_Period has just been set to 0), the CA publishes this type of CRL to force clients to retrieve a new base CRL.

CPF_BADURL_ERROR

0x20 – A URI that does not meet the format requirements specified in section 3.1.1.8 for Config_CA_CDP_Publish_To_Base and Config_CA_CDP_Publish_To_Delta was encountered during publishing of the CRL.

CPF_FILE_ERROR

0x200 – A file URI that does not meet the format requirements specified in section 3.1.1.8 for Config_CA_CDP_Publish_To_Base and Config_CA_CDP_Publish_To_Delta for a file location was encountered during publishing of the CRL, or the CA encountered an error trying to write the CRL to a file location.

CPF_HTTP_ERROR

0x800 – An HTTP URI was encountered during publishing of the CRL.

The Windows CA does not write to http:// locations, so any http:// CRL publish attempt will cause this flag.

CPF_FTP_ERROR

0x400 – An FTP URI was encountered during publishing of the CRL.

The Windows CA does not write to ftp:// locations, so any ftp:// CRL publish attempt will cause this flag.

CPF_LDAP_ERROR

0x100 –The CA encountered an error trying to write the CRL to an LDAP location.

CPF_POSTPONED_BASE_LDAP_ERROR

0x1000 – Postponed publishing a delta CRL due to a failure in publishing a base CRL to an ldap:/// location.

For example, the Microsoft CA sends this flag with a call to publish a delta CRL when the corresponding base CRL could not be published to an LDAP location because of an error.

CPF_POSTPONED_BASE_FILE_ERROR

0x2000 – Postponed publishing a delta CRL due to a failure in publishing a base CRL to a file:// location.

For example, the Microsoft CA sends this flag with a call to publish a delta CRL when the corresponding base CRL could not be published to a FILE location because of an error.

CPF_SIGNATURE_ERROR

0x80 – An error occurred when verifying the signature of the generated CRL prior to attempting to publish the CRL.

CPF_CASTORE_ERROR

0x10 – An error occurred when publishing the generated CRL to the default local registry location.