7.3.8.1.4. Setting up CRL partitioning for certificates issued through profiles
The configuration in this section demonstrates how to partition the CRL into the smaller subset used by the FileCrlRule defined above. The CRL is partitioned by the certificate enrollment profiles named in the profileList parameter; a comma-separated list selects multiple profiles (for example, the profiles defined in caCMCserverCertWithCRLDP.cfg and caCMCECserverCertWithCRLDP.cfg). Note that profileList takes the profile IDs, that is, the file names without the .cfg suffix, as in the configuration below. Because profileCertsOnly=true restricts this issuing point to those profiles, revocations of certificates issued through any other profile do not appear on this CRL and must be published by another issuing point (such as the default MasterCRL).
Add the following to the CA's CS.cfg:
ca.crl.ServerCertCRL.allowExtensions=true
ca.crl.ServerCertCRL.alwaysUpdate=false
ca.crl.ServerCertCRL.autoUpdateInterval=240
ca.crl.ServerCertCRL.caCertsOnly=false
ca.crl.ServerCertCRL.cacheUpdateInterval=15
ca.crl.ServerCertCRL.class=com.netscape.ca.CRLIssuingPoint
ca.crl.ServerCertCRL.dailyUpdates=1:00
ca.crl.ServerCertCRL.description=CA's Certificate Revocation List containing certificates issued via the caCMCserverCertWithCRLDP and caCMCECserverCertWithCRLDP enrollment profile
ca.crl.ServerCertCRL.enable=true
ca.crl.ServerCertCRL.enableCRLCache=false
ca.crl.ServerCertCRL.enableCRLUpdates=true
ca.crl.ServerCertCRL.enableCacheRecovery=true
ca.crl.ServerCertCRL.enableCacheTesting=false
ca.crl.ServerCertCRL.enableDailyUpdates=true
ca.crl.ServerCertCRL.enableUpdateInterval=true
ca.crl.ServerCertCRL.extendedNextUpdate=true
ca.crl.ServerCertCRL.extension.AuthorityInformationAccess.accessLocation0=""
ca.crl.ServerCertCRL.extension.AuthorityInformationAccess.accessLocationType0=URI
ca.crl.ServerCertCRL.extension.AuthorityInformationAccess.accessMethod0=caIssuers
ca.crl.ServerCertCRL.extension.AuthorityInformationAccess.class=com.netscape.cms.crl.CMSAuthInfoAccessExtension
ca.crl.ServerCertCRL.extension.AuthorityInformationAccess.critical=false
ca.crl.ServerCertCRL.extension.AuthorityInformationAccess.enable=false
ca.crl.ServerCertCRL.extension.AuthorityInformationAccess.numberOfAccessDescriptions=1
ca.crl.ServerCertCRL.extension.AuthorityInformationAccess.type=CRLExtension
ca.crl.ServerCertCRL.extension.AuthorityKeyIdentifier.class=com.netscape.cms.crl.CMSAuthorityKeyIdentifierExtension
ca.crl.ServerCertCRL.extension.AuthorityKeyIdentifier.critical=false
ca.crl.ServerCertCRL.extension.AuthorityKeyIdentifier.enable=false
ca.crl.ServerCertCRL.extension.AuthorityKeyIdentifier.type=CRLExtension
ca.crl.ServerCertCRL.extension.CRLNumber.class=com.netscape.cms.crl.CMSCRLNumberExtension
ca.crl.ServerCertCRL.extension.CRLNumber.critical=false
ca.crl.ServerCertCRL.extension.CRLNumber.enable=true
ca.crl.ServerCertCRL.extension.CRLNumber.type=CRLExtension
ca.crl.ServerCertCRL.extension.CRLReason.class=com.netscape.cms.crl.CMSCRLReasonExtension
ca.crl.ServerCertCRL.extension.CRLReason.critical=false
ca.crl.ServerCertCRL.extension.CRLReason.enable=true
ca.crl.ServerCertCRL.extension.CRLReason.type=CRLEntryExtension
ca.crl.ServerCertCRL.extension.DeltaCRLIndicator.class=com.netscape.cms.crl.CMSDeltaCRLIndicatorExtension
ca.crl.ServerCertCRL.extension.DeltaCRLIndicator.critical=true
ca.crl.ServerCertCRL.extension.DeltaCRLIndicator.enable=false
ca.crl.ServerCertCRL.extension.DeltaCRLIndicator.type=CRLExtension
ca.crl.ServerCertCRL.extension.FreshestCRL.class=com.netscape.cms.crl.CMSFreshestCRLExtension
ca.crl.ServerCertCRL.extension.FreshestCRL.critical=false
ca.crl.ServerCertCRL.extension.FreshestCRL.enable=false
ca.crl.ServerCertCRL.extension.FreshestCRL.numPoints=0
ca.crl.ServerCertCRL.extension.FreshestCRL.pointName0=""
ca.crl.ServerCertCRL.extension.FreshestCRL.pointType0=""
ca.crl.ServerCertCRL.extension.FreshestCRL.type=CRLExtension
ca.crl.ServerCertCRL.extension.InvalidityDate.class=com.netscape.cms.crl.CMSInvalidityDateExtension
ca.crl.ServerCertCRL.extension.InvalidityDate.critical=false
ca.crl.ServerCertCRL.extension.InvalidityDate.enable=true
ca.crl.ServerCertCRL.extension.InvalidityDate.type=CRLEntryExtension
ca.crl.ServerCertCRL.extension.IssuerAlternativeName.class=com.netscape.cms.crl.CMSIssuerAlternativeNameExtension
ca.crl.ServerCertCRL.extension.IssuerAlternativeName.critical=false
ca.crl.ServerCertCRL.extension.IssuerAlternativeName.enable=false
ca.crl.ServerCertCRL.extension.IssuerAlternativeName.name0=""
ca.crl.ServerCertCRL.extension.IssuerAlternativeName.nameType0=""
ca.crl.ServerCertCRL.extension.IssuerAlternativeName.numNames=0
ca.crl.ServerCertCRL.extension.IssuerAlternativeName.type=CRLExtension
ca.crl.ServerCertCRL.extension.IssuingDistributionPoint.class=com.netscape.cms.crl.CMSIssuingDistributionPointExtension
ca.crl.ServerCertCRL.extension.IssuingDistributionPoint.critical=true
ca.crl.ServerCertCRL.extension.IssuingDistributionPoint.enable=false
ca.crl.ServerCertCRL.extension.IssuingDistributionPoint.indirectCRL=false
ca.crl.ServerCertCRL.extension.IssuingDistributionPoint.onlyContainsCACerts=false
ca.crl.ServerCertCRL.extension.IssuingDistributionPoint.onlyContainsUserCerts=false
ca.crl.ServerCertCRL.extension.IssuingDistributionPoint.onlySomeReasons=""
ca.crl.ServerCertCRL.extension.IssuingDistributionPoint.pointName=
ca.crl.ServerCertCRL.extension.IssuingDistributionPoint.pointType=
ca.crl.ServerCertCRL.extension.IssuingDistributionPoint.type=CRLExtension
ca.crl.ServerCertCRL.includeExpiredCerts=false
ca.crl.ServerCertCRL.includeExpiredCertsOneExtraTime=false
ca.crl.ServerCertCRL.minUpdateInterval=0
ca.crl.ServerCertCRL.nextAsThisUpdateExtension=0
ca.crl.ServerCertCRL.nextUpdateGracePeriod=0
ca.crl.ServerCertCRL.profileCertsOnly=true
ca.crl.ServerCertCRL.profileList=caCMCserverCertWithCRLDP,caCMCECserverCertWithCRLDP
ca.crl.ServerCertCRL.publishOnStart=false
ca.crl.ServerCertCRL.saveMemory=false
ca.crl.ServerCertCRL.signingAlgorithm=SHA256withRSA
ca.crl.ServerCertCRL.updateSchema=1
Note
For an ECC CA, set the signing algorithm to SHA512withEC instead:
ca.crl.ServerCertCRL.signingAlgorithm=SHA512withEC
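As an added check after editing CS.cfg (example code written for this page, not part of Certificate System), the following Python script reads the flat ca.crl.<issuingPoint>.<key>=<value> properties, groups them per issuing point, and verifies the settings that make the partition work: the issuing point is enabled and uses the CRLIssuingPoint class, profileCertsOnly is true, profileList names the expected profile IDs (not .cfg file names), and the signing algorithm matches the CA key type (withRSA for an RSA CA, withEC for an ECC CA). The CS.cfg excerpt embedded in the script is constructed for the demonstration, and the MasterCRL entry and all function names are assumptions.

```python
"""Check a profile-partitioned CRL issuing point in a Certificate System CS.cfg.

Added example for this page; it is not Certificate System code.  It parses
the flat ``ca.crl.<issuingPoint>.<key>=<value>`` properties, groups them per
issuing point, and verifies the settings that make the partition work.
"""
from __future__ import annotations

import re
from collections import defaultdict

# Constructed CS.cfg excerpt (assumption): a default MasterCRL plus the
# ServerCertCRL issuing point from this section, reduced to the keys checked here.
SAMPLE_CS_CFG = """\
ca.crl.MasterCRL.class=com.netscape.ca.CRLIssuingPoint
ca.crl.MasterCRL.enable=true
ca.crl.MasterCRL.signingAlgorithm=SHA256withRSA
ca.crl.ServerCertCRL.class=com.netscape.ca.CRLIssuingPoint
ca.crl.ServerCertCRL.enable=true
ca.crl.ServerCertCRL.profileCertsOnly=true
ca.crl.ServerCertCRL.profileList=caCMCserverCertWithCRLDP,caCMCECserverCertWithCRLDP
ca.crl.ServerCertCRL.signingAlgorithm=SHA256withRSA
ca.crl.ServerCertCRL.extension.IssuingDistributionPoint.pointName=
"""

# ca.crl.<issuingPoint>.<key>=<value>; the key may itself contain dots.
_CRL_PROPERTY = re.compile(r"^ca\.crl\.([^.=]+)\.([^=]+)=(.*)$")
_ISSUING_POINT_CLASS = "com.netscape.ca.CRLIssuingPoint"


def parse_crl_points(cfg_text: str) -> dict[str, dict[str, str]]:
    """Group every ca.crl.* property by issuing point name."""
    points: dict[str, dict[str, str]] = defaultdict(dict)
    for raw in cfg_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = _CRL_PROPERTY.match(line)
        if match:
            point, key, value = match.groups()
            # CS.cfg writes empty strings as ""; normalise them to ''.
            points[point][key] = value.strip().strip('"')
    return dict(points)


def check_partition(points: dict[str, dict[str, str]], point: str,
                    expected_profiles: list[str], ca_key_type: str = "RSA") -> list[str]:
    """Return the list of problems found for one issuing point (empty list = OK)."""
    problems: list[str] = []
    cfg = points.get(point)
    if cfg is None:
        return [f"{point}: no ca.crl.{point}.* properties found"]
    if cfg.get("class") != _ISSUING_POINT_CLASS:
        problems.append(f"{point}: class must be {_ISSUING_POINT_CLASS}")
    if cfg.get("enable") != "true":
        problems.append(f"{point}: enable must be true")
    if cfg.get("profileCertsOnly") != "true":
        problems.append(f"{point}: profileCertsOnly must be true to partition by profile")
    listed = [p.strip() for p in cfg.get("profileList", "").split(",") if p.strip()]
    if not listed:
        problems.append(f"{point}: profileList is empty, so the CRL would list no certificates")
    for name in listed:
        if name.endswith(".cfg"):
            problems.append(f"{point}: profileList entry {name!r} must be the profile ID, not the file name")
    missing = sorted(set(expected_profiles) - set(listed))
    if missing:
        problems.append(f"{point}: profileList lacks {', '.join(missing)}")
    # The CRL signature must be produced with the CA's key type.
    alg = cfg.get("signingAlgorithm", "")
    wanted_suffix = "withEC" if ca_key_type == "EC" else "withRSA"
    if not alg.endswith(wanted_suffix):
        problems.append(f"{point}: signingAlgorithm {alg!r} should end in {wanted_suffix} "
                        f"for a {ca_key_type} CA (for example SHA512withEC or SHA256withRSA)")
    return problems


if __name__ == "__main__":
    pts = parse_crl_points(SAMPLE_CS_CFG)
    expected = ["caCMCserverCertWithCRLDP", "caCMCECserverCertWithCRLDP"]
    for issue in check_partition(pts, "ServerCertCRL", expected) or ["ServerCertCRL: OK"]:
        print(issue)
```

Run it against the real file with the path to the CA's CS.cfg substituted for the embedded sample; pass ca_key_type="EC" for an ECC CA so the SHA512withEC requirement from the note above is enforced.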