Uploaded image for project: 'EJBCA'
  1. EJBCA
  2. ECA-961

Partitioning of large CRLs by number of issued certificates



      Large CRLs present a challenge both to issue and to validate.

      RFC 3280 allows the partitioning of CRLs by "scope" (§5 - CRL and CRL Extensions Profile):

      Each CRL has a particular scope. The CRL scope is the set of
      certificates that could appear on a given CRL. For example, the
      scope could be "all certificates issued by CA X", "all CA
      certificates issued by CA X", "all certificates issued by CA X that
      have been revoked for reasons of key compromise and CA compromise",
      or could be a set of certificates based on arbitrary local
      information, such as "all certificates issued to the NIST employees
      located in Boulder".

      A very nice and useful feature to deal with large CRLs would be to allow the definition of a such a scope by "number of issued certificates". The key idea is to change the CRL distribution point (CDP) at each configurable X issued certificates. For each scoped CDP, a smaller CRL must be issued for the certificates within that scope.

      Example on Admin GUI:

      CRL Distribution Point (use X for any partition digits): http://www.myejbca.org/crl/ca-01-XXX.crl

      Use CRL partition: [x]
      By number of issued certificates: [x]
      Number of issued certificates: 25000

      Then, for the first 25000 certificate issued, EJBCA would set the CDP on the certificates as http://www.myejbca.org/crl/ca-01-001.crl, for the next 25000 CDP would be http://www.myejbca.org/crl/ca-01-002.crl and so on.

      According to RFC 3280, each of this partitions has its own numbering sequence, as defined in §5.2.3 - CRL Number:

      The CRL number is a non-critical CRL extension which conveys a
      monotonically increasing sequence number for a given CRL scope and
      CRL issuer. This extension allows users to easily determine when a
      particular CRL supersedes another CRL. CRL numbers also support the
      identification of complementary complete CRLs and delta CRLs. CRL
      issuers conforming to this profile MUST include this extension in all

      It is important to notice that a certificate can not move around partitions during its lifetime.




            nponte Nuno Ponte
            0 Vote for this issue
            4 Start watching this issue