Large CRLs present a challenge both to issue and to validate.
RFC 3280 allows the partitioning of CRLs by "scope" (§5 - CRL and CRL Extensions Profile):
Each CRL has a particular scope. The CRL scope is the set of
certificates that could appear on a given CRL. For example, the
scope could be "all certificates issued by CA X", "all CA
certificates issued by CA X", "all certificates issued by CA X that
have been revoked for reasons of key compromise and CA compromise",
or could be a set of certificates based on arbitrary local
information, such as "all certificates issued to the NIST employees
located in Boulder".
A very nice and useful feature for dealing with large CRLs would be to allow the definition of such a scope by "number of issued certificates". The key idea is to change the CRL distribution point (CDP) after every X issued certificates, where X is configurable. For each scoped CDP, a smaller CRL must be issued covering only the certificates within that scope.
Example on Admin GUI:
CRL Distribution Point (use X for any partition digits): http://www.myejbca.org/crl/ca-01-XXX.crl
Use CRL partition: [x]
By number of issued certificates: [x]
Number of issued certificates: 25000
Then, for the first 25000 certificates issued, EJBCA would set the CDP in the certificates to http://www.myejbca.org/crl/ca-01-001.crl, for the next 25000 the CDP would be http://www.myejbca.org/crl/ca-01-002.crl, and so on.
According to RFC 3280, each of these partitions has its own CRL numbering sequence, as defined in §5.2.3 - CRL Number:
The CRL number is a non-critical CRL extension which conveys a
monotonically increasing sequence number for a given CRL scope and
CRL issuer. This extension allows users to easily determine when a
particular CRL supersedes another CRL. CRL numbers also support the
identification of complementary complete CRLs and delta CRLs. CRL
issuers conforming to this profile MUST include this extension in all
It is important to notice that a certificate cannot move between partitions during its lifetime: the CDP written into the certificate at issuance is fixed, so the partition it belongs to is fixed as well.
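The following is an added illustration of the proposed scheme, not EJBCA code: it derives the partition from the issuance ordinal, fills the X placeholders of the CDP template from the example above, keeps an independent CRL number sequence per partition, and rejects a scoped CRL that lists a certificate from another partition. The class name and the ordinal-based bookkeeping are assumptions made for the example.

```python
import re
from dataclasses import dataclass, field

# Values taken from the feature request above
CDP_TEMPLATE = "http://www.myejbca.org/crl/ca-01-XXX.crl"
PARTITION_SIZE = 25000

def partition_for(issue_ordinal: int, size: int = PARTITION_SIZE) -> int:
    """1-based partition of the N-th certificate issued (N >= 1)."""
    if issue_ordinal < 1 or size < 1:
        raise ValueError("ordinal and partition size must be >= 1")
    return (issue_ordinal - 1) // size + 1

def cdp_url(template: str, partition: int) -> str:
    """Replace the run of X placeholders with the zero-padded partition number."""
    m = re.search(r"X+", template)
    if m is None:
        raise ValueError("template has no X placeholder")
    width = m.end() - m.start()
    if partition >= 10 ** width:
        raise ValueError(f"partition {partition} does not fit {width} digits")
    return template[:m.start()] + f"{partition:0{width}d}" + template[m.end():]

@dataclass
class PartitionedCrlIssuer:
    """Hypothetical CA state: per-partition CRL numbers and fixed certificate scope."""
    template: str = CDP_TEMPLATE
    size: int = PARTITION_SIZE
    issued: int = 0
    scope_of: dict = field(default_factory=dict)     # ordinal -> partition, set once
    crl_number: dict = field(default_factory=dict)   # partition -> last CRL number

    def issue_certificate(self) -> tuple:
        """Assign the next certificate to its partition; its CDP never changes later."""
        self.issued += 1
        part = partition_for(self.issued, self.size)
        self.scope_of[self.issued] = part
        return self.issued, cdp_url(self.template, part)

    def issue_crl(self, partition: int, revoked: list) -> dict:
        """Issue a scoped CRL; RFC 3280 gives each scope its own CRL number sequence."""
        out_of_scope = [o for o in revoked if self.scope_of.get(o) != partition]
        if out_of_scope:
            raise ValueError(f"certificates {out_of_scope} are not in partition {partition}")
        self.crl_number[partition] = self.crl_number.get(partition, 0) + 1
        return {"cdp": cdp_url(self.template, partition),
                "crl_number": self.crl_number[partition],
                "revoked": sorted(revoked)}
```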