Basic and standard CRL policies
The basic and standard CRL policies support the same fields and extensions.
The supported fields for these policies are as follows:
- OuterSigAlgID 1
- Signature 2
- Version
- InnerSigAlgID 3
- Issuer
- ThisUpdate
- NextUpdate
- RevokedCertificate
- UserCertificate
- RevocationDate
There are no supported CRLEntry extensions.
The supported CRL extensions for these policies are as follows. Where an entry is marked as "not supported", IBM MQ does not attempt to process extensions containing a field of that specific type, but does process other types of the same extension.
- AuthorityKeyID
- IssuerAltName
- CRLNumber
- IssuingDistributionPoint
- DistributionPoint
- DistributionPointName
- FullName (X.500 Name and LDAP Format URI only)
- NameRelativeToCRLIssuer (not supported)
- Reasons (ignored)
- CRLIssuer
- OnlyContainsUserCerts (not supported)
- OnlyContainsCACerts (not supported)
- OnlySomeReasons (not supported)
- IndirectCRL 4 (rejected)
Parent topic: Certificate validation and trust policy design on UNIX, Linux and Windows systems 1 This field is called signatureAlgorithm in RFC 5280.2 This field is called signatureValue in RFC 5280.3 This field is called signature in RFC 5280.4 IndirectCRL extensions will result in CRL validation failing. IndirectCRL extensions must not be used because they cause identified certificates to not be rejected.