Friday, July 22, 2011

RPKI CRLs

Each engine (an rpki instance that holds a certificate) is expected to maintain an up-to-date CRL, regenerated at regular intervals. The CRL lists the certificates (not the keys) the engine has revoked, for example because the product they covered expired or because of a security incident. Each certificate points at its parent's CRL through the X509v3 CRL Distribution Points extension: the parent is the entity that issued the certificate, so responsibility for revoking it lies with the parent, and the parent signs the CRL with the same key that signed the certificate. Note that a revoked certificate only has to stay on the CRL until one regularly scheduled CRL has been issued after the certificate's own validity period ended (RFC 5280, section 5); after that the entry may be dropped, so a serial number disappearing from a later CRL does not mean the certificate was reinstated.
An example CRL is shown below. The important fields:
  • Authority Key Identifier and Issuer point to the issuer (the certificate in the previous article). A relying party checks that the AKI matches the issuer certificate's Subject Key Identifier and that the issuer's public key verifies the CRL signature.
  • CRL Number, incremented with each issue, so that an old CRL cannot be served in place of a newer one.
  • Last Update and Next Update, the validity window of this issue; a CRL past its Next Update is stale and must be refreshed.
  • The serial number and revocation date of each revoked certificate.
Sample CRL
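To make the relationship between the certificate, its issuer and the CRL concrete, here is an added example (not code from the rpki engine or from this post) that builds a toy parent CA and child certificate with the `cryptography` library, issues two CRLs from the parent, and then performs the checks a relying party applies: signature, Issuer, AKI against the issuer's SKI, the Last/Next Update window, the CRL Number, and whether a given serial is listed. The CA names, the `rsync://` publication URI, serial numbers and dates are all constructed for the example.

```python
"""Issue and check an RPKI-style CRL. Added example; names, URI, serials and dates are made up."""
from datetime import datetime, timedelta, timezone

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import NameOID

# Hypothetical publication point for the parent's CRL (not a real repository).
PARENT_CRL_URI = "rsync://repo.example.net/rpki/parent/parent.crl"


def now_utc():
    # Naive UTC, second resolution: the form the x509 builders store.
    return datetime.now(timezone.utc).replace(tzinfo=None, microsecond=0)


def make_parent(name):
    """Self-signed CA; its key signs both child certificates and the CRL."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, name)])
    t = now_utc()
    cert = (x509.CertificateBuilder()
            .subject_name(subject).issuer_name(subject)
            .public_key(key.public_key()).serial_number(1)
            .not_valid_before(t - timedelta(minutes=5)).not_valid_after(t + timedelta(days=365))
            .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
            .add_extension(x509.SubjectKeyIdentifier.from_public_key(key.public_key()), critical=False)
            .sign(key, hashes.SHA256()))
    return key, cert


def issue_child(parent_key, parent_cert, name, serial):
    """Child certificate: AKI names the parent key, CRL DP names the parent's CRL."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    parent_ski = parent_cert.extensions.get_extension_for_class(x509.SubjectKeyIdentifier).value
    t = now_utc()
    return (x509.CertificateBuilder()
            .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, name)]))
            .issuer_name(parent_cert.subject)
            .public_key(key.public_key()).serial_number(serial)
            .not_valid_before(t - timedelta(minutes=5)).not_valid_after(t + timedelta(days=30))
            .add_extension(x509.AuthorityKeyIdentifier.from_issuer_subject_key_identifier(parent_ski),
                           critical=False)
            .add_extension(x509.CRLDistributionPoints([x509.DistributionPoint(
                full_name=[x509.UniformResourceIdentifier(PARENT_CRL_URI)],
                relative_name=None, reasons=None, crl_issuer=None)]), critical=False)
            .sign(parent_key, hashes.SHA256()))


def issue_crl(parent_key, parent_cert, crl_number, revoked, this_update, lifetime):
    """One CRL issue: CRL Number, AKI, thisUpdate/nextUpdate and the revoked (serial, date) pairs."""
    builder = (x509.CertificateRevocationListBuilder()
               .issuer_name(parent_cert.subject)
               .last_update(this_update).next_update(this_update + lifetime)
               .add_extension(x509.CRLNumber(crl_number), critical=False)
               .add_extension(x509.AuthorityKeyIdentifier.from_issuer_public_key(parent_key.public_key()),
                              critical=False))
    for serial, when in revoked:
        builder = builder.add_revoked_certificate(
            x509.RevokedCertificateBuilder().serial_number(serial).revocation_date(when).build())
    return builder.sign(parent_key, hashes.SHA256())


def crl_dp_uris(cert):
    """URIs named by the certificate's CRL Distribution Points extension."""
    dps = cert.extensions.get_extension_for_class(x509.CRLDistributionPoints).value
    return [n.value for dp in dps for n in (dp.full_name or [])
            if isinstance(n, x509.UniformResourceIdentifier)]


def _window(crl):
    # cryptography >= 42 exposes *_utc properties; older releases expose naive UTC values.
    try:
        return crl.last_update_utc.replace(tzinfo=None), crl.next_update_utc.replace(tzinfo=None)
    except AttributeError:
        return crl.last_update, crl.next_update


def check_crl(crl, issuer_cert, at):
    """Relying-party checks on a fetched CRL; returns the list of problems (empty means OK)."""
    problems = []
    if not crl.is_signature_valid(issuer_cert.public_key()):
        problems.append("signature does not verify under the issuer's key")
    if crl.issuer != issuer_cert.subject:
        problems.append("CRL Issuer differs from the issuing certificate's Subject")
    ski = issuer_cert.extensions.get_extension_for_class(x509.SubjectKeyIdentifier).value.digest
    aki = crl.extensions.get_extension_for_class(x509.AuthorityKeyIdentifier).value.key_identifier
    if aki != ski:
        problems.append("Authority Key Identifier does not match the issuer's Subject Key Identifier")
    last, nxt = _window(crl)
    if not (last <= at <= nxt):
        problems.append("outside the Last Update / Next Update window (stale or not yet valid)")
    return problems


def is_revoked(crl, cert):
    return crl.get_revoked_certificate_by_serial_number(cert.serial_number) is not None


def demo():
    """Worked run: CRL #1 lists nothing, CRL #2 revokes the child one hour later."""
    parent_key, parent_cert = make_parent("Parent CA")
    child = issue_child(parent_key, parent_cert, "Child", serial=0x2A)
    t = now_utc()
    crl1 = issue_crl(parent_key, parent_cert, 1, [], t, timedelta(hours=6))
    crl2 = issue_crl(parent_key, parent_cert, 2, [(child.serial_number, t + timedelta(hours=1))],
                     t + timedelta(hours=1), timedelta(hours=6))
    _, stranger = make_parent("Unrelated CA")   # a CRL must not verify under someone else's cert
    return {
        "child_points_at_parent_crl": crl_dp_uris(child) == [PARENT_CRL_URI],
        "crl1_problems": check_crl(crl1, parent_cert, t),
        "child_revoked_in_crl1": is_revoked(crl1, child),
        "crl2_number": crl2.extensions.get_extension_for_class(x509.CRLNumber).value.crl_number,
        "child_revoked_in_crl2": is_revoked(crl2, child),
        "crl2_stale_problems": check_crl(crl2, parent_cert, t + timedelta(days=1)),
        "crl2_wrong_issuer_problems": check_crl(crl2, stranger, t + timedelta(hours=2)),
    }


if __name__ == "__main__":
    print(demo())
```

The wrong-issuer case fails three of the checks at once (signature, Issuer name, AKI), which is the point of carrying the AKI in the CRL: a relying party that has several CA certificates cached can tell immediately which key a CRL claims to be signed by, and then confirm it with the signature check rather than trusting the name alone.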
