Manage CRL Profiles

A Certificate Revocation List (CRL) is a record of revoked certificates. Whenever a certificate is issued, it is only valid for a certain period of time, as determined by the Certification Authority. Typically, this period is one to two years. Whenever a certificate is presented for authentication, its validity period is checked against the current time to ensure that it has not expired.

The 'CRL Profiles' section allows administrators to create CRL profiles that officers can use to generate a Certificate Revocation List.

After logging in to emCA, go to the dashboard page and click on "Manage Profiles", then select "CRL Profiles" to view the following page.

New CRL Profile

To create a new profile, click on 'New Profile', which displays the CRL profile creation screen.

Please provide a unique and recognizable "Profile name" on the displayed page.

Please specify the number of days for the validity period, which will be used by the associated CRL profile.

The default value for the Custom CRL number field is set to 1. This field serves as a continuously increasing sequence number within a specific CRL scope, helping users track CRL successions.

Users can choose to enable automatic CRL generation and set the frequency in the designated field.

CRL Extensions

To select an extension in the 'CRL Extensions' section, click the 'Use' checkbox next to it. You can also mark any of the chosen extensions as 'Critical'. Below is a list of available extensions to choose from.

The "Issuer alternate name" extension (optional) allows additional identities to be associated with the issuer of the CRL.

The "Authority Information Access" extension (optional) contains information about the issuer of the certificate. This extension helps to fetch intermediate certificates from the issuing certification authority.

The "Delta CRL" extension (optional) contains all non-expired certificates that have been revoked since the last base CRL was published.

The Issuing Distribution Point (IDP) is a field in a Certificate Revocation List (CRL) profile that specifies the location where the CRL is published.

The "Authority Key Identifier" extension (mandatory) identifies the public key corresponding to the private key used to sign a certificate. It is selected by default as mandatory.
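
The following Python example is added here for illustration and is not part of emCA or its documentation. It models how a relying party might check the values a CRL profile fixes: the validity period in days, the increasing CRL number, the mandatory Authority Key Identifier and the 'Critical' flag on extensions. The names `CrlInfo`, `issue`, `check_crl` and `UNDERSTOOD` are hypothetical, and the sample CRLs are constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Extensions a hypothetical relying party can process (names as listed on this page).
UNDERSTOOD = {"Authority Key Identifier", "Issuing Distribution Point", "Delta CRL"}

@dataclass
class CrlInfo:
    """Fields a relying party reads from a CRL (hypothetical model, not emCA's)."""
    crl_number: int
    this_update: datetime
    next_update: datetime
    extensions: dict = field(default_factory=dict)  # extension name -> critical flag

def issue(profile_days, crl_number, issued_at, extensions):
    """Model the profile's validity period: nextUpdate = thisUpdate + validity days."""
    return CrlInfo(crl_number, issued_at, issued_at + timedelta(days=profile_days), extensions)

def check_crl(new, now, previous=None):
    """Return the reasons to reject `new`; an empty list means it is acceptable."""
    problems = []
    if now < new.this_update:
        problems.append("not yet valid")
    if now > new.next_update:
        problems.append("stale: nextUpdate has passed")
    if "Authority Key Identifier" not in new.extensions:
        problems.append("missing mandatory Authority Key Identifier")
    for name, critical in new.extensions.items():
        # A CRL with a critical extension the client cannot process must not be used.
        if critical and name not in UNDERSTOOD:
            problems.append(f"unrecognized critical extension: {name}")
    if previous is not None and new.crl_number <= previous.crl_number:
        problems.append("CRL number did not increase (older CRL presented again)")
    return problems

# Constructed sample data: a 7-day profile whose CRL number starts at 1.
T0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
AKI = {"Authority Key Identifier": False}
first = issue(7, 1, T0, AKI)
second = issue(7, 2, T0 + timedelta(days=7), AKI)

if __name__ == "__main__":
    print(check_crl(second, T0 + timedelta(days=8), previous=first))  # fresh successor
    print(check_crl(first, T0 + timedelta(days=8), previous=second))  # old CRL reused
```

Marking an extension as 'Critical' in the profile means clients that cannot process it will reject the whole CRL, so that flag should be set only for extensions every relying party supports.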

After selecting all the necessary details, click on "Proceed" to access the next page. You'll then need to authenticate the save action using your Administrator token. Once authenticated, press "Authenticate" and then click on "Confirm" to finalize the certificate profile.

Clicking 'View all' directs the Admin to 'CRL Profiles'. Clicking '+ New' leads to new certificate profile creation.

The profile for the generated certificate will be updated on the 'CRL Profiles' page.
