Field | Value
---|---
Version | V2 (1)
Issuer Signature Algorithm | Must match the issuer Signature Algorithm of the CA's certificate. One of the following: sha256WithRSAEncryption {1.2.840.113549.1.1.11}, ecdsa-with-SHA256 {1.2.840.10045.4.3.2}, ecdsa-with-SHA384 {1.2.840.10045.4.3.3}, ecdsa-with-SHA512 {1.2.840.10045.4.3.4}.
Issuer | Unique X.500 Issuing CA DN. The issuer name must be encoded exactly as it is encoded in the Issuer field of the certificates covered by this CRL, because relying parties match a CRL to a certificate by comparing these encoded names. PrintableString encoding should be used whenever possible for Issuer Distinguished Names.
Effective Date (thisUpdate) | Expressed in UTCTime for dates through the end of 2049 and GeneralizedTime for dates thereafter.
Next Update (nextUpdate) | Expressed in UTCTime for dates through the end of 2049 and GeneralizedTime for dates thereafter.
Revoked Certificates List | Zero or more 2-tuples of certificate serial number and revocation date. Each revocation date is expressed in UTCTime for dates through the end of 2049 and GeneralizedTime for dates thereafter.
Issuer's Signature | sha256WithRSAEncryption {1.2.840.113549.1.1.11} or ECDSA with the appropriate hash, matching the Issuer Signature Algorithm above.
CRL Extension | Required | Critical | Value
---|---|---|---
CRL Number | Mandatory | FALSE | Monotonically increasing integer (never repeated).
Authority Key Identifier | Mandatory | FALSE | Octet string (same as the Authority Key Identifier in certificates issued by the CA).
Issuing Distribution Point | Mandatory | TRUE | This extension appears in segmented CRLs. If the CRL covers all unexpired certificates issued by the CRL issuer (i.e., all unexpired certificates in which the Issuer DN field contains the same name as the Issuer DN field of the CRL), then this extension does not need to be included. Common and PIV-I prohibit the use of indirect CRLs or CRLs that do not cover all reason codes.
IDP field: onlyContainsUserCerts | Mandatory | (field of IDP) | If set to TRUE, this CRL covers only end entity certificates. (NOTE: If onlyContainsUserCerts is set to TRUE and the CRL covers all end entity certificates issued by the issuer of this CRL, then the distributionPoint field may be omitted.)
IDP field: onlyContainsCACerts | Mandatory | (field of IDP) | If set to TRUE, this CRL covers only CA certificates. If onlyContainsUserCerts is TRUE, this field must be FALSE. (NOTE: If onlyContainsCACerts is set to TRUE and the CRL covers all CA certificates issued by the issuer of this CRL, then the distributionPoint field may be omitted.)
IDP field: indirectCRL | Mandatory | (field of IDP) | This profile recommends against the use of indirect CRLs. However, if this CRL covers certificates that were not issued by the issuer of this CRL, then this field must be set to TRUE.
Freshest CRL | Mandatory | FALSE | If this is a complete-for-scope CRL, and delta CRLs are issued for the same scope, then either this CRL or the certificates that the CRL covers should include the FreshestCRL extension. When the FreshestCRL extension is used in a CRL, only the distributionPoint field is used. The reasons and cRLIssuer fields must be omitted.
Delta CRL Indicator | Mandatory | TRUE | This extension is included if and only if the CRL is a delta CRL. The BaseCRLNumber shall be identical to the value in the cRLNumber extension of the base CRL.
CRL Entry Extension | Required | Critical | Value
---|---|---|---
Reason Code | Optional | FALSE | Must be included when the reason is keyCompromise or cACompromise. Any one of these CRL reasons may be asserted: keyCompromise, cACompromise, affiliationChanged, superseded, cessationOfOperation. If the revocation reason is unspecified, the reasonCode extension should be omitted rather than asserting the value unspecified. The removeFromCRL reason code may only be used in delta CRLs. The use of certificateHold is discouraged; the certificateHold reason code may only be used for end entity certificates.
Invalidity Date | Optional | FALSE | This extension may be included if the invalidity date precedes the revocation date.

The worksheet itself marks only the Delta CRL Indicator as critical; the other values in the Critical columns follow RFC 5280 (sections 5.2 and 5.3), which requires issuingDistributionPoint and deltaCRLIndicator to be critical and cRLNumber, authorityKeyIdentifier, freshestCRL, reasonCode and invalidityDate to be non-critical. "Mandatory" means the extension must be present whenever the condition in its Value column applies.