
I need to store a Certificate Revocation List in LDAP server (OpenDJ). I have used ldapmodify command to store a certificate in the LDAP server by adding entries to LDIF files. However, I am not really sure how to go about adding a revocation list in the LDAP server.

Any examples using LDIF would be really appreciated.

sunsin1985
Well, you're going to add it to either a new entry or an existing entry of type `certificationAuthority`, `cRLDistributionPoint`, or `pkiCA`, and you're going to add it to a `certificateRevocationList` attribute. – user207421 Jul 22 '15 at 02:08

1 Answer

As EJP pointed out, there is a standard schema for CRLs.
Just one thing: LDAP doesn't have a specific syntax for CRLs or certificates.
The CRL needs to be treated as an opaque blob, and you will need to use the `;binary` transfer option when creating, updating or retrieving the attribute.
In LDIF, it's as simple as:

    certificateRevocationList;binary:: BASE64_Encoding of CRL

Ludovic Poitou
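An added example (not from the answer above) that builds the LDIF the answer describes: it takes a CRL as DER or PEM, strips PEM armour so only the raw blob is base64-encoded, folds the long `::` line at 76 characters as RFC 2849 requires, and emits either a new `cRLDistributionPoint` entry (RFC 4523 requires `cn`) or a `replace` on an existing entry. The DN and the CRL bytes are constructed placeholders.

```python
import base64
import re

LDIF_MAX_LINE = 76  # RFC 2849 folds long lines at 76 characters

def crl_to_der(data: bytes) -> bytes:
    """Return the raw DER CRL. Accepts DER or PEM: the server stores an opaque
    blob, so PEM armour must be removed before base64-encoding it for LDIF."""
    if data.lstrip().startswith(b"-----BEGIN"):
        m = re.search(rb"-----BEGIN X509 CRL-----(.*?)-----END X509 CRL-----", data, re.S)
        if not m:
            raise ValueError("PEM input is not an X509 CRL")
        data = base64.b64decode(b"".join(m.group(1).split()))
    if not data or data[0] != 0x30:  # a DER CRL is an ASN.1 SEQUENCE (tag 0x30)
        raise ValueError("input does not look like a DER-encoded CRL")
    return data

def fold_ldif_line(line: str) -> str:
    """Fold one logical LDIF line; continuation lines begin with one space."""
    if len(line) <= LDIF_MAX_LINE:
        return line
    parts = [line[:LDIF_MAX_LINE]]
    rest = line[LDIF_MAX_LINE:]
    while rest:
        parts.append(" " + rest[:LDIF_MAX_LINE - 1])
        rest = rest[LDIF_MAX_LINE - 1:]
    return "\n".join(parts)

def crl_ldif(dn: str, crl: bytes, new_entry: bool = False) -> str:
    """LDIF change record storing the CRL in certificateRevocationList;binary.
    new_entry=True adds a cRLDistributionPoint entry (cn taken from the RDN,
    which is assumed to be cn=...); otherwise the attribute is replaced."""
    attr_line = fold_ldif_line(
        "certificateRevocationList;binary:: "
        + base64.b64encode(crl_to_der(crl)).decode("ascii"))
    if new_entry:
        cn = dn.split(",")[0].split("=", 1)[1]
        lines = ["dn: " + dn, "changetype: add", "objectClass: top",
                 "objectClass: cRLDistributionPoint", "cn: " + cn, attr_line]
    else:
        lines = ["dn: " + dn, "changetype: modify",
                 "replace: certificateRevocationList;binary", attr_line, "-"]
    return "\n".join(lines) + "\n"

# Constructed placeholder bytes standing in for a DER CRL (read a real one from a file)
SAMPLE_DER = b"\x30\x82\x01\x00" + bytes(range(256))
SAMPLE_PEM = (b"-----BEGIN X509 CRL-----\n"
              + base64.encodebytes(SAMPLE_DER) + b"-----END X509 CRL-----\n")
```

Write the returned text to a file and feed it to `ldapmodify`; feeding PEM text straight into the base64 value is the usual mistake this guards against.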