KB Article #176156

Merging Partitioned CRLs from LDAP in VA

Problem

-- How can you configure VA to merge partitioned CRLs from LDAP?

Resolution


* VA can merge partitioned CRLs from LDAP only when the CRL objects are nested under a common parent object, Entrust style. When adding the CRL from LDAP, the "Include Partitioned CRLs" option must be selected.
 

VA performs the following LDAP related processing:
 
1. Discover the partitioned CRLs for a given CA.  The query retrieves the entries under the specified distinguished name that satisfy the search criteria described in the table below:

Parameter    Description                                        Value
base         Distinguished name of the search base              example: cn=SubCA,ou=CA,o=nhs
scope        Scope of the search                                LDAP_SCOPE_SUBTREE (0x0002)
filter       Filter to apply                                    (objectclass=cRLDistributionPoint)
attributes   Attribute types to return from matching entries    certificateRevocationList, certificateRevocationList;binary


2. From the query results, a list of LDAP URLs is built, one per matching entry, each pointing at that entry's CRL attribute.  For example: "cn=CRL1,cn=SubCA,ou=CA,o=nhs?certificateRevocationList;binary"
 
3. Each of the URLs is then used in another LDAP query to retrieve the partitioned CRL data, which is then aggregated into a single CRL.

Please note that no validation is performed to ensure that the CRLs being fetched are actually partitioned CRLs carrying an issuing distribution point (IDP) extension.  The processing assumes that only partitioned CRLs were uploaded into LDAP.  If any entry within the DN subtree has object class cRLDistributionPoint and a certificateRevocationList attribute holding a full CRL, that CRL is fetched and merged like any other partition.  In practice this means the search base should be as narrow as possible and write access beneath it restricted, because everything found there ends up in the merged CRL.
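The three steps above, worked through in Go as an added example (this is not VA's or Entrust's code). The LDAP server is replaced by an in-memory map of DN to attributes, constructed inline, so the program runs offline; the tree it builds matches the article's example (cn=SubCA,ou=CA,o=nhs with cn=CRL1 and cn=CRL2 partitions) plus one full CRL dropped into the same subtree. The URL shape "dn?certificateRevocationList;binary" is taken from the article; RFC 4516 percent-encoding is left out. The example also adds two checks the article says VA does not make: the CRL must verify against the issuing CA, and, when `requireIDP` is set, it must carry a critical IssuingDistributionPoint. Putting the IDP's distribution point in URI form, and the function and type names, are this example's own choices; keys, the CA certificate and the CRLs are generated at run time.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"sort"
	"strings"
	"time"
)

// Directory is a constructed stand-in for the LDAP server: DN -> single-valued attributes.
type Directory map[string]map[string][]byte

const crlAttr = "certificateRevocationList;binary"

var oidIDP = asn1.ObjectIdentifier{2, 5, 29, 28} // id-ce-issuingDistributionPoint

// Steps 1 and 2: subtree search below base for objectclass=cRLDistributionPoint entries
// carrying the CRL attribute, then one "dn?attribute" URL per hit (RFC 4516 escaping omitted).
func discoverCRLURLs(dir Directory, base string) []string {
	var urls []string
	for dn, attrs := range dir {
		inSubtree := dn == base || strings.HasSuffix(dn, ","+base)
		if inSubtree && attrs[crlAttr] != nil && strings.EqualFold(string(attrs["objectClass"]), "cRLDistributionPoint") {
			urls = append(urls, dn+"?"+crlAttr)
		}
	}
	sort.Strings(urls) // map iteration order is random; sort for stable output
	return urls
}

// mergePartitionedCRLs is step 3: fetch each URL and aggregate the revoked serials.
// requireIDP adds the check the article says VA does not perform: a CRL without a critical
// IssuingDistributionPoint is a full CRL, not a partition, and is reported instead of merged.
// A CRL that does not verify against the issuing CA is rejected in either mode.
func mergePartitionedCRLs(dir Directory, base string, issuer *x509.Certificate, requireIDP bool) ([]string, []string, error) {
	seen, rejected := map[string]bool{}, []string(nil)
	for _, u := range discoverCRLURLs(dir, base) {
		dn, attr, _ := strings.Cut(u, "?") // the URL names the entry and the attribute to read
		crl, err := x509.ParseRevocationList(dir[dn][attr])
		if err != nil { return nil, nil, fmt.Errorf("%s: %w", u, err) }
		hasIDP := false
		for _, ext := range crl.Extensions { hasIDP = hasIDP || (ext.Critical && ext.Id.Equal(oidIDP)) }
		if crl.CheckSignatureFrom(issuer) != nil || (requireIDP && !hasIDP) {
			rejected = append(rejected, u)
			continue
		}
		for _, rc := range crl.RevokedCertificates { // still populated on Go >= 1.21 next to RevokedCertificateEntries
			seen[rc.SerialNumber.String()] = true // a serial listed in two CRLs is kept once
		}
	}
	var merged []string
	for s := range seen { merged = append(merged, s) }
	sort.Strings(merged)
	return merged, rejected, nil
}

// idpExtension encodes IssuingDistributionPoint { distributionPoint [0] { fullName [0]
// { uniformResourceIdentifier [6] } } } naming the partition's own LDAP URL (example's choice;
// a directoryName form is equally valid).
func idpExtension(ldapURL string) (pkix.Extension, error) {
	b, err := asn1.Marshal(asn1.RawValue{Class: asn1.ClassContextSpecific, Tag: 6, Bytes: []byte(ldapURL)})
	for _, t := range [][2]int{{asn1.ClassContextSpecific, 0}, {asn1.ClassContextSpecific, 0}, {asn1.ClassUniversal, asn1.TagSequence}} {
		if err == nil { b, err = asn1.Marshal(asn1.RawValue{Class: t[0], Tag: t[1], IsCompound: true, Bytes: b}) }
	}
	return pkix.Extension{Id: oidIDP, Critical: true, Value: b}, err
}

// buildDirectory constructs the sample tree: the CA entry, two partitioned CRLs with IDPs,
// and one full CRL without an IDP that was dropped into the same subtree.
func buildDirectory() (Directory, *x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { return nil, nil, err }
	now := time.Now()
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "SubCA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour), IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
	caDER, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil { return nil, nil, err }
	ca, err := x509.ParseCertificate(caDER) // the parsed cert carries the SubjectKeyId CreateRevocationList needs
	if err != nil { return nil, nil, err }
	base := "cn=SubCA,ou=CA,o=nhs"
	dir := Directory{base: {"objectClass": []byte("pkiCA")}}
	add := func(rdn string, num int64, serials []int64, withIDP bool) error {
		dn := rdn + "," + base
		crl := &x509.RevocationList{Number: big.NewInt(num), ThisUpdate: now.Add(-time.Minute), NextUpdate: now.Add(time.Hour)}
		for _, s := range serials {
			crl.RevokedCertificates = append(crl.RevokedCertificates, pkix.RevokedCertificate{SerialNumber: big.NewInt(s), RevocationTime: now})
		}
		if withIDP {
			ext, err := idpExtension("ldap:///" + dn + "?" + crlAttr)
			if err != nil { return err }
			crl.ExtraExtensions = []pkix.Extension{ext}
		}
		der, err := x509.CreateRevocationList(rand.Reader, crl, ca, key)
		if err != nil { return err }
		dir[dn] = map[string][]byte{"objectClass": []byte("cRLDistributionPoint"), crlAttr: der}
		return nil
	}
	if err := add("cn=CRL1", 1, []int64{1001}, true); err != nil { return nil, nil, err }
	if err := add("cn=CRL2", 2, []int64{1002, 1003}, true); err != nil { return nil, nil, err }
	if err := add("cn=FullCRL", 3, []int64{1001, 1002, 1003, 1004}, false); err != nil { return nil, nil, err }
	return dir, ca, nil
}

func main() {
	dir, ca, err := buildDirectory()
	if err != nil { panic(err) }
	fmt.Println(mergePartitionedCRLs(dir, "cn=SubCA,ou=CA,o=nhs", ca, false)) // VA's behaviour: the full CRL is merged too
	fmt.Println(mergePartitionedCRLs(dir, "cn=SubCA,ou=CA,o=nhs", ca, true))  // with the IDP check: the full CRL is rejected
}
```

Run with `go run` and compare the two lines: without the IDP check the merged list picks up serial 1004, which exists only in the full CRL that was never meant to be a partition; with it, cn=FullCRL is reported in the rejected list instead. The signature check matters independently of the IDP question: an LDAP entry anyone can write to under the search base would otherwise let an attacker add or, by shadowing, effectively remove revocations from the merged result.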