Datasheet

“main” (Installation and Administration) 2004/6/25 13:29 page 630 #656
The system administers precisely one CRL for every CA. To create or update this CRL, first enter the required CA, as described in Section 26.1.2 on page 626, and click ‘CRL...’. The following dialog then displays a summary of the last CRL of this CA. If you have revoked new sub-CAs or certificates since its creation, create a new CRL so that this information is added to the CRL. To create or update the CRL, select ‘Create CRL’. Then specify the period of validity for the new CRL (default: 30 days). Click ‘OK’ for the CRL to be created and displayed. Afterwards, you must publish this CRL.
Note: Applications that evaluate CRLs reject certificates whose CRL has lapsed. As a PKI provider, it is your duty always to create and publish a new CRL before the current CRL reaches the end of its period of validity. YaST does not provide a function for automating this procedure at present.
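Because YaST does not automate CRL renewal, an administrator needs a way to notice an approaching nextUpdate. The following shell script is an added example, not part of the SUSE manual: it assumes the openssl CLI and GNU date (date -d), and builds a throwaway CA with the manual's 30-day default purely so the check can be exercised offline; all file names are made up.

```shell
#!/bin/sh
# Added example, not from the SUSE manual: warn before a CA's CRL lapses,
# the renewal step that YaST leaves to the PKI provider.
# Assumes the openssl CLI and GNU date (date -d); all file names are made up.

# Whole days until the CRL in file $1 reaches its nextUpdate (negative if passed).
crl_days_remaining() {
    next=$(openssl crl -noout -nextupdate -in "$1" | sed 's/^nextUpdate=//')
    next_epoch=$(date -u -d "$next" +%s)
    now_epoch=$(date -u +%s)
    echo $(( (next_epoch - now_epoch) / 86400 ))
}

# Return 0 while more than $2 days remain, 1 otherwise; suitable for cron or
# a monitoring probe so that a fresh CRL is created and published in time.
crl_check() {
    days=$(crl_days_remaining "$1")
    if [ "$days" -gt "$2" ]; then
        echo "OK: $1 still valid for $days day(s)"
        return 0
    fi
    echo "WARNING: $1 lapses in $days day(s); create and publish a new CRL now"
    return 1
}

# Constructed demo data: a throwaway CA and a CRL with the manual's 30-day
# default validity, so the check can run offline. Prints the CRL path.
make_demo_crl() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=Demo CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" >/dev/null 2>&1
    : > "$dir/index.txt"          # empty CA database: nothing revoked yet
    echo 01 > "$dir/crlnumber"
    printf '[ca]\ndefault_ca = d\n[d]\ndatabase = %s/index.txt\ncrlnumber = %s/crlnumber\ndefault_md = sha256\n' \
        "$dir" "$dir" > "$dir/ca.cnf"
    openssl ca -config "$dir/ca.cnf" -gencrl -keyfile "$dir/ca.key" \
        -cert "$dir/ca.crt" -crldays 30 -out "$dir/ca.crl" >/dev/null 2>&1
    echo "$dir/ca.crl"
}

demo_dir=$(mktemp -d)
demo_crl=$(make_demo_crl "$demo_dir")
crl_check "$demo_crl" 7           # warn when a week or less is left
rm -rf "$demo_dir"
```

Point crl_check at the CRL you actually publish and pick a threshold that leaves time to create and publish the replacement in YaST.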
Exporting CA Objects to LDAP
For LDAP export, the computer running YaST should be configured with the YaST LDAP client. This supplies the LDAP server information at runtime, which is used to fill in the dialog fields. Without it, export may still be possible, but all LDAP data must be entered manually. You must always enter several passwords (see Table 26.3).
Table 26.3: Passwords during LDAP Export

Password                  Meaning
LDAP Password             This password authorizes the user to make entries
                          in the LDAP tree.
Certificate Password      This password authorizes the user to export the
                          certificate.
New Certificate Password  The PKCS12 format is used during LDAP export. This
                          format forces the assignment of a new password for
                          the exported certificate.
Certificates, CAs, and CRLs can be exported to LDAP.
630 26.1. X.509 Certification with YaST