Introduction to CRL Extensions
Netscape Certificate Management System Plug-ins Guide • October 2001

• A flag or boolean field called critical.
  The true or false value assigned to this field indicates whether the extension is critical (true) or noncritical (false) to the CRL.
    ◦ If the extension is critical and the CRL is sent to an application that does not understand the extension (based on the extension’s ID), the application must reject the CRL.
    ◦ If the extension is not critical and the CRL is sent to an application that does not understand the extension (based on the extension’s ID), the application can ignore the extension and accept the CRL.
• An octet string containing the DER encoding of the value of the extension.

Typically, the application receiving the CRL checks the extension ID to determine if it can recognize the ID. If it can, it uses the extension ID to determine the type of value used.

Sample CRL and CRL Entry Extensions

The following is an example of the section of a CRL containing X.509 v2 extensions. (Certificate Management System can display CRLs in human-readable format, as shown here.) As shown in the example, CRL extensions appear in sequence and only one instance of a particular extension may appear in a particular CRL; for example, a CRL may contain only one authority key identifier extension. However, CRL-entry extensions appear in appropriate entries in the CRL.

    Certificate Revocation List:
        Data:
            Version: v2
            ...
            Extensions:
                Identifier: Authority Key Identifier
                    Critical: no
                    Key Identifier:
                        2c:22:c6:ae:4e:4b:91:c7:fb:4c:cc:ae:84:e8:aa:5b:46:6a:a0:ad
            Extensions:
                Identifier: Revocation Reason - 2.5.29.21
                    Critical: no
                    Reason: Key_Compromise
            Serial Number: 0x12
            Revocation Date: Tuesday, December 15, 1998 5:20:42 AM
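
The critical-flag rule and the one-instance-per-CRL rule described above can be enforced by a relying application as in the following added example, which is not code from the guide or from Certificate Management System. The function names, the sample byte strings and the OID 1.2.3.4 are assumptions made for illustration, and the reader handles short-form DER lengths only.

```python
BOOLEAN, OCTET_STRING, OID, SEQUENCE = 0x01, 0x04, 0x06, 0x30

def read_tlv(buf, pos):
    """Return (tag, value, next_pos); short-form lengths only."""
    if pos + 2 > len(buf) or buf[pos + 1] & 0x80 or pos + 2 + buf[pos + 1] > len(buf):
        raise ValueError("truncated, long-form or overrunning element")
    end = pos + 2 + buf[pos + 1]
    return buf[pos], buf[pos + 2:end], end

def decode_oid(body):  # OID content octets -> dotted-decimal string
    arcs, value = [], 0
    for byte in body:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:
            arcs, value = arcs + [value], 0
    if not arcs or body[-1] & 0x80:
        raise ValueError("malformed OID")
    first = min(arcs[0] // 40, 2)
    return ".".join(map(str, [first, arcs[0] - 40 * first] + arcs[1:]))

def parse_extension(der):
    """Extension ::= SEQUENCE { extnID, critical DEFAULT FALSE, extnValue }."""
    tag, body, end = read_tlv(der, 0)
    if tag != SEQUENCE or end != len(der):
        raise ValueError("expected exactly one Extension SEQUENCE")
    id_tag, oid_body, pos = read_tlv(body, 0)
    tag, value, pos = read_tlv(body, pos)
    critical = tag == BOOLEAN and value != b"\x00"  # absent means noncritical
    if tag == BOOLEAN:
        tag, value, pos = read_tlv(body, pos)
    if id_tag != OID or tag != OCTET_STRING or pos != len(body):
        raise ValueError("malformed Extension fields")
    return decode_oid(oid_body), critical, value

def evaluate_crl(extensions, understood):
    """Return ("reject", [oid]) or ("accept", [ignored oids])."""
    seen, ignored = set(), []
    for oid, critical, _ in map(parse_extension, extensions):
        if oid in seen or (critical and oid not in understood):
            return "reject", [oid]  # duplicate, or unknown and critical
        seen.add(oid)
        if oid not in understood:
            ignored.append(oid)  # unknown but noncritical: safe to skip
    return "accept", ignored

# Constructed samples (not from the guide): noncritical reasonCode 2.5.29.21 with
# keyCompromise, and a critical extension under the placeholder OID 1.2.3.4.
REASON_CODE = bytes.fromhex("300a0603551d1504030a0101")
UNKNOWN_CRITICAL = bytes.fromhex("300c06032a03040101ff04020500")
```

Pass each extension list separately (the CRL-level list, then each entry's list), since the one-instance rule applies within a list.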