Publishing of CRLs
612 Netscape Certificate Management System Installation and Setup Guide • October 2001

Manager is configured to do so. In addition to certificates, the Certificate Manager also maintains a CRL in its internal database. You can configure the Certificate Manager to generate the CRL every time a certificate is revoked and at periodic intervals.

You can also configure the Certificate Manager to generate and publish CRLs conforming to X.509 (either version 1 or version 2) standards by enabling or disabling the CRL extension-specific modules in the server’s configuration. Note that the server supports standard CRL extensions that are explained in Chapter 7, “CRL Extension Plug-in Modules” of CMS Plug-ins Guide.

For instructions on how to configure a Certificate Manager to publish CRLs, see “Configuring a Certificate Manager to Publish Certificates and CRLs” on page 615.

Reasons for Revoking a Certificate

A Certificate Manager can revoke any certificate it has issued. A certificate needs to be revoked if one or more of the following situations occur:

• The owner of the certificate has changed status and no longer has the right to use the certificate.
• The private key of a certificate owner has been compromised.
• The certificate owner doesn’t want to use the certificate.
• The private key of the CA that issued the certificate has been compromised.

A certificate can be revoked by administrators, agents, and end entities, such as end users and individual server administrators. Agents and administrators (with agent privileges) can revoke certificates by using the forms provided in the agent interface. Administrators, agents, and end users can revoke certificates by using the forms provided in the Revocation tab of the end-entity interface. Note that end users can revoke only their own certificates, whereas agents and administrators can revoke any certificates issued by the server. End users are also required to authenticate to the server in order to revoke their certificate; see “Authentication of End Users During Certificate Revocation” on page 517.

Whenever a certificate is revoked, the Certificate Manager updates the status of the certificate in its internal database. This way, the server keeps track of all revoked certificates in its internal database and it makes the revoked list of certificates public (by publishing it to a central repository) to notify other users that the certificates in the list are no longer valid.
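
The following added example (not part of this guide and not CMS code) shows how a relying party can use a published CRL: it verifies the CA's signature, rejects a stale list, and looks up a certificate's serial number and revocation reason. It assumes the third-party Python "cryptography" package; the CA name, key, serial numbers and the build_crl stand-in for the CA side are constructed for illustration.

```python
# Added example: relying-party check of a published CRL.
# Assumes the third-party "cryptography" package; all names and values are constructed.
import datetime
from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

ISSUER = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Constructed Demo CA")])

def utcnow():
    # Naive UTC timestamp at one-second resolution, matching CRL time encoding.
    return datetime.datetime.now(datetime.timezone.utc).replace(tzinfo=None, microsecond=0)

def build_crl(ca_key, revoked, now, valid_for=datetime.timedelta(days=1)):
    """Stand-in for the CA side: sign a CRL listing (serial, reason) pairs."""
    builder = (x509.CertificateRevocationListBuilder()
               .issuer_name(ISSUER).last_update(now).next_update(now + valid_for))
    for serial, reason in revoked:
        entry = (x509.RevokedCertificateBuilder()
                 .serial_number(serial).revocation_date(now)
                 .add_extension(x509.CRLReason(reason), critical=False)
                 .build())
        builder = builder.add_revoked_certificate(entry)
    crl = builder.sign(ca_key, hashes.SHA256())
    return crl.public_bytes(serialization.Encoding.DER)

def check_status(crl_der, ca_public_key, serial, now):
    """Return 'good' or 'revoked:<reason>'; raise if the CRL cannot be trusted."""
    crl = x509.load_der_x509_crl(crl_der)
    if crl.issuer != ISSUER or not crl.is_signature_valid(ca_public_key):
        raise ValueError("CRL not signed by the expected CA")
    if crl.next_update is None or crl.next_update < now:
        raise ValueError("CRL is stale; fetch a fresh one before deciding")
    entry = crl.get_revoked_certificate_by_serial_number(serial)
    if entry is None:
        return "good"
    try:
        reason = entry.extensions.get_extension_for_class(x509.CRLReason).value.reason
    except x509.ExtensionNotFound:
        return "revoked:unspecified"  # entry carries no reason-code extension
    return "revoked:" + reason.value

if __name__ == "__main__":
    key, now = ec.generate_private_key(ec.SECP256R1()), utcnow()
    der = build_crl(key, [(0x1001, x509.ReasonFlags.key_compromise)], now)
    for serial in (0x1001, 0x1002):
        print(hex(serial), check_status(der, key.public_key(), serial, now))
```

A serial that is absent from the list is reported as good only for a CRL that is both correctly signed and still within its nextUpdate time; otherwise the check fails closed.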