Configuring a Certificate Manager to Publish Certificates and CRLs    Chapter 19 Setting Up LDAP Publishing 595

CRL Issuing Points

Because CRLs can grow very large, several methods have been developed to minimize the overhead of retrieving and delivering large CRLs. One of these methods is based on partitioning the entire certificate space and associating a separate CRL with every partition. Such a partition is called a CRL issuing point or distribution point; it is the location where a subset of all the revoked certificates is maintained. Partitioning can be based on revocation reason, on whether the revoked certificate is a CA certificate or an end-entity certificate, on end users' names, and so on. Each issuing point is identified by a set of names, which can be in various forms.

Once the issuing points have been defined, they can be included in certificates so that an application that needs to check the revocation status of a certificate can access the CRL issuing points specified in the certificate instead of the master (main) CRL. The application then checks the CRL maintained at the issuing point, which is smaller than the master CRL, and so the revocation-status check completes faster.

CRL distribution points are associated with certificates by setting the CRLDistributionPoint extension in them.

By default, the Certificate Manager generates and publishes only a single CRL, identified as the master CRL. However, for interoperability purposes, the server does enable you to add the CRLDistributionPoint extension to the certificates it issues. For details, see the section "CRLDistributionPointsExt Plug-in Module" in Chapter 4, "Certificate Extension Plug-in Modules," of the CMS Plug-Ins Guide.

Configuring a Certificate Manager to Publish Certificates and CRLs

If you are using an LDAP-compliant directory, such as Netscape Directory Server, to publish and manage your user and group data, you can configure the Certificate Manager to communicate with this directory. The Certificate Manager can then publish end-entity as well as CA certificates and the certificate revocation list (CRL) to the directory. This way, your publishing directory acts as a common distribution point for information about users and other entities on the network, including each entity's current security credentials.

Once the Certificate Manager is configured to publish to the directory, many certificate- and CRL-related operations are performed automatically. For details, see "Timing of Directory Updates" on page 587.
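The following is an added example, not code from this guide or from the Certificate Management System, illustrating what the "CRL Issuing Points" discussion above describes at the wire level: how a certificate carries its issuing points in the CRLDistributionPoints extension (RFC 5280, section 4.2.1.13), how a partition by revocation reason is expressed with the optional ReasonFlags, and how a relying application picks the issuing point that covers the reason it cares about. The encoder and parser are pure standard-library Python; the LDAP and HTTP URIs are constructed sample values, not real publishing locations.

```python
"""Build and parse a DER-encoded CRLDistributionPoints extension value (RFC 5280 4.2.1.13).

Only the fullName/uniformResourceIdentifier form of a distribution point and the
optional reasons field are handled; cRLIssuer and nameRelativeToCRLIssuer are skipped.
"""
from typing import Iterator, List, Optional, Tuple

# ReasonFlags bit positions as named in RFC 5280; bit 0 ("unused") is never set by a CA.
REASON_FLAGS = ["unused", "keyCompromise", "cACompromise", "affiliationChanged",
                "superseded", "cessationOfOperation", "certificateHold",
                "privilegeWithdrawn", "aACompromise"]

TAG_SEQUENCE = 0x30
TAG_CTX0_CONSTRUCTED = 0xA0   # [0] EXPLICIT distributionPoint, and [0] IMPLICIT fullName
TAG_CTX1_PRIMITIVE = 0x81     # [1] IMPLICIT reasons (BIT STRING)
TAG_URI = 0x86                # GeneralName uniformResourceIdentifier [6] IMPLICIT IA5String

DistributionPoint = Tuple[List[str], Optional[List[str]]]   # (URIs, reasons or None = all)


def der_len(n: int) -> bytes:
    """DER length octets: short form below 128, minimal long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + der_len(len(content)) + content


def encode_reason_flags(reasons: List[str]) -> bytes:
    """ReasonFlags as a DER BIT STRING body: unused-bit count, then bits MSB-first, trailing zeros trimmed."""
    bits = 0
    for r in reasons:
        bits |= 1 << REASON_FLAGS.index(r)   # ValueError on an unknown reason name
    if bits == 0:
        return b"\x00"
    highest = bits.bit_length() - 1
    nbytes = highest // 8 + 1
    value = 0
    for i in range(highest + 1):
        if bits >> i & 1:
            value |= 1 << (nbytes * 8 - 1 - i)
    return bytes([nbytes * 8 - 1 - highest]) + value.to_bytes(nbytes, "big")


def decode_reason_flags(body: bytes) -> List[str]:
    unused = body[0]
    total_bits = (len(body) - 1) * 8 - unused
    return [REASON_FLAGS[i] for i in range(total_bits) if body[1 + i // 8] >> (7 - i % 8) & 1]


def encode_crl_distribution_points(points: List[DistributionPoint]) -> bytes:
    """Return the DER extnValue octets for the given issuing points."""
    out = b""
    for uris, reasons in points:
        names = b"".join(tlv(TAG_URI, u.encode("ascii")) for u in uris)
        dp = tlv(TAG_CTX0_CONSTRUCTED, tlv(TAG_CTX0_CONSTRUCTED, names))  # [0] EXPLICIT { [0] fullName }
        if reasons is not None:
            dp += tlv(TAG_CTX1_PRIMITIVE, encode_reason_flags(reasons))
        out += tlv(TAG_SEQUENCE, dp)
    return tlv(TAG_SEQUENCE, out)


def read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Return (tag, content, next position) for the element at buf[pos]; rejects truncated input."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, hdr = first, 2
    else:
        n = first & 0x7F
        length, hdr = int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), 2 + n
    start, end = pos + hdr, pos + hdr + length
    if end > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[start:end], end


def iter_tlvs(buf: bytes) -> Iterator[Tuple[int, bytes]]:
    pos = 0
    while pos < len(buf):
        tag, content, pos = read_tlv(buf, pos)
        yield tag, content


def decode_crl_distribution_points(der: bytes) -> List[DistributionPoint]:
    tag, seq, end = read_tlv(der, 0)
    if tag != TAG_SEQUENCE or end != len(der):
        raise ValueError("extension value must be exactly one SEQUENCE")
    result: List[DistributionPoint] = []
    for dp_tag, dp in iter_tlvs(seq):
        if dp_tag != TAG_SEQUENCE:
            raise ValueError("DistributionPoint must be a SEQUENCE")
        uris, reasons = [], None
        for t, content in iter_tlvs(dp):
            if t == TAG_CTX0_CONSTRUCTED:
                name_tag, names, _ = read_tlv(content, 0)   # the DistributionPointName CHOICE
                if name_tag != TAG_CTX0_CONSTRUCTED:
                    raise ValueError("only fullName distribution points are handled here")
                uris.extend(gn.decode("ascii") for gn_tag, gn in iter_tlvs(names) if gn_tag == TAG_URI)
            elif t == TAG_CTX1_PRIMITIVE:
                reasons = decode_reason_flags(content)
        result.append((uris, reasons))
    return result


def points_covering(points: List[DistributionPoint], reason: str) -> List[str]:
    """URIs a relying party may consult for a given reason: unrestricted points cover every reason."""
    return [u for uris, reasons in points if reasons is None or reason in reasons for u in uris]


# Constructed sample: a master CRL plus a smaller issuing point holding only key-compromise entries.
SAMPLE_POINTS: List[DistributionPoint] = [
    (["http://crl.example.test/master.crl"], None),
    (["ldap://ldap.example.test/cn=crl-kc,ou=CRLs"], ["keyCompromise", "cACompromise"]),
]

if __name__ == "__main__":
    der = encode_crl_distribution_points(SAMPLE_POINTS)
    print(der.hex())
    print(decode_crl_distribution_points(der))
    print(points_covering(SAMPLE_POINTS, "keyCompromise"))
```

A relying party that uses a reason-partitioned issuing point must remember that the partition covers only the listed reasons; a certificate revoked for `superseded` would not appear in the key-compromise CRL above, which is why `points_covering` falls back to the unrestricted master CRL for every other reason.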