By matching the information in a certificate's Authority Key Identifier (AKI) extension to a CA certificate's Subject Key Identifier (SKI) extension, a certificate chain can be built.

A certificate extension that indicates where the certificate revocation list (CRL) for a CA can be retrieved.

This extension can contain multiple HTTP, FTP, File or LDAP URLs for the retrieval of the CRL.

A method of restricting the certificates that chain to a designated CA to limited time periods or usages. In a Windows Server 2003 network, qualified subordination is the preferred method for restricting certificate usage between organizations.

A digitally signed list issued by a Certification Authority (CA) that identifies the certificates issued by that CA that have been revoked.

A certificate may be issued for one minute, thirty years or even more.

Once issued, a certificate becomes valid only when the start of its validity period has been reached, and it is considered valid until its expiration date.

A CA issues a new CRL on either a configured regular periodic basis (for example, hourly, daily, or weekly) or on an event basis; for example, if an important certificate is deemed compromised, the CA may issue a new CRL to expedite notification of that fact.

This method involves each CA periodically issuing a signed data structure called a certificate revocation list (CRL).

A CRL is a time stamped list identifying revoked certificates, which is signed by a CA and made freely available in a public repository.

A certificate extension that contains information useful for verifying the trust status of a certificate.

This information potentially includes URL locations where the issuing CA's certificate can be retrieved, as well as the location of an OCSP responder configured to provide status for the certificate in question.
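The definitions above describe three checks a relying party performs: building the chain by matching AKI to SKI, confirming the certificate is inside its validity period, and consulting a time-stamped CRL whose own currency matters. The following is an added toy model of those checks, not code from the original page; the certificates, CRL and clock values are constructed sample data (plain dictionaries, not real X.509 objects), and the "unknown" status for a stale or mismatched CRL is an assumption about how a checker should behave rather than something the page states.

```python
from datetime import datetime

def at(iso):
    """Parse a constructed ISO timestamp such as '2004-03-01T12:00'."""
    return datetime.fromisoformat(iso)

# Constructed certificates: the SKI, the AKI naming the issuer's SKI,
# a serial number and the not-before / not-after validity window.
CERTS = [
    {"name": "Root CA", "ski": "aa11", "aki": "aa11", "serial": 1,
     "not_before": at("2003-01-01T00:00"), "not_after": at("2033-01-01T00:00")},
    {"name": "Issuing CA", "ski": "bb22", "aki": "aa11", "serial": 2,
     "not_before": at("2003-06-01T00:00"), "not_after": at("2013-06-01T00:00")},
    {"name": "Server", "ski": "cc33", "aki": "bb22", "serial": 7,
     "not_before": at("2004-01-01T00:00"), "not_after": at("2005-01-01T00:00")},
]

# Constructed CRL published by the Issuing CA: time stamped (this_update),
# with a next_update after which a checker should treat it as stale.
CRL = {"issuer_ski": "bb22", "this_update": at("2004-03-01T00:00"),
       "next_update": at("2004-03-02T00:00"), "revoked": {7}}

def build_chain(leaf, certs):
    """Walk upward from the leaf, matching each certificate's AKI to a
    candidate issuer's SKI, until a self-issued (AKI == SKI) CA is reached."""
    by_ski = {c["ski"]: c for c in certs}
    chain = [leaf]
    while chain[-1]["aki"] != chain[-1]["ski"]:
        issuer = by_ski.get(chain[-1]["aki"])
        if issuer is None:
            raise ValueError("no issuer with SKI %s" % chain[-1]["aki"])
        chain.append(issuer)
    return chain

def is_time_valid(cert, now):
    """Valid only once not_before has been reached and until not_after."""
    return cert["not_before"] <= now <= cert["not_after"]

def crl_status(cert, crl, now):
    """'revoked' or 'good' from a current CRL of the right issuer;
    'unknown' if the CRL is stale or was issued by a different CA."""
    if crl["issuer_ski"] != cert["aki"]:
        return "unknown"
    if not (crl["this_update"] <= now <= crl["next_update"]):
        return "unknown"
    return "revoked" if cert["serial"] in crl["revoked"] else "good"
```

A real checker performs the same steps against signed X.509 structures and also verifies each signature in the chain and on the CRL, which this model leaves out.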
