CRL partitioning is another main reason why administrators often renew an issuing CA. When a CA is renewed with a new key, a new key pair and certificate are generated for that CA. From then on the CA uses the new key, as well as any unexpired previous keys corresponding to previous CA certificates, when generating revocation information. A CA may therefore be using multiple keys at the same time and will publish multiple CRLs, one corresponding to each key.
CRL partitioning is used to reduce the size of the Base CRL. To explain, here is an example. Suppose the issuing CA:
- At t = 0, the CA has a current CA certificate named Certificate A, valid for the coming 5 years (until t = 1825).
- At t = 2, the CA revokes user certificates X and Y and issues a Base CRL (0) that contains the serial numbers of Certificates X and Y. This CRL is signed with CA Certificate A.
- At t = 10, the CA renews its certificate with a new key pair (Certificate B). Since CA Certificate A is still valid, the CA now publishes two CRLs: one signed with Certificate A, named CRL (1), and one signed with Certificate B, named CRL (2). Note that CRL (1) contains the serial numbers of Certificates X and Y, while Base CRL (2) is empty!
- At t = 12, the CA issues a user certificate named Certificate Z to a user.
- At t = 15, the CA revokes Certificate Z and issues CRL (3), which contains only the serial number of Certificate Z.
To explain how this works on the relying-party side, suppose the following:
- An application is presented with Certificate X (which is revoked and signed with CA Certificate A). The application looks at the AIA extension of Certificate X and pulls Certificate A. It then looks at the CDP extension of Certificate X and pulls Base CRL (1), since Base CRL (1) is signed with Certificate A. The application sees that the certificate is revoked and denies the request. So far everything works.
- An application is presented with Certificate Z (which is revoked and signed with CA Certificate B). The application looks at the AIA extension of Certificate Z and pulls Certificate B. It then looks at the CDP extension of Certificate Z and pulls Base CRL (3), since Base CRL (3) is signed with Certificate B. The application sees that the certificate is revoked and denies the request. Again everything works.
- When the CRL grows too large, renewing the CA certificate with a new key pair reduces the CRL size. This feature is called CRL partitioning.
- The CRL signed with the new CA certificate only contains the certificates revoked since the CA key renewal.
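The timeline above replayed in code, as an added example that is not part of the original post. It is a pure-Python simulation: the CA keeps one key per CA certificate, publishes one base CRL per unexpired key listing only the serials issued under that key, and the relying party selects the CRL whose Authority Key Identifier matches the certificate being checked. Real signatures are stood in for by an HMAC-SHA256 tag (a constructed stand-in so the script runs offline); key identifiers such as `ski-A`, the serial numbers and the time units are constructed to follow the post's example.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass


@dataclass(frozen=True)
class CaKey:
    name: str        # "A" or "B" in the post's example
    key_id: str      # stands in for the CA certificate's Subject Key Identifier
    secret: bytes    # stands in for the CA private key (constructed, HMAC only)
    not_after: int   # validity end, in the post's abstract time units


@dataclass(frozen=True)
class EndEntityCert:
    serial: int
    issuer_key_id: str   # Authority Key Identifier: which CA key signed this cert


@dataclass(frozen=True)
class Crl:
    issuer_key_id: str      # AKI of the CRL: which CA key signed it
    number: int             # CRL number
    revoked_serials: tuple  # the partition: only serials issued under this key
    tag: bytes              # HMAC stand-in for the CRL signature


def _sign(key, issuer_key_id, number, serials):
    body = f"{issuer_key_id}|{number}|{serials}".encode()
    return hmac.new(key.secret, body, hashlib.sha256).digest()


class IssuingCa:
    def __init__(self):
        self.keys = []        # every CA key, oldest first
        self.revoked = {}     # serial -> issuer_key_id
        self.crl_number = 0
        self.next_serial = 0

    def renew(self, name, now, lifetime=1825):
        """Renew with a new key pair; older unexpired keys stay in use for CRL signing."""
        key = CaKey(name, f"ski-{name}", os.urandom(32), now + lifetime)
        self.keys.append(key)
        return key

    def issue(self):
        """New end-entity certificates are always signed with the newest CA key."""
        self.next_serial += 1
        return EndEntityCert(self.next_serial, self.keys[-1].key_id)

    def revoke(self, cert):
        self.revoked[cert.serial] = cert.issuer_key_id

    def publish_crls(self, now):
        """One base CRL per unexpired CA key, listing only that key's revoked serials."""
        crls = []
        for key in self.keys:
            if key.not_after < now:
                continue  # expired CA certificate: no further CRLs for it
            serials = tuple(sorted(s for s, k in self.revoked.items() if k == key.key_id))
            self.crl_number += 1
            tag = _sign(key, key.key_id, self.crl_number, serials)
            crls.append(Crl(key.key_id, self.crl_number, serials, tag))
        return crls

    def public_keys(self):
        """What a relying party obtains via AIA (here simply key_id -> verifier key)."""
        return {k.key_id: k for k in self.keys}


def check_revocation(cert, crls, ca_keys):
    """Relying-party check: consult only the CRL whose AKI matches the certificate's AKI."""
    matching = [c for c in crls if c.issuer_key_id == cert.issuer_key_id]
    if not matching:
        return "unknown"   # no CRL from this issuer key: status cannot be determined
    crl = max(matching, key=lambda c: c.number)   # newest CRL from that key
    key = ca_keys[cert.issuer_key_id]
    expected = _sign(key, crl.issuer_key_id, crl.number, crl.revoked_serials)
    if not hmac.compare_digest(expected, crl.tag):
        return "unknown"   # bad signature: treat as if no valid CRL were available
    return "revoked" if cert.serial in crl.revoked_serials else "good"


def run_scenario():
    """Replay the post's timeline and return what each step produces."""
    ca = IssuingCa()
    ca.renew("A", now=0)                      # t=0: CA certificate A
    x, y = ca.issue(), ca.issue()             # X = serial 1, Y = serial 2, both under A
    ca.revoke(x)
    ca.revoke(y)
    crl0 = ca.publish_crls(now=2)             # t=2: single CRL signed by A
    ca.renew("B", now=10)                     # t=10: new key pair B
    crl1, crl2 = ca.publish_crls(now=10)      # two CRLs: A lists X,Y; B is empty
    z = ca.issue()                            # t=12: Z = serial 3, issued under B
    ca.revoke(z)
    crls_t15 = ca.publish_crls(now=15)        # t=15: B's CRL now lists only Z
    keys = ca.public_keys()
    return {
        "crl0_serials": crl0[0].revoked_serials,
        "crl1_serials": crl1.revoked_serials,
        "crl2_serials": crl2.revoked_serials,
        "partition_sizes": {c.issuer_key_id: len(c.revoked_serials) for c in crls_t15},
        "x_status": check_revocation(x, crls_t15, keys),
        "z_status": check_revocation(z, crls_t15, keys),
        "z_via_old_crl_only": check_revocation(z, [crl1], keys),
    }


if __name__ == "__main__":
    for step, value in run_scenario().items():
        print(f"{step}: {value}")
```

The last entry in the result, `z_via_old_crl_only`, shows the check a practitioner should care about: if the relying party only has the CRL signed by the old key A, it has no valid revocation information for Certificate Z at all, because Z's Authority Key Identifier points at key B. A correct client treats that as an undetermined status rather than as "not revoked", which is why the CA must keep publishing a CRL for every unexpired key.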