PKI CRL Partitioning

CRL partitioning is another common reason why administrators renew an issuing CA. When a CA is renewed with a new key, a new key pair and a new CA certificate are generated for that CA. From then on, the CA uses the new key as well as every unexpired previous key (each corresponding to a previous CA certificate) when generating revocation information. A CA may therefore be using several keys at the same time, and it publishes one CRL per key, each signed with the corresponding key.

CRL partitioning is used to reduce the size of the base CRL. To illustrate, consider an issuing CA in the following scenario (times are in days):

  • At t = 0, the CA has a current CA certificate named Certificate A, valid for the coming 5 years (until t = 1825).
  • At t = 2, the CA revokes user certificates X and Y and issues a base CRL (0) that contains the serial numbers of certificates X and Y. This CRL is signed with Certificate A.
  • At t = 10, the CA renews its certificate with a new key pair (Certificate B). Since Certificate A is still valid, the CA now publishes two CRLs: one signed with Certificate A, named CRL (1), and one signed with Certificate B, named CRL (2). Note that CRL (1) contains the serial numbers of certificates X and Y, while the base CRL (2) is empty.
  • At t = 12, the CA issues a user certificate named Certificate Z (signed with Certificate B).
  • At t = 15, the CA revokes Certificate Z and issues CRL (3), which contains only the serial number of Certificate Z.

To explain how revocation checking works with partitioned CRLs, suppose the following:

  • An application is presented with certificate X (which is revoked and was signed with CA Certificate A). The application reads the AIA extension of certificate X and retrieves Certificate A. It then reads the CDP extension of certificate X and retrieves base CRL (1), because CRL (1) is the CRL signed with Certificate A. The application sees that the certificate is revoked and denies the request. So far, everything works as expected.
  • An application is presented with Certificate Z (which is revoked and was signed with CA Certificate B). The application reads the AIA extension of Certificate Z and retrieves Certificate B. It then reads the CDP extension of Certificate Z and retrieves base CRL (3), because CRL (3) is the CRL signed with Certificate B. The application sees that the certificate is revoked and denies the request. Again, everything works as expected.
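The timeline above can be replayed in code. The following is an added example, not code from the original post: a toy model in which a CA keeps one revocation partition per signing key, publishes one base CRL per unexpired key, and a relying party checks a certificate only against the CRL signed by the key that issued it. No real cryptography is performed; the "signature" on a CRL is modelled as the identifier of the signing key, and the class and function names are the example's own. The last result in the returned dictionary shows the pitfall the partitioning creates: the new key's CRL does not list revocations made under the old key, so a checker that consults the wrong CRL would accept revoked certificate X.

```python
"""Toy simulation of CRL partitioning after CA key renewal (added example)."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Cert:
    serial: int
    subject: str
    issuer_key_id: str      # models the AKI/AIA link to the issuing CA certificate
    not_after: int          # expiry day, relative to t = 0


@dataclass
class CRL:
    number: int
    signer_key_id: str      # which CA key "signed" this CRL
    revoked: frozenset = frozenset()


@dataclass
class CertificateAuthority:
    name: str
    clock: int = 0                                        # current day
    keys: dict = field(default_factory=dict)              # key_id -> expiry day
    active_key: str = ""
    revoked_by_key: dict = field(default_factory=dict)    # key_id -> set of serials
    crl_counter: int = 0
    next_serial: int = 1

    def renew_key(self, key_id: str, lifetime_days: int) -> None:
        """Generate a new CA key/certificate; older unexpired keys stay in use."""
        self.keys[key_id] = self.clock + lifetime_days
        self.revoked_by_key[key_id] = set()
        self.active_key = key_id

    def issue(self, subject: str) -> Cert:
        """Issue an end-entity certificate under the currently active CA key."""
        cert = Cert(self.next_serial, subject, self.active_key, self.clock + 365)
        self.next_serial += 1
        return cert

    def revoke(self, cert: Cert) -> None:
        # A revocation is recorded under the key that signed the certificate.
        # This is exactly what keeps the new key's CRL small (the "partition").
        self.revoked_by_key[cert.issuer_key_id].add(cert.serial)

    def publish_crls(self) -> list:
        """Publish one base CRL per unexpired CA key, each signed by that key."""
        crls = []
        for key_id, expiry in self.keys.items():
            if expiry <= self.clock:
                continue
            crls.append(CRL(self.crl_counter, key_id,
                            frozenset(self.revoked_by_key[key_id])))
            self.crl_counter += 1
        return crls


def is_revoked(cert: Cert, crls: list) -> bool:
    """Relying-party check: consult only the CRL signed by the cert's issuing key."""
    matching = [c for c in crls if c.signer_key_id == cert.issuer_key_id]
    if not matching:
        raise LookupError(f"no CRL signed by CA key {cert.issuer_key_id}")
    return cert.serial in matching[-1].revoked


def run_scenario() -> dict:
    """Replay the post's timeline (t in days) and report what each check concludes."""
    ca = CertificateAuthority("Issuing CA")
    ca.renew_key("A", 1825)                   # t = 0: Certificate A, valid 5 years
    x, y = ca.issue("X"), ca.issue("Y")
    ca.clock = 2
    ca.revoke(x)
    ca.revoke(y)
    ca.publish_crls()                         # base CRL signed by A lists X and Y
    ca.clock = 10
    ca.renew_key("B", 1825)                   # Certificate B; A is still valid
    crls_t10 = ca.publish_crls()              # one CRL by A (X, Y), one by B (empty)
    ca.clock = 12
    z = ca.issue("Z")                         # Z is signed under key B
    ca.clock = 15
    ca.revoke(z)
    crls_t15 = ca.publish_crls()
    crl_b = [c for c in crls_t15 if c.signer_key_id == "B"][0]
    return {
        "crl_b_empty_at_renewal": crls_t10[1].revoked == frozenset(),
        "x_revoked": is_revoked(x, crls_t15),
        "z_revoked": is_revoked(z, crls_t15),
        "crl_b_lists_only_z": crl_b.revoked == frozenset({z.serial}),
        # Wrong-CRL pitfall: X is absent from the new key's CRL.
        "x_missed_if_wrong_crl_used": x.serial not in crl_b.revoked,
    }


if __name__ == "__main__":
    for check, result in run_scenario().items():
        print(f"{check}: {result}")
```

Running the block prints one line per check; all five are `True`. The key design point is in `is_revoked`: the CRL is selected by matching its signer to the certificate's issuer key, mirroring how a real client follows the AIA and CDP extensions to the CA certificate and CRL that belong to the same key.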

Summary:

  • When the CRL has grown too large, renewing the CA certificate with a new key pair reduces the CRL size. This feature is called CRL partitioning.
  • The CRL signed with the new CA certificate contains only the certificates revoked since the CA key renewal; certificates issued under the previous key continue to be listed in the CRL signed with that previous key.
