Add-CRLDistributionPoint - PKI Solutions Inc.
Certificate revocation lists — OpenSSL Certificate
This application must have remote access to the CRL. If a certificate was signed with an extension that includes crlDistributionPoints, a client-side application can read this information and fetch the CRL from the specified location. The CRL distribution points are visible in the certificate X509v3 details.
Deploying the Client Certificate for Distribution Points
Nov 15, 2017
How to Publish the CRL on a Separate Web Server - TechNet
Certificate revocation list - Wikipedia
PKI - CRL Distribution Points (CDP) Extension
The CRL distribution points extension is an X.509 v3 certificate extension that identifies the location of the CRL against which the revocation status of this certificate can be checked. The application that processes the certificate can get the location of the CRL from this extension, download the CRL, and then check the revocation status of this certificate.
Setup CRL Distribution Points – ITFreeTraining
Possible symptom: No LDAP fetch traffic is exchanged between the Remote Access Firewall and the LDAP server that holds the CRL during the failed client authentication. A debug of VPND.elg shows that the LDAP URI in the certificates is, for example, "DC=checkpoint-group,DC=net", as shown below: "CRL distribution Points:
I'm having problems using openssl to create an x509 certificate containing a CRL distribution point for testing. I've checked the documentation and found the configuration setting crlDistributionPoints for this purpose. Unfortunately openssl always generates x509 version 1 certificates without instead of version 3 certificates with the crl