3.2.1.4.3.2.20 PropID = 0x00000014 (CR_PROP_CRLSTATE) "CA CRL State"

The client has requested the CA signing certificate status for all CRLs.

The CA MUST do the following for each one of the rows in Signing_Cert table:

  • The CA MUST evaluate the certificate status stored in the Signing_Cert_Certificate column by building its chain based on the specification defined in [RFC3280].

  • If the signing certificate is revoked, the CA MUST return the status CA_DISP_REVOKED.

  • If the certificate index (identified by the Signing_Cert_Certificate column) does not match the key index, the CA MUST return the status CA_DISP_ERROR.

  • If the certificate index (identified by the Signing_Cert_Certificate column) matches the key index, the CA MUST return the status CA_DISP_VALID.

The CA MUST return a byte array that identifies whether a certificate has been used to publish a CRL. Each byte in the array MUST have one of the values in the following table.

 Value                     Meaning
 ------------------------  --------------------------------------------------------------------------------------------
 CA_DISP_ERROR (0x01)      This indexed signing certificate is not associated with the key used to generate the CRL.
 CA_DISP_REVOKED (0x02)    This indexed signing certificate was revoked and its associated key MUST NOT be used to sign CRLs.
 CA_DISP_VALID (0x03)      This indexed signing certificate is associated with the key used to sign the last CRL.
 CA_DISP_INVALID (0x04)    The indexed signing certificate has expired and the associated key MUST NOT be used to sign CRLs.

The CA MUST return the byte array in a CERTTRANSBLOB (section 2.2.2.2) structure. The first byte MUST specify the status of the first signing certificate, and the second byte MUST specify the status of the second signing certificate. Subsequent bytes MUST repeat this pattern.
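The following is an added worked example, not part of the specification or any Microsoft implementation: it models the per-row evaluation above to produce the CA CRL State byte array, and decodes such an array on the client side so that only keys reported CA_DISP_VALID are treated as usable for CRL signing. The Signing_Cert rows are constructed sample data, the row fields are assumed names, and placing the expired check (CA_DISP_INVALID, taken from the table) after the revocation check is an assumption because the bullets do not order it.

```python
from dataclasses import dataclass
from enum import IntEnum


class CaDisp(IntEnum):
    """Byte values of the CA CRL State array (CR_PROP_CRLSTATE)."""
    ERROR = 0x01    # cert not associated with the key used to generate the CRL
    REVOKED = 0x02  # cert revoked; its key MUST NOT sign CRLs
    VALID = 0x03    # cert associated with the key that signed the last CRL
    INVALID = 0x04  # cert expired; its key MUST NOT sign CRLs


@dataclass
class SigningCertRow:
    """One Signing_Cert row (constructed sample; field names are assumed)."""
    cert_index: int   # index of the Signing_Cert_Certificate entry
    key_index: int    # index of the key the certificate is associated with
    revoked: bool     # result of the [RFC3280] chain evaluation
    expired: bool     # result of the [RFC3280] chain evaluation


def crl_state_for_row(row: SigningCertRow) -> CaDisp:
    """Server side: evaluate one row in the order the bullets give."""
    if row.revoked:
        return CaDisp.REVOKED
    if row.expired:                      # assumption: checked after revocation
        return CaDisp.INVALID
    if row.cert_index != row.key_index:  # certificate index vs key index
        return CaDisp.ERROR
    return CaDisp.VALID


def build_crl_state_array(rows: list[SigningCertRow]) -> bytes:
    """Byte i is the status of signing certificate i (the CERTTRANSBLOB payload)."""
    return bytes(crl_state_for_row(r) for r in rows)


def parse_crl_state_array(data: bytes) -> list[tuple[int, CaDisp]]:
    """Client side: map each byte to its status; reject values outside the table."""
    states = []
    for i, b in enumerate(data):
        try:
            states.append((i, CaDisp(b)))
        except ValueError:
            raise ValueError(f"signing cert {i}: undefined CA CRL state 0x{b:02x}")
    return states


def crl_signing_cert_indexes(data: bytes) -> list[int]:
    """Indexes whose key signed the last CRL; revoked/expired/error rows are excluded."""
    return [i for i, st in parse_crl_state_array(data) if st is CaDisp.VALID]
```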