Use your browser to get the initial CRL from the certificate authority manually.
Save the initial CRL file in the binary DER format to your local machine.
Convert the DER file to the text-based PEM format and finally to LDAP Data Interchange Format (LDIF) using the following command, where crl.der stands for the DER file you saved in the previous step. The attribute name is quoted because the shell would otherwise treat the semicolon as a command separator:
ldif -b "certificaterevocationlist;binary" < crl.der > crl.ldif
The ldif command is available in your Directory Server installation.
The crl.ldif file contains text similar to the following:
certificaterevocationlist;binary:: MIH7MIGmMA0GCSqGSIb3DQEBBQUAMGExCzAJBgNVBA
 YTAlVTMRgwFgYDVQQKEw9VLlMuIEdvdmVybm1lbnQxDDAKBgNVBAsTA0RvRDEMMAoGA1UECxMDUE
 tJMRwwGgYDVQQDExNEb0QgQ2xhc3MgMyBSb290IENBFw0wNzA1MDExNDMzMDNaFw0wNzA1MDExNz
 UzMDNaMBQwEgIBTxcNMDcwNDI3MTY1NzMzWjANBgkqhkiG9w0BAQUFAANBADUd7lBe7JeQKQnKCK
 GddnsCXqii7EitbPuYT55M4Nn3qBgPFSG8bX9H5XBGTB4iofb3h0Y9DCqe10vc8dBM0
Do one of the following to define the LDAP entry in which the CRL will be stored.
For an existing entry, specify the DN in the LDIF file.
# entry-id: famouseCA
dn: CN=famouseCA,ou=People,dc=sun,dc=com
certificaterevocationlist;binary:: MIH7MIGmMA0GCSqGSIb3DQEBBQUAMGExCzAJBgNVBA
 YTAlVTMRgwFgYDVQQKEw9VLlMuIEdvdmVybm1lbnQxDDAKBgNVBAsTA0RvRDEMMAoGA1UECxMDUE
 tJMRwwGgYDVQQDExNEb0QgQ2xhc3MgMyBSb290IENBFw0wNzA1MDExNDMzMDNaFw0wNzA1MDExNz
 UzMDNaMBQwEgIBTxcNMDcwNDI3MTY1NzMzWjANBgkqhkiG9w0BAQUFAANBADUd7lBe7JeQKQnKCK
 GddnsCXqii7EitbPuYT55M4Nn3qBgPFSG8bX9H5XBGTB4iofb3h0Y9DCqe10vc8dBM0
For a new entry, specify the DN and object classes in the LDIF file.
# entry-id: tester200
dn: CN=famouseCA,ou=People,dc=sun,dc=com
sn: famouseCA
cn: famouseCA
employeeNumber: 1001
telephoneNumber: 555-555-5555
postalAddress: 555 Test Drive
iplanet-am-modifiable-by: cn=Top-level Admin Role,dc=iplanet,dc=com
mail: famouseCA@test.com
givenName: Test
inetUserStatus: Active
uid: tester200
objectClass: iplanet-am-user-service
objectClass: inetAdmin
objectClass: iPlanetPreferences
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: iplanet-am-managed-person
objectClass: inetuser
objectClass: top
userPassword: {SSHA}E3TJ4DT7IoOLETVny1ktxUGWNTpBYq8tj3C1Sg==
creatorsName: cn=puser,ou=dsame users,dc=iplanet,dc=com
modifiersName: cn=puser,ou=dsame users,dc=iplanet,dc=com
createTimestamp: 20031125043253Z
modifyTimestamp: 20031125043253Z
certificaterevocationlist;binary:: MIH7MIGmMA0GCSqGSIb3DQEBBQUAMGExCzAJBgNVBA
 YTAlVTMRgwFgYDVQQKEw9VLlMuIEdvdmVybm1lbnQxDDAKBgNVBAsTA0RvRDEMMAoGA1UECxMDUE
 tJMRwwGgYDVQQDExNEb0QgQ2xhc3MgMyBSb290IENBFw0wNzA1MDExNDMzMDNaFw0wNzA1MDExNz
 UzMDNaMBQwEgIBTxcNMDcwNDI3MTY1NzMzWjANBgkqhkiG9w0BAQUFAANBADUd7lBe7JeQKQnKCK
 GddnsCXqii7EitbPuYT55M4Nn3qBgPFSG8bX9H5XBGTB4iofb3h0Y9DCqe10vc8dBM0G8=
Run one of the following ldapmodify commands based on whether you are adding the LDIF file to an existing entry or creating a new entry.
To add a CRL to an existing LDAP entry (using an LDIF file with a specified DN), use the following command:
ldapmodify -r -h DirectoryServer_host -p DirectoryServer_port -f ldif-file -D "cn=Directory Manager" -w password
To add a CRL to a new LDAP entry (using an LDIF file with a specified DN and object classes), use the following command:
ldapmodify -a -h DirectoryServer_host -p DirectoryServer_port -f ldif-file -D "cn=Directory Manager" -w password
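The following is an added example, not part of the original procedure and not Sun's ldif or ldapmodify code. It reproduces what the ldif -b step produces (a base64 value introduced by a double colon, folded into continuation lines as RFC 2849 specifies) so you can build and inspect the LDIF for either the existing-entry or the new-entry case without a Directory Server installation, and it checks that the input really is a complete DER SEQUENCE, which catches the common mistakes of saving the CRL in PEM form or downloading it truncated. The DER bytes, the DN and the function names are constructed for the example.

```python
"""Build and read back an LDIF record carrying a DER-encoded CRL.

Added example: mirrors the `ldif -b certificaterevocationlist;binary` step
(base64 the binary value, emit it with `::`, fold long lines per RFC 2849).
The sample DER bytes below are constructed filler, not a real CRL.
"""
import base64

LDIF_MAX_LINE = 76  # RFC 2849 folds lines at 76 characters


def der_length_ok(der: bytes) -> bool:
    """True if the blob is one DER SEQUENCE whose declared length matches the
    bytes that follow. A PEM file (starts with '-----') or a truncated
    download fails this check before anything reaches the directory."""
    if len(der) < 2 or der[0] != 0x30:          # 0x30 = SEQUENCE tag
        return False
    first = der[1]
    if first < 0x80:                             # short-form length
        declared, hdr = first, 2
    else:                                        # long form: (first & 0x7f) length bytes
        n = first & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            return False
        declared = int.from_bytes(der[2:2 + n], "big")
        hdr = 2 + n
    return len(der) == hdr + declared


def fold_ldif_line(line: str) -> str:
    """Fold one logical line; each continuation line begins with a space."""
    if len(line) <= LDIF_MAX_LINE:
        return line
    out, rest = [line[:LDIF_MAX_LINE]], line[LDIF_MAX_LINE:]
    step = LDIF_MAX_LINE - 1                     # one column goes to the leading space
    while rest:
        out.append(" " + rest[:step])
        rest = rest[step:]
    return "\n".join(out)


def binary_attribute_line(attr: str, value: bytes) -> str:
    """`attr:: <base64>`; the double colon marks a base64-encoded value."""
    return fold_ldif_line(f"{attr}:: {base64.b64encode(value).decode('ascii')}")


def build_crl_ldif(dn: str, der: bytes, object_classes=None, extra=None) -> str:
    """LDIF for an existing entry (dn plus the CRL attribute, for ldapmodify -r)
    or a new entry (dn, objectClass values, other attributes, CRL; ldapmodify -a)."""
    if not der_length_ok(der):
        raise ValueError("not a complete DER SEQUENCE: save the CRL as DER, not PEM")
    lines = [fold_ldif_line(f"dn: {dn}")]
    for oc in object_classes or []:
        lines.append(f"objectClass: {oc}")
    for key, val in (extra or {}).items():
        lines.append(fold_ldif_line(f"{key}: {val}"))
    lines.append(binary_attribute_line("certificaterevocationlist;binary", der))
    return "\n".join(lines) + "\n"


def unfold_ldif(text: str):
    """Join continuation lines back into logical lines."""
    logical = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]
        else:
            logical.append(raw)
    return logical


def read_binary_attribute(text: str, attr: str) -> bytes:
    """Recover the raw bytes of an `attr::` value, e.g. to compare the stored
    CRL against the file the CA published."""
    prefix = attr + ":: "
    for line in unfold_ldif(text):
        if line.startswith(prefix):
            return base64.b64decode(line[len(prefix):])
    raise KeyError(attr)


# Constructed sample: a 200-byte DER SEQUENCE of filler bytes, NOT a real CRL.
SAMPLE_DER = bytes([0x30, 0x81, 0xC8]) + bytes(range(200))
SAMPLE_DN = "CN=famouseCA,ou=People,dc=sun,dc=com"   # DN from the page's example

if __name__ == "__main__":
    print(build_crl_ldif(SAMPLE_DN, SAMPLE_DER))
    print(build_crl_ldif(SAMPLE_DN, SAMPLE_DER, ["top", "person"],
                         {"sn": "famouseCA", "cn": "famouseCA"}))
```

Feed the output of build_crl_ldif to ldapmodify exactly as the procedure describes (-r for the existing-entry form, -a for the new-entry form); read_binary_attribute is useful afterwards to confirm, from an ldapsearch LDIF export, that the directory holds byte-for-byte the CRL the CA published.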