CRL distribution points

From http://www.openssl.org/docs/apps/x509v3_config.html#CRL_distribution_points_

CRL distribution points.

This is a multi-valued extension whose options can be either a name:value pair, using the same form as subject alternative name, or a single value representing a section name containing all the distribution point fields.

For a name:value pair, a new DistributionPoint is created with the fullName field set to the given value; both the cRLissuer and reasons fields are omitted in this case.

In the single option case the section indicated contains values for each field. In this section:

If the name is "fullname", the value field should contain the full name of the distribution point in the same format as subject alternative name.

If the name is "relativename", then the value field should contain a section name whose contents represent a DN fragment to be placed in this field.

The name "CRLIssuer", if present, should contain a value for this field in subject alternative name format.

If the name is "reasons", the value field should consist of a comma-separated field containing the reasons. Valid reasons are: "keyCompromise", "CACompromise", "affiliationChanged", "superseded", "cessationOfOperation", "certificateHold", "privilegeWithdrawn" and "AACompromise".

Simple examples:
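
The two forms described above, written out as an added example that is not copied from this page or from the OpenSSL documentation. The host names, section names and DN values are constructed placeholders.

```ini
# Constructed example: hosts, section names and DN values are placeholders.

# Form 1: name:value pairs. Each value becomes its own DistributionPoint
# with only fullName set; cRLissuer and reasons are omitted.
[ ext_simple ]
crlDistributionPoints = URI:http://crl.example.com/ca.crl, URI:http://crl2.example.net/ca.crl

# Form 2: a single value naming a section that holds the fields.
[ ext_full ]
crlDistributionPoints = crldp1_section

[ crldp1_section ]
# fullname uses subject alternative name syntax.
fullname = URI:http://crl.example.com/ca-keycompromise.crl
# Written "CRLissuer" here, the spelling used in OpenSSL's documentation examples.
CRLissuer = dirName:issuer_sect
# The CRL at this distribution point covers only the reasons listed.
reasons = keyCompromise, CACompromise

# DN of the CRL issuer, referenced by dirName above.
[ issuer_sect ]
C = GB
O = Example Org
CN = Example CRL Issuer
```

Either extension section can be selected when signing with `openssl x509 -req -extfile <file> -extensions ext_full`, and `openssl x509 -noout -text` on the issued certificate shows the encoded distribution points for review.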