CRL Publishing
Endi S. Dewata edited this page Jul 22, 2022
IPA enables CRL publishing in PKI during installation; the code that sets it up lives in ipaserver/install/cainstance.py. The CRLs are published into the /var/lib/ipa/pki-ca/publish folder.
The resulting CRL publishing configuration in /var/lib/pki/pki-tomcat/ca/conf/CS.cfg is as follows:

```properties
# Enable file publishing, disable LDAP
ca.publish.enable=true
ca.publish.ldappublish.enable=false

# Create the file publisher, der only, not b64
ca.publish.publisher.impl.FileBasedPublisher.class=com.netscape.cms.publish.publishers.FileBasedPublisher
ca.publish.publisher.instance.FileBaseCRLPublisher.crlLinkExt=bin
ca.publish.publisher.instance.FileBaseCRLPublisher.directory=<publishdir>
ca.publish.publisher.instance.FileBaseCRLPublisher.latestCrlLink=true
ca.publish.publisher.instance.FileBaseCRLPublisher.pluginName=FileBasedPublisher
ca.publish.publisher.instance.FileBaseCRLPublisher.timeStamp=LocalTime
ca.publish.publisher.instance.FileBaseCRLPublisher.zipCRLs=false
ca.publish.publisher.instance.FileBaseCRLPublisher.zipLevel=9
ca.publish.publisher.instance.FileBaseCRLPublisher.Filename.b64=false
ca.publish.publisher.instance.FileBaseCRLPublisher.Filename.der=true

# The publishing rule
ca.publish.rule.instance.FileCrlRule.enable=true
ca.publish.rule.instance.FileCrlRule.mapper=NoMap
ca.publish.rule.instance.FileCrlRule.pluginName=Rule
ca.publish.rule.instance.FileCrlRule.predicate=
ca.publish.rule.instance.FileCrlRule.publisher=FileBaseCRLPublisher
ca.publish.rule.instance.FileCrlRule.type=crl

# Disable LDAP publishing
ca.publish.rule.instance.LdapCaCertRule.enable=false
ca.publish.rule.instance.LdapCrlRule.enable=false
ca.publish.rule.instance.LdapUserCertRule.enable=false
ca.publish.rule.instance.LdapXCertRule.enable=false
```
The master is configured to be the CRL generator:

```properties
ca.crl.MasterCRL.enableCRLCache=true
ca.crl.MasterCRL.enableCRLUpdates=true
ca.listenToCloneModifications=true
```
The replica is configured to defer CRL generation to the master:

```properties
ca.crl.MasterCRL.enableCRLCache=false
ca.crl.MasterCRL.enableCRLUpdates=false
ca.listenToCloneModifications=false
```
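A small check for the publishing and master/replica settings shown above, added here as an example (it is not FreeIPA or PKI code): it parses CS.cfg-style key=value text, reports whether a CA is cleanly a CRL generator or a replica, and lists publishing settings that drift from the expected layout. The sample configuration and the expected-value table are constructed from the settings on this page.

```python
# Added check (not FreeIPA/PKI code): parse CS.cfg-style key=value text and report
# whether CRL publishing and CRL-generator settings match the layout described above.
EXPECTED_PUBLISHING = {  # file-based CRL publishing settings every IPA CA should carry
    "ca.publish.enable": "true",
    "ca.publish.ldappublish.enable": "false",
    "ca.publish.rule.instance.FileCrlRule.enable": "true",
    "ca.publish.publisher.instance.FileBaseCRLPublisher.Filename.der": "true",
}
PUBLISH_DIR = "ca.publish.publisher.instance.FileBaseCRLPublisher.directory"
ROLE_KEYS = (  # the three settings that decide whether this CA generates CRLs itself
    "ca.crl.MasterCRL.enableCRLCache",
    "ca.crl.MasterCRL.enableCRLUpdates",
    "ca.listenToCloneModifications",
)

def parse_cs_cfg(text):
    """Parse CS.cfg text: '#' comments and blank lines skipped, empty values kept."""
    cfg = {}
    for line in (l.strip() for l in text.splitlines()):
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            cfg[key.strip()] = value.strip()
    return cfg

def crl_role(cfg):
    """'master' (all role keys true), 'replica' (all false) or 'inconsistent'."""
    values = {cfg.get(k, "").lower() for k in ROLE_KEYS}
    if values == {"true"}:
        return "master"
    return "replica" if values == {"false"} else "inconsistent"

def publishing_problems(cfg):
    """Settings that differ from the expected file-publishing layout."""
    problems = [f"{k}={cfg.get(k)} (expected {v})"
                for k, v in EXPECTED_PUBLISHING.items()
                if cfg.get(k, "").lower() != v]
    if not cfg.get(PUBLISH_DIR):
        problems.append(f"{PUBLISH_DIR} is not set")
    return problems

# Constructed sample: LDAP publishing left on, only one generator flag set -> 'inconsistent'
SAMPLE_CFG = """ca.publish.enable=true
ca.publish.ldappublish.enable=true
ca.publish.publisher.instance.FileBaseCRLPublisher.directory=/var/lib/ipa/pki-ca/publish
ca.publish.publisher.instance.FileBaseCRLPublisher.Filename.der=true
ca.publish.rule.instance.FileCrlRule.enable=true
ca.crl.MasterCRL.enableCRLCache=false
ca.crl.MasterCRL.enableCRLUpdates=true
ca.listenToCloneModifications=false
"""
```

Run `crl_role(parse_cs_cfg(SAMPLE_CFG))` to see the mixed generator flags reported as `inconsistent`, and `publishing_problems(...)` to see the single `ca.publish.ldappublish.enable` mismatch; pointing `parse_cs_cfg` at the contents of a real CS.cfg works the same way.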