-
Notifications
You must be signed in to change notification settings - Fork 139
Configuring CRL Publishing
Endi S. Dewata edited this page Apr 5, 2021
·
10 revisions
First, prepare a folder for CRL publishing, for example:
$ mkdir /var/lib/pki/pki-tomcat/ca/crl $ chown pkiuser.pkiuser /var/lib/pki/pki-tomcat/ca/crl
Then configure the file-based CRL publishing in /var/lib/pki/pki-tomcat/ca/conf/CS.cfg:
ca.publish.enable=true ca.publish.publisher.instance.FileBasedPublisher.pluginName=FileBasedPublisher ca.publish.publisher.instance.FileBasedPublisher.crlLinkExt=bin ca.publish.publisher.instance.FileBasedPublisher.directory=/var/lib/pki/pki-tomcat/ca/crl ca.publish.publisher.instance.FileBasedPublisher.latestCrlLink=true ca.publish.publisher.instance.FileBasedPublisher.timeStamp=LocalTime ca.publish.publisher.instance.FileBasedPublisher.zipCRLs=false ca.publish.publisher.instance.FileBasedPublisher.zipLevel=9 ca.publish.publisher.instance.FileBasedPublisher.Filename.b64=false ca.publish.publisher.instance.FileBasedPublisher.Filename.der=true ca.publish.rule.instance.FileCrlRule.enable=true ca.publish.rule.instance.FileCrlRule.mapper=NoMap ca.publish.rule.instance.FileCrlRule.pluginName=Rule ca.publish.rule.instance.FileCrlRule.predicate= ca.publish.rule.instance.FileCrlRule.publisher=FileBasedPublisher ca.publish.rule.instance.FileCrlRule.type=crl
By default the CRL is only updated at scheduled times. To update the CRL on each revocation:
ca.crl.MasterCRL.alwaysUpdate=true
Finally, restart the server.
To view the published CRL:
$ openssl crl -inform DER -text -noout -in /var/lib/pki/pki-tomcat/ca/crl/MasterCRL.bin
Configure the LDAP-based CRL publishing in /var/lib/pki/pki-tomcat/ca/conf/CS.cfg, for example:
ca.publish.enable=true ca.publish.ldappublish.enable=true ca.publish.ldappublish.ldap.ldapauth.authtype=BasicAuth ca.publish.ldappublish.ldap.ldapauth.bindDN=cn=Directory Manager ca.publish.ldappublish.ldap.ldapauth.bindPWPrompt=internaldb ca.publish.ldappublish.ldap.ldapauth.clientCertNickname= ca.publish.ldappublish.ldap.ldapconn.host=localhost.localdomain ca.publish.ldappublish.ldap.ldapconn.port=389 ca.publish.ldappublish.ldap.ldapconn.secureConn=false ca.publish.mapper.instance.LdapCrlMap.createCAEntry=true ca.publish.mapper.instance.LdapCrlMap.dnPattern=cn=$subj.cn,dc=example,dc=com ca.publish.mapper.instance.LdapCrlMap.pluginName=LdapCaSimpleMap ca.publish.publisher.instance.LdapCrlPublisher.crlAttr=certificateRevocationList;binary ca.publish.publisher.instance.LdapCrlPublisher.crlObjectClass=pkiCA ca.publish.publisher.instance.LdapCrlPublisher.pluginName=LdapCrlPublisher ca.publish.rule.instance.LdapCrlRule.enable=true ca.publish.rule.instance.LdapCrlRule.mapper=LdapCrlMap ca.publish.rule.instance.LdapCrlRule.pluginName=Rule ca.publish.rule.instance.LdapCrlRule.predicate= ca.publish.rule.instance.LdapCrlRule.publisher=LdapCrlPublisher ca.publish.rule.instance.LdapCrlRule.type=crl
Finally, restart the server.
To retrieve the published CRL:
$ ldapsearch \
-h $HOSTNAME \
-p 389 \
-x \
-D "cn=Directory Manager" \
-w Secret.123 \
-b "cn=Certificate Authority,dc=example,dc=com" \
-t \
certificateRevocationList
dn: cn=Certificate Authority,dc=example,dc=com
certificateRevocationList;binary:< file://<path>
To view the published CRL:
$ openssl crl -inform DER -text -noout -in <path>
|
Tip
|
To find a page in the Wiki, enter the keywords in search field, press Enter, then click Wikis. |