[Freeipa-users] mastercrl.bin very old

Rob Crittenden rcritten at redhat.com
Wed Oct 22 15:39:26 UTC 2014


Natxo Asenjo wrote:
> On Mon, Oct 13, 2014 at 9:39 PM, Natxo Asenjo <natxo.asenjo at gmail.com> wrote:
>> But if I get it from the crl generator using /ipa/crl/MasterCRL.bin I
>> still get the old crl dated june 28th last year.
>>
>> Should I modify ipa-pki-proxy.conf as well on the CRL generator host
>> to point to the /ca/ee/ca/getCRL?op=getCRL&crlIssuingPoint=MasterCRL
>> as well?
> 
> This morning the /ipa/crl dir still had the lists of 28th June 2013 in
> the crl generator host. In my test environment running centos 7 the
> files get updated, so I think a process is not running. But which one?
> 
> Going to the /ca/ee/ca/getCRL?op=getCRL&crlIssuingPoint=MasterCRL gives me the up to date CRL.
> 
> --
> Groeten,
> natxo
> 

To enable CRL generation you need these set:

ca.crl.MasterCRL.enableCRLCache=false
ca.crl.MasterCRL.enableCRLUpdates=false

Given that the CA seems to be generating a new CRL that you can fetch
directly, I'll assume those are set.

The CA also needs configuration on how/where to publish a file-based
CRL. The configuration should look like:

ca.publish.publisher.instance.FileBaseCRLPublisher.crlLinkExt=bin
ca.publish.publisher.instance.FileBaseCRLPublisher.directory=/var/lib/ipa/pki-ca/publish
ca.publish.publisher.instance.FileBaseCRLPublisher.latestCrlLink=true
ca.publish.publisher.instance.FileBaseCRLPublisher.pluginName=FileBasedPublisher
ca.publish.publisher.instance.FileBaseCRLPublisher.timeStamp=LocalTime
ca.publish.publisher.instance.FileBaseCRLPublisher.zipCRLs=false
ca.publish.publisher.instance.FileBaseCRLPublisher.zipLevel=9
ca.publish.publisher.instance.FileBaseCRLPublisher.Filename.b64=false
ca.publish.publisher.instance.FileBaseCRLPublisher.Filename.der=true
ca.publish.rule.instance.FileCrlRule.publisher=FileBaseCRLPublisher

rob
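An added check, not code from this thread or from the FreeIPA/Dogtag projects, that a practitioner could run on the CRL generator to confirm the file-based publisher lines Rob lists are actually present in CS.cfg, and to tell whether the DER CRL sitting in the publish directory is already past its nextUpdate (which is what a MasterCRL.bin dated June 2013 looks like). The CS.cfg path and publish directory are assumptions to adjust for the deployment; the two CS.cfg fragments at the bottom are constructed so the script runs stand-alone and shows both a complete configuration and one where the publisher exists but no rule points at it. The ca.crl.MasterCRL.enableCRL* and ca.publish.enable keys are reported rather than asserted, because their expected values differ between the CRL generator and other CA replicas.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeIPA/Dogtag.
# (1) verify CS.cfg carries the FileBaseCRLPublisher/FileCrlRule lines;
# (2) read the published DER CRL's nextUpdate and flag it if it is in the past.
#
# Assumed paths (hypothetical, adjust for your deployment):
CS_CFG="${CS_CFG:-/etc/pki/pki-tomcat/ca/CS.cfg}"
PUBLISH_DIR="${PUBLISH_DIR:-/var/lib/ipa/pki-ca/publish}"

# Exact key=value lines the file-based publisher needs; the directory follows
# PUBLISH_DIR so the check matches the deployment rather than a fixed path.
REQUIRED_KV="
ca.publish.publisher.instance.FileBaseCRLPublisher.crlLinkExt=bin
ca.publish.publisher.instance.FileBaseCRLPublisher.directory=$PUBLISH_DIR
ca.publish.publisher.instance.FileBaseCRLPublisher.latestCrlLink=true
ca.publish.publisher.instance.FileBaseCRLPublisher.pluginName=FileBasedPublisher
ca.publish.publisher.instance.FileBaseCRLPublisher.timeStamp=LocalTime
ca.publish.publisher.instance.FileBaseCRLPublisher.zipCRLs=false
ca.publish.publisher.instance.FileBaseCRLPublisher.zipLevel=9
ca.publish.publisher.instance.FileBaseCRLPublisher.Filename.b64=false
ca.publish.publisher.instance.FileBaseCRLPublisher.Filename.der=true
ca.publish.rule.instance.FileCrlRule.publisher=FileBaseCRLPublisher
"

# check_crl_publisher_config CS.cfg
# Prints every required line that is absent or carries a different value.
# Returns 0 when all are present, 1 otherwise.
check_crl_publisher_config() {
    cfg="$1"; rc=0
    for kv in $REQUIRED_KV; do
        if ! grep -qxF -- "$kv" "$cfg"; then
            key="${kv%%=*}"
            actual=$(grep -- "^$key=" "$cfg" | head -n 1)
            echo "MISMATCH: want '$kv', have '${actual:-<absent>}'"
            rc=1
        fi
    done
    # Informational only: these differ between the CRL generator and other
    # CA replicas, so they are shown, not asserted.
    grep -E -- '^ca\.(crl\.MasterCRL\.enableCRL(Cache|Updates)|publish\.enable)=' "$cfg" \
        | sed 's/^/INFO: /'
    return $rc
}

# published_crl_status FILE
# Uses openssl's 'crl -nextupdate' to read the DER CRL's nextUpdate and
# compares it with the current time (GNU date). Returns 0 if still valid,
# 1 if the file is missing, 2 if nextUpdate has already passed.
published_crl_status() {
    crl="$1"
    [ -f "$crl" ] || { echo "no published CRL at $crl"; return 1; }
    next=$(openssl crl -in "$crl" -inform DER -noout -nextupdate | sed 's/^nextUpdate=//')
    echo "nextUpdate: $next"
    if [ "$(date -u -d "$next" +%s)" -lt "$(date -u +%s)" ]; then
        echo "STALE: nextUpdate is in the past, the CA is not rewriting $crl"
        return 2
    fi
    return 0
}

# Constructed CS.cfg fragments so the script demonstrates both outcomes offline.
# GOOD_CFG is complete (ca.crl values as found on the CRL generator);
# BAD_CFG defines the publisher but no rule references it.
GOOD_CFG="$REQUIRED_KV
ca.crl.MasterCRL.enableCRLCache=true
ca.crl.MasterCRL.enableCRLUpdates=true
ca.publish.enable=true"
BAD_CFG=$(printf '%s\n' "$GOOD_CFG" | grep -v 'FileCrlRule')

demo() {
    tmp=$(mktemp)
    printf '%s\n' "$GOOD_CFG" > "$tmp"
    echo "== constructed complete sample =="; check_crl_publisher_config "$tmp"; echo "rc=$?"
    printf '%s\n' "$BAD_CFG" > "$tmp"
    echo "== constructed sample missing FileCrlRule =="; check_crl_publisher_config "$tmp"; echo "rc=$?"
    rm -f "$tmp"
    # Real files are examined only when they exist on this host.
    [ -f "$CS_CFG" ] && check_crl_publisher_config "$CS_CFG"
    [ -f "$PUBLISH_DIR/MasterCRL.bin" ] && command -v openssl >/dev/null \
        && published_crl_status "$PUBLISH_DIR/MasterCRL.bin"
    return 0
}
demo
```

Run it as root on the CRL generator with CS_CFG and PUBLISH_DIR pointed at the instance's files; a MISMATCH line names the key to fix, and a STALE verdict with a clean config points at the CRL update side rather than publishing.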
