[Freeipa-users] mastercrl.bin very old
rcritten at redhat.com
Wed Oct 22 15:39:26 UTC 2014
Natxo Asenjo wrote:
> On Mon, Oct 13, 2014 at 9:39 PM, Natxo Asenjo <natxo.asenjo at gmail.com> wrote:
>> But if I get it from the crl generator using /ipa/crl/MasterCRL.bin I
>> still get the old crl dated june 28th last year.
>> Should I modify ipa-pki-proxy.conf as well on the CRL generator host
>> to point to the /ca/ee/ca/getCRL?op=getCRL&crlIssuingPoint=MasterCRL
>> as well?
> This morning the /ipa/crl dir still had the lists of 28th June 2013 in
> the crl generator host. In my test environment running centos 7 the
> files get updated, so I think a process is nut running. But which one?
> Going to the /ca/ee/ca/getCRL?op=getCRL&
> crlIssuingPoint=MasterCRL gives me the up to date CRL.
To enable CRL generation you need these set:
Given that the CA seems to be generating a new CRL that you can fetch
directly I'll assume those are set.
The CA also needs configuration on how/where to publish a file-based
CRL. The configuration should look like:
More information about the Freeipa-users