[Freeipa-users] Revocation of Issuing CA certificates
Rob Crittenden
rcritten at redhat.com
Wed May 6 13:57:43 UTC 2015
Kamal Perera wrote:
> Dear All,
>
>
> How is the revocation of issuing CA certificates handled? We are
> using OCSP responders for revocation checking of certificates issued by
> the Issuing CAs. So do we have to set up another OCSP or CRL distribution
> point to let the applications query for the revocation of issuing CA
> certificates?

Both points are encoded in the certificates that IPA issues:

[ SNIP ]
    Name: Authority Information Access
    Method: PKIX Online Certificate Status Protocol
    Location:
        URI: "http://ipa-ca.example.com/ca/ocsp"

    Name: Certificate Key Usage
    Critical: True
    Usages: Digital Signature
            Non-Repudiation
            Key Encipherment
            Data Encipherment

    Name: Extended Key Usage
        TLS Web Server Authentication Certificate
        TLS Web Client Authentication Certificate

    Name: CRL Distribution Points
    Distribution point:
        URI: "http://ipa-ca.example.com/ipa/crl/MasterCRL.bin"
        CRL issuer:
            Directory Name: "CN=Certificate Authority,O=ipaca"

rob
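
Added example, not part of the original message and not FreeIPA code: a small Python parser for an extension dump in the format shown above. It reports the OCSP and CRL locations each certificate names, so the same check can be run on every certificate in a chain, the issuing CA's own certificate included. The function names and the CA_DUMP sample are constructed for illustration.

```python
# Added example: read revocation pointers from a certutil-style extension dump.
# LEAF repeats the dump from the message above; CA_DUMP is a constructed sample.
LEAF = """\
Name: Authority Information Access
Method: PKIX Online Certificate Status Protocol
Location:
    URI: "http://ipa-ca.example.com/ca/ocsp"
Name: CRL Distribution Points
Distribution point:
    URI: "http://ipa-ca.example.com/ipa/crl/MasterCRL.bin"
    CRL issuer:
        Directory Name: "CN=Certificate Authority,O=ipaca"
"""
CA_DUMP = """\
Name: Certificate Basic Constraints
Critical: True
Data: Is a CA with no maximum path length.
"""

OCSP_METHOD = "PKIX Online Certificate Status Protocol"

def revocation_pointers(dump):
    """Return the OCSP and CRL locations named in one certificate's dump."""
    found = {"ocsp": [], "crl": [], "crl_issuer": []}
    ext = method = None
    for raw in dump.splitlines():
        # Split at the first colon only, so "http://..." values stay intact.
        key, _, value = raw.strip().partition(":")
        value = value.strip().strip('"')
        if key == "Name":              # a new extension begins
            ext, method = value, None
        elif key == "Method":          # AIA access method for the URI that follows
            method = value
        elif key == "URI":
            if ext == "Authority Information Access" and method == OCSP_METHOD:
                found["ocsp"].append(value)
            elif ext == "CRL Distribution Points":
                found["crl"].append(value)
        elif key == "Directory Name" and ext == "CRL Distribution Points":
            found["crl_issuer"].append(value)
    return found

def without_pointers(chain):
    """Labels of certificates that name neither an OCSP URI nor a CRL URI."""
    return [label for label, dump in chain.items()
            if not any(revocation_pointers(dump)[k] for k in ("ocsp", "crl"))]

if __name__ == "__main__":
    print(revocation_pointers(LEAF))
    print(without_pointers({"leaf": LEAF, "issuing-ca": CA_DUMP}))
```

The parser ignores indentation, so it also accepts a dump whose leading whitespace was lost in transit.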