[Pki-users] partition dogtag data in the ldap server?

Christina Fu cfu at redhat.com
Fri Jul 24 16:08:35 UTC 2015


On 07/24/2015 12:07 AM, Alexander Jung wrote:
>
> 2015-07-22 22:43 GMT+02:00 Christina Fu <cfu at redhat.com 
> <mailto:cfu at redhat.com>>:
>
>     Thank you Dave for bringing this email to my attention...somehow
>     it slipped by me.
>
>     I just want to point out that if you do choose to "remove" certs
>     from the internal ldap repository, please do not remove any certs
>     that are revoked but not yet expired.  Doing so will cause your
>     CRL generation to miss the revoked certificates, and render them
>     valid when clients check them.  It would be a big security
>     violation of the PKI.
>
>
> Yes, I am planning to move only the expired (or revoked-expired) certs. 
> While we do not really use the CRL any more (OCSP is the thing 
> nowadays :-), we keep it for compatibility...
>
Good to know.  Though as far as Dogtag goes, OCSP gets its CRL from the 
CA, and the CA generates its CRL from the certs in its internal ldap db.  
The CA needs to keep its CRL accurate and updated for the whole PKI to work 
properly.

> Kind regards,
>
> Alexander Jung
>

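To make the selection rule from this thread concrete, here is an added example; it is not code from the thread, from Dogtag, or from either poster. It models certificate repository entries as plain dictionaries and decides which ones may leave the CA's internal database. The attribute names (certStatus, notAfter, revokedOn) and the GeneralizedTime format are assumptions modelled on Dogtag's certificate repository schema, and the sample records are constructed. The one rule it enforces is the one Christina states: eligibility for removal depends only on expiry, so a revoked certificate whose notAfter is still in the future stays, because the next CRL must still list it.

```python
from datetime import datetime, timezone

# Constructed sample records (not real data). Attribute names follow what
# Dogtag keeps under its certificate repository, but verify them against
# your own directory before relying on this; they are assumptions here.
SAMPLE_RECORDS = [
    {"serial": "0x1", "certStatus": "VALID",
     "notAfter": "20260101000000Z"},
    {"serial": "0x2", "certStatus": "EXPIRED",
     "notAfter": "20140601000000Z"},
    # Revoked in 2015 but valid until 2017: the CRL must keep listing it.
    {"serial": "0x3", "certStatus": "REVOKED",
     "notAfter": "20170101000000Z", "revokedOn": "20150301000000Z"},
    {"serial": "0x4", "certStatus": "REVOKED_EXPIRED",
     "notAfter": "20150101000000Z", "revokedOn": "20140301000000Z"},
    # Status never flipped to REVOKED_EXPIRED even though notAfter passed;
    # the decision below keys on notAfter, so this one is still eligible.
    {"serial": "0x5", "certStatus": "REVOKED",
     "notAfter": "20140101000000Z", "revokedOn": "20130301000000Z"},
]

GENERALIZED_TIME = "%Y%m%d%H%M%SZ"


def parse_generalized_time(value):
    """Parse an LDAP GeneralizedTime string such as 20150724160835Z."""
    return datetime.strptime(value, GENERALIZED_TIME).replace(tzinfo=timezone.utc)


# Reference instant for the worked example: the date of the reply above.
AS_OF = parse_generalized_time("20150724160835Z")


def safe_to_archive(record, now):
    """A cert may leave the CA repository only once its validity period
    is over. Revocation plays no part in that decision: a revoked but
    unexpired cert has to stay so the CRL generator still sees it.
    notAfter is used rather than certStatus because the status field is
    maintained by a background job and can lag behind reality."""
    return parse_generalized_time(record["notAfter"]) < now


def needs_crl_entry(record, now):
    """True for exactly the records this thread warns about: revoked,
    not yet expired, and therefore required for a correct CRL."""
    revoked = record["certStatus"].startswith("REVOKED")
    return revoked and not safe_to_archive(record, now)


def partition(records, now):
    """Split records into serials that may be moved out and serials that
    must remain in the CA's internal database."""
    archive, keep = [], []
    for record in records:
        (archive if safe_to_archive(record, now) else keep).append(record["serial"])
    return archive, keep


def archive_filter(now):
    """LDAP search filter for the same selection, for use with a bulk
    export. Assumes notAfter supports ordering matches; check your schema."""
    return "(&(objectClass=certificateRecord)(notAfter<=%s))" % now.strftime(GENERALIZED_TIME)


if __name__ == "__main__":
    movable, retained = partition(SAMPLE_RECORDS, AS_OF)
    print("safe to move:", movable)
    print("must stay   :", retained)
    print("filter      :", archive_filter(AS_OF))
```

Note that serial 0x3 ends up in the "must stay" set even though it is revoked, while 0x5 is movable although its certStatus still reads REVOKED: the expiry date, not the status label, is what decides.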