[Pki-users] CRL to file publishing on Clone CA

Aleksey Chudov aleksey.chudov at gmail.com
Wed Sep 2 12:04:59 UTC 2015


Hi,

I have configured the same rules for CRL publishing on the Master CA and two
Clone CAs:

+ca.publish.enable=true
+ca.publish.ldappublish.enable=false
+ca.publish.publisher.instance.FileCrlPublisher.Filename.b64=false
+ca.publish.publisher.instance.FileCrlPublisher.Filename.der=true
+ca.publish.publisher.instance.FileCrlPublisher.crlLinkExt=crl
+ca.publish.publisher.instance.FileCrlPublisher.directory=/var/lib/pki/pki-tomcat/webapps/crl
+ca.publish.publisher.instance.FileCrlPublisher.latestCrlLink=true
+ca.publish.publisher.instance.FileCrlPublisher.pluginName=FileBasedPublisher
+ca.publish.publisher.instance.FileCrlPublisher.timeStamp=LocalTime
+ca.publish.publisher.instance.FileCrlPublisher.zipCRLs=false
+ca.publish.publisher.instance.FileCrlPublisher.zipLevel=9
+ca.publish.rule.instance.FileCrlRule.enable=true
+ca.publish.rule.instance.FileCrlRule.mapper=NoMap
+ca.publish.rule.instance.FileCrlRule.pluginName=Rule
+ca.publish.rule.instance.FileCrlRule.predicate=
+ca.publish.rule.instance.FileCrlRule.publisher=FileCrlPublisher
+ca.publish.rule.instance.FileCrlRule.type=crl
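
Review bot: `timeStamp=LocalTime` on the FileCrlPublisher ties the timestamp the publisher applies to its output to each host's local time zone. If the master and the clones can sit in different zones, or the published directory is ever copied from one host to another, `GMT` keeps the timestamps comparable across hosts. Separately, `zipLevel=9` has no effect while `zipCRLs=false`, so either drop that line or enable zipping deliberately.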

But only the Master CA publishes CRLs to the /var/lib/pki/pki-tomcat/webapps/crl
directory.

According to the documentation
https://access.redhat.com/documentation/en-US/Red_Hat_Certificate_System/9/html/Planning_Installation_and_Deployment_Guide/Cloning_a_Subsystem.html#cloning-for-cas,
only one replicated CA can generate, cache, and publish CRLs.

What are the best practices for publishing CRLs on a Clone CA? Should I just
sync the CRL directory on both clones from the master, or is there a better
approach?

Aleksey