[Pki-users] CRL to file publishing on Clone CA

John Magne jmagne at redhat.com
Wed Sep 2 19:17:57 UTC 2015


Hi:

I'm not sure what you are trying to accomplish.
The way we have it now, only the master publishes anywhere.


Is the concern over the internal OCSP of the cloned CAs
or are you publishing to some external OCSP responders?
If you are worried about the internal OCSPs of the clones,
they should give the correct answers about a given cert through replication.

If there is something else desired, let us know.

thanks,
jack



----- Original Message -----
> From: "Aleksey Chudov" <aleksey.chudov at gmail.com>
> To: pki-users at redhat.com
> Sent: Wednesday, September 2, 2015 5:04:59 AM
> Subject: [Pki-users] CRL to file publishing on Clone CA
> 
> Hi,
> 
> I have configured the same rules for CRL publishing on Master CA and two
> Clone CAs
> 
> +ca.publish.enable=true
> +ca.publish.ldappublish.enable=false
> +ca.publish.publisher.instance.FileCrlPublisher.Filename.b64=false
> +ca.publish.publisher.instance.FileCrlPublisher.Filename.der=true
> +ca.publish.publisher.instance.FileCrlPublisher.crlLinkExt=crl
> +ca.publish.publisher.instance.FileCrlPublisher.directory=/var/lib/pki/pki-tomcat/webapps/crl
> +ca.publish.publisher.instance.FileCrlPublisher.latestCrlLink=true
> +ca.publish.publisher.instance.FileCrlPublisher.pluginName=FileBasedPublisher
> +ca.publish.publisher.instance.FileCrlPublisher.timeStamp=LocalTime
> +ca.publish.publisher.instance.FileCrlPublisher.zipCRLs=false
> +ca.publish.publisher.instance.FileCrlPublisher.zipLevel=9
> +ca.publish.rule.instance.FileCrlRule.enable=true
> +ca.publish.rule.instance.FileCrlRule.mapper=NoMap
> +ca.publish.rule.instance.FileCrlRule.pluginName=Rule
> +ca.publish.rule.instance.FileCrlRule.predicate=
> +ca.publish.rule.instance.FileCrlRule.publisher=FileCrlPublisher
> +ca.publish.rule.instance.FileCrlRule.type=crl
> 
> But only Master CA publishes CRLs to /var/lib/pki/pki-tomcat/webapps/crl
> directory.
> 
> According to documentation
> https://access.redhat.com/documentation/en-US/Red_Hat_Certificate_System/9/html/Planning_Installation_and_Deployment_Guide/Cloning_a_Subsystem.html#cloning-for-cas
> , only one replicated CA can generate, cache, and publish CRLs.
> 
> What are the best practices of publishing CRLs on Clone CA? Should I just
> sync CRL directory on both clones from master, or is there a better
> approach?
> 
> Aleksey
> 
> _______________________________________________
> Pki-users mailing list
> Pki-users at redhat.com
> https://www.redhat.com/mailman/listinfo/pki-users
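Added example, not code from either poster or from the Dogtag/RHCS project: a stdlib-only Python sketch of the "sync the CRL directory from master" option raised in the question, with the checks an operator would want so that a clone whose sync has silently stopped does not keep serving a stale or altered CRL. The directory layout, file names (MasterCRL-<date>.der plus a MasterCRL.der "latest" symlink) and file contents are constructed for the demo and are not a claim about how FileBasedPublisher names its output; the mirror is the whole approach here, since per the reply only the master publishes.

```python
# Added example (not from the thread or the Dogtag/RHCS project): mirror the
# master CA's file-publishing directory to a clone and verify the copy, so a
# clone never silently serves a stale or corrupted CRL. Names and bytes below
# are constructed for the demo, not FileBasedPublisher's real naming scheme.
import hashlib
import os
import shutil
import tempfile
import time
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hex SHA-256 of a regular file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def mirror_crl_dir(master_dir, clone_dir):
    """Copy every entry of master_dir into clone_dir (mtimes preserved,
    symlinks re-created as symlinks) and delete clone entries the master
    no longer has. Returns the sorted list of names written."""
    master_dir, clone_dir = Path(master_dir), Path(clone_dir)
    clone_dir.mkdir(parents=True, exist_ok=True)
    written = []
    for entry in master_dir.iterdir():
        target = clone_dir / entry.name
        if target.is_symlink() or target.exists():
            target.unlink()
        if entry.is_symlink():
            os.symlink(os.readlink(entry), target)  # keep the link relative
        elif entry.is_file():
            shutil.copy2(entry, target)  # copy2 keeps the mtime
        written.append(entry.name)
    for entry in list(clone_dir.iterdir()):
        if not os.path.lexists(master_dir / entry.name):
            entry.unlink()  # stale leftover on the clone
    return sorted(written)


def verify_mirror(master_dir, clone_dir, latest_link, max_age_seconds, now=None):
    """Compare clone against master. Returns a dict with: missing (names on
    master but not on clone), mismatched (files whose SHA-256 or link target
    differs), link_ok (latest_link points at the same name on both) and
    stale (the file latest_link resolves to on the clone is older than
    max_age_seconds, measured against 'now')."""
    master_dir, clone_dir = Path(master_dir), Path(clone_dir)
    now = time.time() if now is None else now
    report = {"missing": [], "mismatched": [], "link_ok": False, "stale": True}
    for entry in master_dir.iterdir():
        twin = clone_dir / entry.name
        if not os.path.lexists(twin):
            report["missing"].append(entry.name)
        elif entry.is_symlink():
            if not twin.is_symlink() or os.readlink(entry) != os.readlink(twin):
                report["mismatched"].append(entry.name)
        elif entry.is_file():
            if not twin.is_file() or sha256_of(entry) != sha256_of(twin):
                report["mismatched"].append(entry.name)
    m_link, c_link = master_dir / latest_link, clone_dir / latest_link
    if m_link.is_symlink() and c_link.is_symlink():
        report["link_ok"] = os.readlink(m_link) == os.readlink(c_link)
        if c_link.exists():  # False for a dangling link
            age = now - c_link.stat().st_mtime  # stat() follows the link
            report["stale"] = age > max_age_seconds
    report["missing"].sort()
    report["mismatched"].sort()
    return report


def make_sample_master(master_dir, now):
    """Constructed sample publisher directory: two placeholder blobs (not
    real DER CRLs) and a 'latest' symlink to the newer one. Returns the
    link name."""
    master_dir = Path(master_dir)
    master_dir.mkdir(parents=True, exist_ok=True)
    old = master_dir / "MasterCRL-20150901.der"
    new = master_dir / "MasterCRL-20150902.der"
    old.write_bytes(b"\x30\x82\x01\x00OLD-CRL-PLACEHOLDER")
    new.write_bytes(b"\x30\x82\x01\x00NEW-CRL-PLACEHOLDER")
    os.utime(old, (now - 2 * 86400, now - 2 * 86400))  # two days old
    os.utime(new, (now - 3600, now - 3600))            # one hour old
    os.symlink(new.name, master_dir / "MasterCRL.der")
    return "MasterCRL.der"


def run_demo(max_age_seconds=86400):
    """Mirror the sample, verify it, verify again with the clock three days
    ahead (a sync that stopped running), then tamper with the clone copy.
    Returns (clean_report, stale_report, tampered_report)."""
    root = Path(tempfile.mkdtemp(prefix="crl-sync-"))
    master, clone, now = root / "master", root / "clone", time.time()
    latest = make_sample_master(master, now)
    mirror_crl_dir(master, clone)
    clean = verify_mirror(master, clone, latest, max_age_seconds, now)
    stale = verify_mirror(master, clone, latest, max_age_seconds, now + 3 * 86400)
    (clone / "MasterCRL-20150902.der").write_bytes(b"corrupted")  # altered copy
    (clone / "MasterCRL-20150901.der").unlink()                   # lost file
    tampered = verify_mirror(master, clone, latest, max_age_seconds, now)
    shutil.rmtree(root)
    return clean, stale, tampered


if __name__ == "__main__":
    for label, report in zip(("clean", "stale", "tampered"), run_demo()):
        print(f"{label:9}: {report}")
```

On a real deployment the master side would be the publisher directory from the quoted configuration and the clone side the same path on each clone; the freshness threshold should sit a little above the CRL issuing interval so that a copy which has not changed for one full period is flagged before the CRL's own nextUpdate passes.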
