[Pki-users] CRL to file publishing on Clone CA

John Magne jmagne at redhat.com
Thu Sep 3 00:01:36 UTC 2015


Oh I see:

There are a couple of alternatives, but the way the server works right now
is to only allow the Master to publish:

1. Publish to ldap instead?

2. Have some sort of file watcher on the master and push out updates to the other hosts maybe.



----- Original Message -----
> From: "Aleksey Chudov" <aleksey.chudov at gmail.com>
> To: "John Magne" <jmagne at redhat.com>
> Cc: pki-users at redhat.com
> Sent: Wednesday, September 2, 2015 2:07:20 PM
> Subject: Re: [Pki-users] CRL to file publishing on Clone CA
> 
> To make it clear I have to tell a bit more about my CA scheme.
> 
> I have three servers, Master CA + two Clone CAs. All three servers have
> their own DNS names and also a shared DNS name ca.local.mycompany.com. So,
> ca.local.mycompany.com resolves to three IP addresses for load sharing and
> high availability.
> 
> All CA-enrolled certificates contain the extensions
> 
>             X509v3 CRL Distribution Points:
>                 Full Name:
>                   URI:http://ca.local.mycompany.com/crl/MasterCRL.crl
> 
>             Authority Information Access:
>                 OCSP - URI:http://ca.local.mycompany.com/ca/ocsp
> 
> 
> There are no problems with OCSP. It works out of the box.
> 
> The http://ca.local.mycompany.com/crl/ URL internally points to a
> local directory on all three servers
> 
> # grep -A1 crl /etc/pki/pki-tomcat/server.xml
>         <Context path="/crl"
>                  docBase="/var/lib/pki/pki-tomcat/webapps/crl"
>                  allowLinking="true"/>
> 
> I need the CRL file to be available on all three servers for
> http://ca.local.mycompany.com/crl/MasterCRL.crl URL to work. So, I have
> configured CRL publishing to file in /var/lib/pki/pki-tomcat/webapps/crl
> directory on all three servers. But only Master CA actually publishes CRLs.
> 
> Is there a way to publish CRLs to file on a Clone CA, or should I sync the
> /var/lib/pki/pki-tomcat/webapps/crl directory from the Master CA?
> 
> 
> 
> 
> On Wed, Sep 2, 2015 at 10:17 PM, John Magne <jmagne at redhat.com> wrote:
> 
> > Hi:
> >
> > I'm not sure what you are trying to accomplish.
> > The way we have it now, only the master publishes anywhere.
> >
> >
> > Is the concern over the internal OCSP of the cloned CAs,
> > or are you publishing to some external OCSP responders?
> > If you are worried about the internal OCSPs of the clones,
> > they should give the correct answers about a given cert through
> > replication.
> >
> > If there is something else desired, let us know.
> >
> > thanks,
> > jack
> >
> >
> >
> > ----- Original Message -----
> > > From: "Aleksey Chudov" <aleksey.chudov at gmail.com>
> > > To: pki-users at redhat.com
> > > Sent: Wednesday, September 2, 2015 5:04:59 AM
> > > Subject: [Pki-users] CRL to file publishing on Clone CA
> > >
> > > Hi,
> > >
> > > I have configured the same rules for CRL publishing on Master CA and two
> > > Clone CAs
> > >
> > > +ca.publish.enable=true
> > > +ca.publish.ldappublish.enable=false
> > > +ca.publish.publisher.instance.FileCrlPublisher.Filename.b64=false
> > > +ca.publish.publisher.instance.FileCrlPublisher.Filename.der=true
> > > +ca.publish.publisher.instance.FileCrlPublisher.crlLinkExt=crl
> > >
> > > +ca.publish.publisher.instance.FileCrlPublisher.directory=/var/lib/pki/pki-tomcat/webapps/crl
> > > +ca.publish.publisher.instance.FileCrlPublisher.latestCrlLink=true
> > >
> > > +ca.publish.publisher.instance.FileCrlPublisher.pluginName=FileBasedPublisher
> > > +ca.publish.publisher.instance.FileCrlPublisher.timeStamp=LocalTime
> > > +ca.publish.publisher.instance.FileCrlPublisher.zipCRLs=false
> > > +ca.publish.publisher.instance.FileCrlPublisher.zipLevel=9
> > > +ca.publish.rule.instance.FileCrlRule.enable=true
> > > +ca.publish.rule.instance.FileCrlRule.mapper=NoMap
> > > +ca.publish.rule.instance.FileCrlRule.pluginName=Rule
> > > +ca.publish.rule.instance.FileCrlRule.predicate=
> > > +ca.publish.rule.instance.FileCrlRule.publisher=FileCrlPublisher
> > > +ca.publish.rule.instance.FileCrlRule.type=crl
> > >
> > > But only Master CA publishes CRLs to /var/lib/pki/pki-tomcat/webapps/crl
> > > directory.
> > >
> > > According to the documentation
> > > https://access.redhat.com/documentation/en-US/Red_Hat_Certificate_System/9/html/Planning_Installation_and_Deployment_Guide/Cloning_a_Subsystem.html#cloning-for-cas
> > > only one replicated CA can generate, cache, and publish CRLs.
> > >
> > > What are the best practices of publishing CRLs on Clone CA? Should I just
> > > sync CRL directory on both clones from master, or is there a better
> > > approach?
> > >
> > > Aleksey
> > >
> > > _______________________________________________
> > > Pki-users mailing list
> > > Pki-users at redhat.com
> > > https://www.redhat.com/mailman/listinfo/pki-users
> >
> 
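As an added illustration of the clone side of the "push out updates to the other hosts" idea (example code, not from the thread and not pki-tomcat's FileBasedPublisher): a receiver that installs a CRL shipped from the master into the served directory, mirroring the latestCrlLink/crlLinkExt layout from the config above, so the shared URL never exposes a truncated copy. The timestamped file name, the `demo` helper and the DER completeness check are assumptions of this example.

```python
import os
import tempfile
import time


def der_sequence_complete(data: bytes) -> bool:
    """True if data is exactly one complete DER SEQUENCE (catches a half-copied CRL)."""
    if len(data) < 2 or data[0] != 0x30:
        return False
    first = data[1]
    if first < 0x80:                          # short-form length
        length, header = first, 2
    else:                                     # long-form: (first & 0x7F) length bytes follow
        n = first & 0x7F
        if n == 0 or n > 4 or len(data) < 2 + n:
            return False                      # indefinite or absurd length: not DER
        length, header = int.from_bytes(data[2:2 + n], "big"), 2 + n
    return header + length == len(data)


def publish_crl(directory, crl_der, base="MasterCRL", ext="crl", now=None):
    """Write <base>-<stamp>.<ext> and swap the <base>.<ext> symlink atomically; None if unchanged."""
    if not der_sequence_complete(crl_der):
        raise ValueError("rejecting CRL: not a complete DER SEQUENCE")
    link = os.path.join(directory, f"{base}.{ext}")
    if os.path.exists(link):
        with open(link, "rb") as f:
            if f.read() == crl_der:
                return None                   # clone already serves these bytes
    stamp = time.strftime("%Y%m%d-%H%M%S", time.localtime(now))  # assumed naming scheme
    target = f"{base}-{stamp}.{ext}"
    path = os.path.join(directory, target)
    fd, tmp = tempfile.mkstemp(dir=directory, prefix=".crl-")
    with os.fdopen(fd, "wb", buffering=0) as f:   # unbuffered write, then fsync
        f.write(crl_der)
        os.fsync(f.fileno())
    os.replace(tmp, path)                     # complete file appears in one step
    tmp_link = path + ".lnk"
    os.symlink(target, tmp_link)              # relative link, like latestCrlLink=true
    os.replace(tmp_link, link)                # readers see old or new CRL, never neither
    return path


def demo():
    """Constructed run in a temp dir with a tiny stand-in DER blob (not a real CRL)."""
    crl = b"\x30\x03\x02\x01\x05"
    d = tempfile.mkdtemp()
    first = publish_crl(d, crl, now=0)
    with open(os.path.join(d, "MasterCRL.crl"), "rb") as f:
        served = f.read()
    second = publish_crl(d, crl, now=0)
    return os.path.basename(first), served == crl, second is None
```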