[Pki-users] CRL to file publishing on Clone CA

Aleksey Chudov aleksey.chudov at gmail.com
Thu Sep 3 08:18:41 UTC 2015


Actually, I do not like the idea of directory synchronization using some
third-party script, so I found an alternative to publishing the CRL to file.

My PKI CA subsystem listens on the default ports 8080 and 8443, and I use
Apache mod_proxy to make the PKI CA available on the standard ports 80 and 443.

All I have to do is add a bit of Apache mod_rewrite magic:

RewriteEngine on
# Serve /crl/MasterCRL.crl from the CA's own getCRL servlet instead of a published file
RewriteRule "^/crl/MasterCRL\.crl$" "/ca/ee/ca/getCRL?crlIssuingPoint=MasterCRL&op=getCRL" [L,NC,PT]

It works the same for the master and the clones without the need for publishing.

Thanks for your reminder of the availability of alternatives :)
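
One check that goes with this setup, added here as an example and not part of the original thread or of the Dogtag/RHCS project: because ca.local.mycompany.com round-robins over three hosts, a client cannot tell which node answered, so the script below fetches /crl/MasterCRL.crl from each backend explicitly (curl --resolve pins the shared name to one IP), verifies the CRL signature against the CA certificate, checks that nextUpdate has not passed, and confirms that all nodes return the same CRL number. The backend IPs, the CA certificate path and the host name are assumptions for illustration; the script needs openssl, curl and awk.

```sh
#!/bin/sh
# Added example, not from the pki-users thread: fetch the CRL from every
# backend behind the round-robin name and check that each copy is valid,
# still current, and identical across nodes.
# Assumptions (adjust for your deployment): host name, CRL path, backend
# IPs (master + two clones) and the CA certificate used for verification.
CRL_HOST="ca.local.mycompany.com"
CRL_PATH="/crl/MasterCRL.crl"
BACKENDS="192.0.2.11 192.0.2.12 192.0.2.13"             # assumed addresses
CA_CERT="/etc/pki/tls/certs/ca.local.mycompany.com.crt" # assumed path

# Fetch the CRL from one backend while presenting the shared host name,
# so the request goes through the same mod_rewrite rule a client hits.
fetch_crl() {
    ip="$1"; out="$2"
    curl -sSf --resolve "${CRL_HOST}:80:${ip}" -o "$out" "http://${CRL_HOST}${CRL_PATH}"
}

# Print the CRL number (hex, as openssl prints it) of a DER-encoded CRL.
crl_number() {
    openssl crl -inform DER -in "$1" -noout -crlnumber | sed 's/^crlNumber=//'
}

# Succeed only if the CRL signature verifies against the CA certificate.
# The "verify OK" text is checked rather than the exit code, because older
# openssl releases exit 0 even when verification fails.
crl_signature_ok() {
    openssl crl -inform DER -in "$1" -noout -CAfile "$2" 2>&1 | grep -q '^verify OK'
}

# Print nextUpdate as YYYYMMDDHHMMSS in UTC. openssl prints
# "nextUpdate=Sep  4 08:18:41 2015 GMT"; awk rewrites it so that a
# plain integer comparison works without GNU date.
crl_next_update_utc() {
    openssl crl -inform DER -in "$1" -noout -nextupdate | sed 's/^nextUpdate=//' |
    awk '{ m = (index("JanFebMarAprMayJunJulAugSepOctNovDec", $1) + 2) / 3;
           split($3, t, ":");
           printf "%s%02d%02d%s%s%s\n", $4, m, $2, t[1], t[2], t[3] }'
}

# Succeed only if nextUpdate is still in the future: a node handing out a
# CRL that has already expired is the failure mode this catches.
crl_is_current() {
    next=$(crl_next_update_utc "$1")
    now=$(date -u +%Y%m%d%H%M%S)
    [ -n "$next" ] && [ "$next" -gt "$now" ]
}

# Run the full check across all backends; non-zero exit on any problem.
check_all_backends() {
    tmp=$(mktemp -d); ref=""; rc=0
    for ip in $BACKENDS; do
        f="$tmp/$ip.crl"
        if ! fetch_crl "$ip" "$f"; then
            echo "$ip: fetch failed"; rc=1; continue
        fi
        if ! crl_signature_ok "$f" "$CA_CERT"; then
            echo "$ip: CRL signature does not verify against $CA_CERT"; rc=1; continue
        fi
        if ! crl_is_current "$f"; then
            echo "$ip: CRL nextUpdate has passed"; rc=1
        fi
        n=$(crl_number "$f")
        if [ -z "$ref" ]; then
            ref="$n"
        elif [ "$n" != "$ref" ]; then
            echo "$ip: crlNumber $n differs from first node ($ref)"; rc=1
        fi
        echo "$ip: crlNumber=$n nextUpdate=$(crl_next_update_utc "$f")"
    done
    rm -rf "$tmp"
    return "$rc"
}

# Only run the network check when explicitly asked, so the functions can
# be sourced and exercised without reaching the CA hosts.
if [ -n "${CRL_CHECK_RUN:-}" ]; then
    check_all_backends
fi
```

Run it as `CRL_CHECK_RUN=1 sh check_crl.sh` from a cron job or monitoring check; a non-zero exit means at least one node served a missing, unsigned, expired or divergent CRL. A divergent CRL number is the case to watch for with on-demand getCRL on clones: it shows a node answering with an older CRL than the master.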


On Thu, Sep 3, 2015 at 3:01 AM, John Magne <jmagne at redhat.com> wrote:

> Oh I see:
>
> There are a couple of alternatives, but the way the server works right now
> is to only allow the Master to publish:
>
> 1. Publish to ldap instead?
>
> 2. Have some sort of file watcher on the master and push out updates to
> the other hosts maybe.
>
>
>
> ----- Original Message -----
> > From: "Aleksey Chudov" <aleksey.chudov at gmail.com>
> > To: "John Magne" <jmagne at redhat.com>
> > Cc: pki-users at redhat.com
> > Sent: Wednesday, September 2, 2015 2:07:20 PM
> > Subject: Re: [Pki-users] CRL to file publishing on Clone CA
> >
> > To make it clear I have to tell a bit more about my CA scheme.
> >
> > I have three servers, a Master CA + two Clone CAs. All three servers have
> > their own DNS names and also a shared DNS name, ca.local.mycompany.com. So,
> > ca.local.mycompany.com resolves to three IP addresses for load sharing and
> > high availability.
> >
> > All CA-enrolled certificates contain the extensions
> >
> >             X509v3 CRL Distribution Points:
> >                 Full Name:
> >                   URI:http://ca.local.mycompany.com/crl/MasterCRL.crl
> >
> >             Authority Information Access:
> >                 OCSP - URI:http://ca.local.mycompany.com/ca/ocsp
> >
> >
> > There are no problems with OCSP. It works out of the box.
> >
> > The http://ca.local.mycompany.com/crl/ URL internally points to a
> > local directory on all three servers:
> >
> > # grep -A1 crl /etc/pki/pki-tomcat/server.xml
> >         <Context path="/crl"
> >                  docBase="/var/lib/pki/pki-tomcat/webapps/crl"
> >                  allowLinking="true"/>
> >
> > I need the CRL file to be available on all three servers for the
> > http://ca.local.mycompany.com/crl/MasterCRL.crl URL to work. So, I have
> > configured CRL publishing to file in the /var/lib/pki/pki-tomcat/webapps/crl
> > directory on all three servers. But only the Master CA actually publishes
> > CRLs.
> >
> > Is there a way to publish CRLs to file on a Clone CA, or should I sync
> > the /var/lib/pki/pki-tomcat/webapps/crl directory from the Master CA?
> >
> >
> >
> >
> > On Wed, Sep 2, 2015 at 10:17 PM, John Magne <jmagne at redhat.com> wrote:
> >
> > > Hi:
> > >
> > > I'm not sure what you are trying to accomplish.
> > > The way we have it now, only the master publishes anywhere.
> > >
> > >
> > > Is the concern over the internal OCSP of the cloned CAs,
> > > or are you publishing to some external OCSP responders?
> > > If you are worried about the internal OCSPs of the clones,
> > > they should give the correct answers about a given cert through
> > > replication.
> > >
> > > If there is something else desired, let us know.
> > >
> > > thanks,
> > > jack
> > >
> > >
> > >
> > > ----- Original Message -----
> > > > From: "Aleksey Chudov" <aleksey.chudov at gmail.com>
> > > > To: pki-users at redhat.com
> > > > Sent: Wednesday, September 2, 2015 5:04:59 AM
> > > > Subject: [Pki-users] CRL to file publishing on Clone CA
> > > >
> > > > Hi,
> > > >
> > > > I have configured the same rules for CRL publishing on the Master CA and
> > > > two Clone CAs:
> > > >
> > > > +ca.publish.enable=true
> > > > +ca.publish.ldappublish.enable=false
> > > > +ca.publish.publisher.instance.FileCrlPublisher.Filename.b64=false
> > > > +ca.publish.publisher.instance.FileCrlPublisher.Filename.der=true
> > > > +ca.publish.publisher.instance.FileCrlPublisher.crlLinkExt=crl
> > > >
> > > > +ca.publish.publisher.instance.FileCrlPublisher.directory=/var/lib/pki/pki-tomcat/webapps/crl
> > > > +ca.publish.publisher.instance.FileCrlPublisher.latestCrlLink=true
> > > >
> > > > +ca.publish.publisher.instance.FileCrlPublisher.pluginName=FileBasedPublisher
> > > > +ca.publish.publisher.instance.FileCrlPublisher.timeStamp=LocalTime
> > > > +ca.publish.publisher.instance.FileCrlPublisher.zipCRLs=false
> > > > +ca.publish.publisher.instance.FileCrlPublisher.zipLevel=9
> > > > +ca.publish.rule.instance.FileCrlRule.enable=true
> > > > +ca.publish.rule.instance.FileCrlRule.mapper=NoMap
> > > > +ca.publish.rule.instance.FileCrlRule.pluginName=Rule
> > > > +ca.publish.rule.instance.FileCrlRule.predicate=
> > > > +ca.publish.rule.instance.FileCrlRule.publisher=FileCrlPublisher
> > > > +ca.publish.rule.instance.FileCrlRule.type=crl
> > > >
> > > > But only the Master CA publishes CRLs to the
> > > > /var/lib/pki/pki-tomcat/webapps/crl directory.
> > > >
> > > > According to the documentation at
> > > > https://access.redhat.com/documentation/en-US/Red_Hat_Certificate_System/9/html/Planning_Installation_and_Deployment_Guide/Cloning_a_Subsystem.html#cloning-for-cas
> > > > only one replicated CA can generate, cache, and publish CRLs.
> > > >
> > > > What are the best practices for publishing CRLs on a Clone CA? Should I just
> > > > sync the CRL directory on both clones from the master, or is there a better
> > > > approach?
> > > >
> > > > Aleksey
> > > >
> > >
> >
>