-
Notifications
You must be signed in to change notification settings - Fork 137
Publishing CRL to LDAP Server
This page describes the process to configure CA to publish CRL to an LDAP server.
To configure OCSP responder to get the CRL from an LDAP server, see:
Prepare a CRL publishing subtree:
$ ldapadd \ -H ldap://$HOSTNAME:389 \ -x \ -D "cn=Directory Manager" \ -w Secret.123 dn: dc=crl,dc=pki,dc=example,dc=com objectClass: domain dc: crl
The CRL publishing configuration is stored in /var/lib/pki/pki-tomcat/ca/conf/CS.cfg
.
To configure the LDAP connection:
$ pki-server ca-config-set ca.publish.ldappublish.enable true $ pki-server ca-config-set ca.publish.ldappublish.ldap.ldapconn.host $HOSTNAME $ pki-server ca-config-set ca.publish.ldappublish.ldap.ldapconn.port 389 $ pki-server ca-config-set ca.publish.ldappublish.ldap.ldapconn.secureConn false $ pki-server ca-config-set ca.publish.ldappublish.ldap.ldapauth.authtype BasicAuth $ pki-server ca-config-set ca.publish.ldappublish.ldap.ldapauth.bindDN "cn=Directory Manager" $ pki-server ca-config-set ca.publish.ldappublish.ldap.ldapauth.bindPWPrompt internaldb $ pki-server ca-config-set ca.publish.ldappublish.ldap.ldapauth.clientCertNickname ""
To configure LDAP-based CRL publisher:
$ pki-server ca-config-set ca.publish.publisher.instance.LdapCrlPublisher.crlAttr "certificateRevocationList;binary" $ pki-server ca-config-set ca.publish.publisher.instance.LdapCrlPublisher.crlObjectClass pkiCA $ pki-server ca-config-set ca.publish.publisher.instance.LdapCrlPublisher.pluginName LdapCrlPublisher
To configure CRL mapper:
$ pki-server ca-config-set ca.publish.mapper.instance.LdapCrlMap.createCAEntry true $ pki-server ca-config-set ca.publish.mapper.instance.LdapCrlMap.dnPattern "cn=\$subj.cn,dc=crl,dc=pki,dc=example,dc=com" $ pki-server ca-config-set ca.publish.mapper.instance.LdapCrlMap.pluginName LdapCaSimpleMap
To configure CRL publishing rule:
$ pki-server ca-config-set ca.publish.rule.instance.LdapCrlRule.enable true $ pki-server ca-config-set ca.publish.rule.instance.LdapCrlRule.mapper LdapCrlMap $ pki-server ca-config-set ca.publish.rule.instance.LdapCrlRule.pluginName Rule $ pki-server ca-config-set ca.publish.rule.instance.LdapCrlRule.predicate "" $ pki-server ca-config-set ca.publish.rule.instance.LdapCrlRule.publisher LdapCrlPublisher $ pki-server ca-config-set ca.publish.rule.instance.LdapCrlRule.type crl
To enable CRL publishing:
$ pki-server ca-config-set ca.publish.enable true
To simplify testing, the buffer size for revocation checking can be set to 0
so that each certificate revocation will take effect immediately:
$ pki-server ca-config-set auths.revocationChecking.bufferSize 0
Also by default the CRL is only updated at scheduled times. To update the CRL immediately on each certificate revocation:
$ pki-server ca-config-set ca.crl.MasterCRL.alwaysUpdate true
Finally, restart the server.
To retrieve the published CRL:
$ ldapsearch \ -H ldap://$HOSTNAME:389 \ -x \ -D "cn=Directory Manager" \ -w Secret.123 \ -b "cn=crl,dc=example,dc=com" \ -o ldif_wrap=no \ -t \ "(objectClass=pkiCA)" dn: cn=CA Signing Certificate,dc=crl,dc=pki,dc=example,dc=com cn: CA Signing Certificate sn: CA Signing Certificate objectClass: top objectClass: person objectClass: organizationalPerson objectClass: inetOrgPerson objectClass: pkiCA certificateRevocationList;binary:< file://<path>
To view the published CRL:
$ openssl crl \ -in <path> \ -inform DER \ -text -noout Certificate Revocation List (CRL): Version 2 (0x1) Signature Algorithm: sha256WithRSAEncryption Issuer: O = EXAMPLE, OU = pki-tomcat, CN = CA Signing Certificate Last Update: Jan 22 00:56:35 2022 GMT Next Update: Jan 22 01:00:00 2022 GMT CRL extensions: X509v3 Authority Key Identifier: keyid:6E:27:EA:CC:40:91:88:35:C7:B0:60:45:B3:2C:6A:74:0B:BF:EE:8A X509v3 CRL Number: 2 Revoked Certificates: Serial Number: 07 Revocation Date: Jan 22 00:56:35 2022 GMT CRL entry extensions: X509v3 CRL Reason Code: Certificate Hold Signature Algorithm: sha256WithRSAEncryption 2d:3f:c1:4d:d4:0a:39:a2:bf:ce:bc:12:96:46:b4:c6:c5:8c: 65:fb:fe:ea:9b:b1:a3:df:7b:a4:b0:57:9d:d8:55:a4:39:b4: 5a:17:d7:0a:93:4d:7e:0c:0e:da:87:b1:18:5f:21:96:d4:1e: c5:3c:ae:07:87:56:e4:30:fc:06:ea:c7:da:61:fd:ea:b6:b1: fa:24:bf:54:f0:32:ea:1d:65:91:58:4e:83:fe:50:72:4a:cc: 37:4b:61:db:43:c9:9b:74:25:e6:64:93:a4:23:02:ba:b9:64: 4e:99:5f:12:d6:81:d0:bb:52:b7:df:6e:0d:f3:60:98:9a:0f: 86:e0:da:77:f9:5c:8b:d7:68:92:10:54:cf:10:0b:41:01:e5: b9:aa:44:9f:34:bb:18:36:13:5d:4f:02:38:48:24:b2:c2:72: 60:18:a4:64:65:10:dc:4a:30:ae:71:e6:9b:b4:de:0a:c7:fc: 4f:a1:d7:68:b6:8b:bf:dd:08:24:ab:8e:28:e8:ef:20:ce:24: 83:48:65:4f:c2:f0:04:19:08:fd:5b:30:94:b6:d6:71:30:45: 2d:25:63:5b:e2:7d:bd:f0:c0:2c:1b:f6:da:a6:93:05:21:fd: 78:ba:a5:a3:ed:88:f5:fb:c9:f0:e5:b0:e3:e9:9a:c0:00:e9: 44:b2:4a:83
Tip
|
To find a page in the Wiki, enter the keywords in search field, press Enter, then click Wikis. |