Setting up CRL Database
Endi S. Dewata edited this page Jun 20, 2025 · 5 revisions
This page describes how to set up a CRL database in LDAP that can be shared by the CA and OCSP subsystems: the CA publishes CRLs into it and the OCSP responder reads them from it, so both need to reach the same suffix.
If necessary, the CRL database can be stored in a separate DS backend with its own suffix, which keeps the CRL data apart from the other PKI data and makes it easy to replicate on its own.
To create a new DS backend:

```
$ dsconf \
    -D "cn=Directory Manager" \
    -w Secret.123 \
    ldap://ds.example.com:389 \
    backend create \
    --suffix=dc=crl,dc=pki,dc=example,dc=com \
    --be-name=crl
```
To add the base entry. The aci attribute on it grants anonymous read, search and compare on everything under the suffix except the userPassword and aci attributes; this is what lets the CA and OCSP (and any other client) read CRLs without binding, so keep it scoped to the CRL suffix and do not copy it to suffixes that hold private data:

```
$ ldapadd -H ldap://ds.example.com:389 \
    -x \
    -D "cn=Directory Manager" \
    -w Secret.123
dn: dc=crl,dc=pki,dc=example,dc=com
objectClass: domain
dc: crl
aci: (targetattr!="userPassword || aci") (version 3.0; acl "Enable anonymous access"; allow (read, search, compare) userdn="ldap:///anyone";)
```
Verify that the CRL database can be accessed anonymously. No -D or -w is given, so the bind is anonymous; the search should return the base entry created above:

```
$ ldapsearch \
    -H ldap://ds.example.com:389 \
    -x \
    -b "dc=crl,dc=pki,dc=example,dc=com"
```
If necessary, the CRL database can be replicated to multiple LDAP servers. The steps below set up two suppliers with agreements in both directions (multi-supplier replication), so a CRL published to either server propagates to the other; each supplier needs a distinct --replica-id.
To enable replication in the primary database:
```
$ dsconf \
    -D "cn=Directory Manager" \
    -w Secret.123 \
    ldap://primaryds.example.com:389 \
    replication enable \
    --suffix=dc=crl,dc=pki,dc=example,dc=com \
    --role=supplier \
    --replica-id=1 \
    --bind-dn="cn=Replication Manager,cn=config" \
    --bind-passwd=Secret.123
```
To enable replication in the secondary database:
```
$ dsconf \
    -D "cn=Directory Manager" \
    -w Secret.123 \
    ldap://secondaryds.example.com:389 \
    replication enable \
    --suffix=dc=crl,dc=pki,dc=example,dc=com \
    --role=supplier \
    --replica-id=2 \
    --bind-dn="cn=Replication Manager,cn=config" \
    --bind-passwd=Secret.123
```
To create the replication agreement in the primary database. Note that this agreement uses --conn-protocol=LDAP with --bind-method=SIMPLE, so the Replication Manager password and all replicated data cross the network in cleartext; outside a lab, use an encrypted connection protocol (LDAPS or StartTLS) instead:

```
$ dsconf \
    -D "cn=Directory Manager" \
    -w Secret.123 \
    ldap://primaryds.example.com:389 \
    repl-agmt create \
    --suffix=dc=crl,dc=pki,dc=example,dc=com \
    --host=secondaryds.example.com \
    --port=389 \
    --conn-protocol=LDAP \
    --bind-dn="cn=Replication Manager,cn=config" \
    --bind-passwd=Secret.123 \
    --bind-method=SIMPLE \
    primaryds-to-secondaryds
```
To create the replication agreement in the secondary database:
```
$ dsconf \
    -D "cn=Directory Manager" \
    -w Secret.123 \
    ldap://secondaryds.example.com:389 \
    repl-agmt create \
    --suffix=dc=crl,dc=pki,dc=example,dc=com \
    --host=primaryds.example.com \
    --port=389 \
    --conn-protocol=LDAP \
    --bind-dn="cn=Replication Manager,cn=config" \
    --bind-passwd=Secret.123 \
    --bind-method=SIMPLE \
    secondaryds-to-primaryds
```
To start the initialization, which pushes a full copy of the primary's CRL database to the secondary (only one direction needs initializing, since both servers are suppliers):

```
$ dsconf \
    -D "cn=Directory Manager" \
    -w Secret.123 \
    ldap://primaryds.example.com:389 \
    repl-agmt init \
    --suffix=dc=crl,dc=pki,dc=example,dc=com \
    primaryds-to-secondaryds
```
Wait for the initialization to complete:
```
$ dsconf \
    -D "cn=Directory Manager" \
    -w Secret.123 \
    ldap://primaryds.example.com:389 \
    repl-agmt init-status \
    --suffix=dc=crl,dc=pki,dc=example,dc=com \
    primaryds-to-secondaryds
Agreement successfully initialized.
```
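The following script is added here as an example and is not part of the PKI project. It runs the checks a deployment should pass once the steps above are complete: every server must serve the CRL base entry anonymously without returning the attributes the ACI withholds (the base entry carries an aci attribute, so a misconfigured ACI would show up as that attribute being returned), and replicated servers must hold the same entries under the CRL suffix. It assumes the OpenLDAP client tools (ldapsearch) are installed, uses the suffix and port from this page, and takes the server host names as arguments; the function names (anon_search, check_anon_access, check_replicas_match) are this example's own.

```shell
#!/bin/sh
# check_crl_db.sh: post-setup checks for a shared CRL database in LDAP.
# Example added to this page; not part of the PKI project. Assumes the
# OpenLDAP client tools (ldapsearch) are installed and that CRL_SUFFIX and
# LDAP_PORT match the setup on this page. Host names come from the command
# line, e.g.:  ./check_crl_db.sh primaryds.example.com secondaryds.example.com

CRL_SUFFIX="dc=crl,dc=pki,dc=example,dc=com"
LDAP_PORT=389

# Anonymous search under CRL_SUFFIX on host $1 with scope $2 (base|sub);
# remaining arguments are the attributes to request. No -D/-w is passed,
# so this is exactly what an unauthenticated CA/OCSP client would see.
anon_search() {
  as_host="$1"; as_scope="$2"; shift 2
  ldapsearch -LLL -H "ldap://$as_host:$LDAP_PORT" -x \
    -b "$CRL_SUFFIX" -s "$as_scope" "$@" 2>/dev/null
}

# Return 0 when host $1 serves the base entry anonymously and withholds the
# attributes the ACI excludes (userPassword, aci); print a one-line verdict.
check_anon_access() {
  out=$(anon_search "$1" base userPassword aci) || {
    echo "$1: anonymous search failed (backend, base entry or ACI missing?)"
    return 1
  }
  if ! printf '%s\n' "$out" | grep -qi "^dn: $CRL_SUFFIX\$"; then
    echo "$1: base entry $CRL_SUFFIX not returned"
    return 1
  fi
  if printf '%s\n' "$out" | grep -qiE '^(userPassword|aci):'; then
    echo "$1: ACI exposes userPassword or aci to anonymous clients"
    return 1
  fi
  echo "$1: anonymous read OK"
}

# Return 0 when the subtree under CRL_SUFFIX is identical (line order
# ignored) on hosts $1 and $2, i.e. the two replicas have converged.
check_replicas_match() {
  rm_a=$(anon_search "$1" sub | sort)
  rm_b=$(anon_search "$2" sub | sort)
  if [ -z "$rm_a" ] || [ "$rm_a" != "$rm_b" ]; then
    echo "$1 and $2: CRL databases differ (replication lagging or broken)"
    return 1
  fi
  echo "$1 and $2: CRL databases match"
}

# Check every host given on the command line, then compare each one with
# the first. Exit status is non-zero if any check failed.
status=0
first=""
for host in "$@"; do
  check_anon_access "$host" || status=1
  if [ -z "$first" ]; then
    first="$host"
  else
    check_replicas_match "$first" "$host" || status=1
  fi
done
if [ $# -gt 0 ]; then
  exit $status
fi
```

Run it against every server that carries the CRL database (the primary and each replica); a non-zero exit means either an ACI problem on one server or a replica that has not converged, and the printed verdict says which.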