RFE: test CRL publishing is working #329
Comments
I guess I'd want to see what the outcome of https://pagure.io/freeipa/issue/9505 is first. If there is or can be some fundamental issue in generating the CRL then it's something we should check.
The findings are that we need a check to ensure that the CRL generator server either has ca.certStatusUpdateInterval not present or greater than zero. The default is 600 seconds. If it is 0 then the cert status is not updated on this server. I imagine but didn't validate that a negative value would not be ideal.
Oh and additionally require that ca.certStatusUpdateInterval=0 on non-CRL generators. The reason being avoiding replication conflicts.
Unless I've missed something there doesn't seem to be a health check for CRL publishing.
This would:
- https://$HOSTNAME and obtain TLS server certificate
- `openssl x509 -in foo.crt -ext crlDistributionPoints -noout`
- http://ipa-ca.$suffix/ipa/crl/MasterCRL.bin
- $HOSTNAME
- `openssl crl -in MasterCRL.bin -inform der -CAfile /etc/ipa/ca.crt -noout -lastupdate -nextupdate`
- `ca.certStatusUpdateInterval` in `/etc/pki/pki-tomcat/ca/CS.cfg` is consistent with the server's status as a CRL generator (https://issues.redhat.com/browse/RHEL-30280)

I'll implement if you think that sounds useful.
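A stand-alone sketch of the checks proposed in this issue, covering both the CRL DP / `openssl crl` steps listed above and the ca.certStatusUpdateInterval rules from the earlier comments (absent or > 0 on the CRL generator, exactly 0 everywhere else). This is an added example, not code from freeipa-healthcheck. It assumes the CRL-generator role can be read from the CS.cfg flag ca.crl.MasterCRL.enableCRLUpdates (the one ipa-crlgen-manage toggles), and it consumes the text output of the two openssl commands rather than shelling out; the CS.cfg fragments and openssl output embedded in it are constructed samples.

```python
"""Stand-alone sketch of the CRL-publishing checks proposed in this issue.
The CS.cfg fragments and openssl output below are constructed samples."""
import re
from datetime import datetime, timezone

DEFAULT_INTERVAL = 600                   # pki-tomcat default when the key is absent
INTERVAL_KEY = "ca.certStatusUpdateInterval"
# Assumption: generator role is read from the CS.cfg flag ipa-crlgen-manage toggles.
GENERATOR_FLAG = "ca.crl.MasterCRL.enableCRLUpdates"
OPENSSL_TIME = "%b %d %H:%M:%S %Y GMT"   # format of the -lastupdate/-nextupdate lines


def utc(year, month, day, hour=0):
    return datetime(year, month, day, hour, tzinfo=timezone.utc)


def parse_cs_cfg(text):
    """Parse the key=value lines of /etc/pki/pki-tomcat/ca/CS.cfg."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            cfg[key.strip()] = value.strip()
    return cfg


def is_crl_generator(cfg):
    return cfg.get(GENERATOR_FLAG, "false").lower() == "true"


def check_cert_status_interval(cfg):
    """Generator: key absent or > 0. Every other CA: exactly 0, or replication conflicts follow."""
    raw = cfg.get(INTERVAL_KEY)
    try:
        interval = DEFAULT_INTERVAL if raw is None else int(raw)
    except ValueError:
        return [f"{INTERVAL_KEY}={raw!r} is not an integer"]
    if interval < 0:
        return [f"{INTERVAL_KEY}={interval} is negative"]
    if is_crl_generator(cfg):
        if interval == 0:
            return [f"CRL generator has {INTERVAL_KEY}=0; cert status is never updated here"]
    elif interval != 0:
        origin = "absent, defaulting to" if raw is None else "set to"
        return [f"non-generator has {INTERVAL_KEY} {origin} {interval}; it must be 0"]
    return []


def check_crl_dp(x509_output, suffix):
    """The CRL DP printed by `openssl x509 -ext crlDistributionPoints` must be the ipa-ca URL."""
    expected = f"http://ipa-ca.{suffix}/ipa/crl/MasterCRL.bin"
    uris = re.findall(r"URI:(\S+)", x509_output)
    if not uris:
        return ["certificate carries no CRL distribution point URI"]
    if expected not in uris:
        return [f"CRL DP {uris} does not include {expected}"]
    return []


def check_crl_freshness(crl_output, now):
    """Judge the CRL by the lastUpdate=/nextUpdate= lines `openssl crl` prints."""
    dates = {}
    for line in crl_output.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key in ("lastUpdate", "nextUpdate"):
            dates[key] = datetime.strptime(value.strip(), OPENSSL_TIME).replace(tzinfo=timezone.utc)
    last, nxt = dates.get("lastUpdate"), dates.get("nextUpdate")
    if last is None:
        return ["could not parse lastUpdate from openssl output"]
    findings = []
    if last > now:
        findings.append(f"CRL lastUpdate {last:%Y-%m-%d %H:%M} is in the future")
    if nxt is None:
        findings.append("CRL has no nextUpdate")
    elif nxt < now:
        findings.append(f"CRL went stale at nextUpdate {nxt:%Y-%m-%d %H:%M}")
    return findings


# Constructed sample input standing in for the files and command output a real check reads.
GENERATOR_CFG = "ca.crl.MasterCRL.enableCRLUpdates=true\nca.certStatusUpdateInterval=600\n"
CLONE_CFG = "ca.crl.MasterCRL.enableCRLUpdates=false\n"   # interval absent, so 600 applies
X509_OUT = "X509v3 CRL Distribution Points:\n    Full Name:\n      URI:http://ipa-ca.example.test/ipa/crl/MasterCRL.bin\n"
CRL_OUT = "lastUpdate=Mar  1 12:00:00 2024 GMT\nnextUpdate=Mar  1 16:00:00 2024 GMT\n"


def run_all(now=None):
    """Run every check over the sample input and return the combined findings."""
    now = now or datetime.now(timezone.utc)
    return (check_cert_status_interval(parse_cs_cfg(GENERATOR_CFG))
            + check_cert_status_interval(parse_cs_cfg(CLONE_CFG))
            + check_crl_dp(X509_OUT, "example.test")
            + check_crl_freshness(CRL_OUT, now))


if __name__ == "__main__":
    for finding in run_all() or ["all CRL checks passed"]:
        print(finding)
```

Run as-is, the sample CRL from 2024 is reported stale and the clone with the interval left at its default is flagged, which is exactly the pair of conditions the comments above describe; the generator fragment and the matching CRL DP pass. In a real check the inputs would come from reading CS.cfg and running the two openssl commands against the certificate and the fetched MasterCRL.bin.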