Oh, I see:
There are a couple of alternatives, but the way the server works right now
is to only allow the Master to publish:
1. Publish to LDAP instead?
2. Have some sort of file watcher on the master and push out updates to the other hosts,
maybe.
----- Original Message -----
From: "Aleksey Chudov" <aleksey.chudov(a)gmail.com>
To: "John Magne" <jmagne(a)redhat.com>
Cc: pki-users(a)redhat.com
Sent: Wednesday, September 2, 2015 2:07:20 PM
Subject: Re: [Pki-users] CRL to file publishing on Clone CA
To make it clear, I have to tell a bit more about my CA scheme.
I have three servers, Master CA + two Clone CAs. All three servers have
their own DNS names and also a shared DNS name
ca.local.mycompany.com. So,
ca.local.mycompany.com resolves to three IP addresses for load sharing and
high availability.
All CA-enrolled certificates contain the extensions
X509v3 CRL Distribution Points:
    Full Name:
      URI:http://ca.local.mycompany.com/crl/MasterCRL.crl
Authority Information Access:
    OCSP - URI:http://ca.local.mycompany.com/ca/ocsp
There are no problems with OCSP. It works out of the box.
The http://ca.local.mycompany.com/crl/ URL internally points to a
local directory on all three servers:
# grep -A1 crl /etc/pki/pki-tomcat/server.xml
<Context path="/crl"
docBase="/var/lib/pki/pki-tomcat/webapps/crl"
allowLinking="true"/>
I need the CRL file to be available on all three servers for the
http://ca.local.mycompany.com/crl/MasterCRL.crl URL to work. So, I have
configured CRL publishing to file in the /var/lib/pki/pki-tomcat/webapps/crl
directory on all three servers. But only the Master CA actually publishes CRLs.
Is there a way to publish CRLs to file on a Clone CA, or should I sync the
/var/lib/pki/pki-tomcat/webapps/crl directory from the Master CA?
On Wed, Sep 2, 2015 at 10:17 PM, John Magne <jmagne(a)redhat.com> wrote:
> Hi:
>
> I'm not sure what you are trying to accomplish.
> The way we have it now, only the master publishes anywhere.
>
>
> Is the concern over the internal OCSP of the cloned CAs,
> or are you publishing to some external OCSP responders?
> If you are worried about the internal OCSPs of the clones,
> they should give the correct answers about a given cert through
> replication.
>
> If there is something else desired, let us know.
>
> thanks,
> jack
>
>
>
> ----- Original Message -----
> > From: "Aleksey Chudov" <aleksey.chudov(a)gmail.com>
> > To: pki-users(a)redhat.com
> > Sent: Wednesday, September 2, 2015 5:04:59 AM
> > Subject: [Pki-users] CRL to file publishing on Clone CA
> >
> > Hi,
> >
> > I have configured the same rules for CRL publishing on the Master CA and two
> > Clone CAs:
> >
> > +ca.publish.enable=true
> > +ca.publish.ldappublish.enable=false
> > +ca.publish.publisher.instance.FileCrlPublisher.Filename.b64=false
> > +ca.publish.publisher.instance.FileCrlPublisher.Filename.der=true
> > +ca.publish.publisher.instance.FileCrlPublisher.crlLinkExt=crl
> > +ca.publish.publisher.instance.FileCrlPublisher.directory=/var/lib/pki/pki-tomcat/webapps/crl
> > +ca.publish.publisher.instance.FileCrlPublisher.latestCrlLink=true
> > +ca.publish.publisher.instance.FileCrlPublisher.pluginName=FileBasedPublisher
> > +ca.publish.publisher.instance.FileCrlPublisher.timeStamp=LocalTime
> > +ca.publish.publisher.instance.FileCrlPublisher.zipCRLs=false
> > +ca.publish.publisher.instance.FileCrlPublisher.zipLevel=9
> > +ca.publish.rule.instance.FileCrlRule.enable=true
> > +ca.publish.rule.instance.FileCrlRule.mapper=NoMap
> > +ca.publish.rule.instance.FileCrlRule.pluginName=Rule
> > +ca.publish.rule.instance.FileCrlRule.predicate=
> > +ca.publish.rule.instance.FileCrlRule.publisher=FileCrlPublisher
> > +ca.publish.rule.instance.FileCrlRule.type=crl
> >
> > But only the Master CA publishes CRLs to the /var/lib/pki/pki-tomcat/webapps/crl
> > directory.
> >
> > According to the documentation
> > https://access.redhat.com/documentation/en-US/Red_Hat_Certificate_System/...
> > , only one replicated CA can generate, cache, and publish CRLs.
> >
> > What are the best practices for publishing CRLs on a Clone CA? Should I just
> > sync the CRL directory on both clones from the master, or is there a better
> > approach?
> >
> > Aleksey
> >
> > _______________________________________________
> > Pki-users mailing list
> > Pki-users(a)redhat.com
> > https://www.redhat.com/mailman/listinfo/pki-users
>
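The thread leaves two options: publish somewhere other than a local file, or copy the master's published CRL file to the clones. Because ca.local.mycompany.com round-robins across all three hosts, a client fetching http://ca.local.mycompany.com/crl/MasterCRL.crl gets whichever copy the host it landed on currently has, so whatever sync mechanism you choose needs a check that every host serves the same, not-yet-expired CRL. The following is an added example for that check, not code from the thread, from Dogtag or from Red Hat Certificate System: it reads thisUpdate and nextUpdate out of a DER CertificateList with a minimal parser and compares what each host serves against the master. The per-host names ca1/ca2/ca3.local.mycompany.com and the CRL bytes are constructed for the demo (the thread only says each server has its own DNS name); in real use you would fetch the CRL URL from each server's own address and pass the response bodies in.

```python
"""Freshness and consistency check for a CRL served from several hosts.

Added example for the thread above; not code from the list, Dogtag or RHCS.
The parser reads only the CertificateList header (thisUpdate/nextUpdate);
it does not verify the signature.  Hostnames and CRL bytes are constructed."""
import hashlib
from datetime import datetime, timezone


def _tlv(data, pos=0):
    """Read one DER TLV at pos; return (tag, value, position after it)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                        # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length


def _time(tag, value):
    """Decode UTCTime (0x17, YYMMDDhhmmssZ) or GeneralizedTime (0x18)."""
    text = value.decode("ascii")
    if tag == 0x17:                          # two-digit year, RFC 5280 4.1.2.5.1
        yy = int(text[:2])
        text = str(yy + (1900 if yy >= 50 else 2000)) + text[2:]
    return datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def crl_validity(der):
    """Return (thisUpdate, nextUpdate or None) from a DER CertificateList."""
    tag, cert_list, _ = _tlv(der)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, tbs, _ = _tlv(cert_list)              # tbsCertList
    pos = 0
    tag, _, nxt = _tlv(tbs, pos)
    if tag == 0x02:                          # optional version (v2 CRLs)
        pos = nxt
    _, _, pos = _tlv(tbs, pos)               # signature AlgorithmIdentifier
    _, _, pos = _tlv(tbs, pos)               # issuer Name
    tag, val, pos = _tlv(tbs, pos)           # thisUpdate
    this_update, next_update = _time(tag, val), None
    if pos < len(tbs):
        tag, val, _ = _tlv(tbs, pos)
        if tag in (0x17, 0x18):              # nextUpdate is OPTIONAL
            next_update = _time(tag, val)
    return this_update, next_update


def check_hosts(served, master, now):
    """served: host -> DER bytes that host returned for the CRL URL.
    Returns host -> 'ok' | 'stale' | 'future-dated' | 'differs-from-master'."""
    digests = {h: hashlib.sha256(d).hexdigest() for h, d in served.items()}
    verdict = {}
    for host, der in served.items():
        this_update, next_update = crl_validity(der)
        if next_update is not None and now > next_update:
            verdict[host] = "stale"          # sync lagged past nextUpdate
        elif this_update > now:
            verdict[host] = "future-dated"   # clock skew or wrong file
        elif digests[host] != digests[master]:
            verdict[host] = "differs-from-master"
        else:
            verdict[host] = "ok"
    return verdict


# --- constructed demo data: a minimal, UNSIGNED CRL (only the header matters) ---
def _der(tag, payload):
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload


def make_crl(this_update, next_update):
    alg = _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d01010b")) + _der(0x05, b""))
    cn = _der(0x30, _der(0x06, bytes.fromhex("550403")) + _der(0x13, b"Demo CA"))
    issuer = _der(0x30, _der(0x31, cn))
    tbs = _der(0x30, _der(0x02, b"\x01") + alg + issuer
               + _der(0x17, this_update.encode()) + _der(0x17, next_update.encode()))
    return _der(0x30, tbs + alg + _der(0x03, b"\x00" * 9))   # dummy signature


NOW = datetime(2015, 9, 2, 14, 0, tzinfo=timezone.utc)
FRESH = make_crl("150902120000Z", "150903120000Z")
STALE = make_crl("150901120000Z", "150902120000Z")       # nextUpdate already passed
SERVED = {                                               # hostnames are assumed
    "ca1.local.mycompany.com": FRESH,                    # master, publishes itself
    "ca2.local.mycompany.com": FRESH,                    # clone, synced copy
    "ca3.local.mycompany.com": STALE,                    # clone, sync lagging
}

if __name__ == "__main__":
    for host, state in check_hosts(SERVED, "ca1.local.mycompany.com", NOW).items():
        print(f"{host}: {state}")
```

The check deliberately compares file digests rather than just dates, so a clone that serves an older but still-valid CRL is reported as differing from the master, which is the case a lagging sync produces first. It does not verify the CRL signature; keep doing that separately against the CA certificate (for example with openssl crl -noout -CAfile), since a consistency check alone will not catch a tampered file that was copied faithfully to all three hosts.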