Actually I do not like the idea of directory synchronization by using some
third-party script. So, I found an alternative solution instead of
publishing the CRL to a file.
My PKI CA subsystem listens on the default ports 8080 and 8443. And I use Apache
mod_proxy to make the PKI CA available on the standard ports 80 and 443.
All I have to do is add a bit of Apache mod_rewrite magic:
RewriteEngine on
RewriteRule "^/crl/MasterCRL.crl$" "/ca/ee/ca/getCRL?crlIssuingPoint=MasterCRL&op=getCRL" [L,NC,PT]
It works the same for the master and clones without the need for publishing.
Thanks for your reminder of the availability of alternatives :)
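A way to confirm that every node behind the shared name really serves a usable CRL once the rewrite rule is in place. This is an added example, not code from this thread or from the PKI project: the hostname ca.local.mycompany.com and the /crl/MasterCRL.crl path are taken from the thread, while the node addresses, the function names and the throwaway test CA it builds for offline use are assumptions made for the example. It relies on curl --resolve to pin one request to each node while still asking for the shared name, and on openssl verify -crl_check, which validates the CRL signature and its thisUpdate/nextUpdate window, so a clone that quietly serves a stale or foreign CRL is caught rather than trusted.

```shell
#!/bin/sh
# Added example, not code from the pki-users thread. Checks that the CRL a CA
# node serves at /crl/MasterCRL.crl is signed by the expected CA and is not
# past its nextUpdate. Hostname and path come from the thread; the node IPs,
# the helper names and the throwaway test CA are constructed for this example.

# fetch_node_crl NODE_IP OUTFILE
#   Downloads the CRL through the shared name but pins the TCP connection to
#   one node, so each node's Apache -> mod_rewrite -> getCRL path is exercised
#   instead of whichever address round-robin DNS happens to return.
fetch_node_crl() {
    curl -sSf --resolve "ca.local.mycompany.com:80:$1" \
        -o "$2" "http://ca.local.mycompany.com/crl/MasterCRL.crl"
}

# check_crl DER_CRL CA_CERT [EPOCH]
#   The FileBasedPublisher with Filename.der=true writes DER, so the file is
#   converted to PEM first. openssl verify -crl_check then validates the CRL's
#   signature and its thisUpdate/nextUpdate window while verifying the CA
#   certificate itself; an optional epoch is passed as -attime so validity can
#   be evaluated as of another moment (used below to prove a stale CRL fails).
#   Returns 0 when the CRL is acceptable, 1 otherwise.
check_crl() {
    crl_der=$1; ca_cert=$2; at_time=${3:-}
    pem=$(mktemp) || return 1
    if ! openssl crl -inform DER -in "$crl_der" -out "$pem" 2>/dev/null; then
        echo "check_crl: $crl_der is not a DER CRL" >&2
        rm -f "$pem"; return 1
    fi
    set -- -crl_check -CAfile "$ca_cert" -CRLfile "$pem"
    if [ -n "$at_time" ]; then
        set -- "$@" -attime "$at_time"
    fi
    if openssl verify "$@" "$ca_cert" >/dev/null 2>&1; then
        rm -f "$pem"; return 0
    fi
    rm -f "$pem"; return 1
}

# make_test_ca DIR
#   Constructed stand-in for the real CA so the check can run offline: a
#   self-signed CA valid for 30 days and a one-day CRL written as DER under
#   DIR/MasterCRL.crl, mirroring the file the publisher would produce.
make_test_ca() (
    cd "$1" || exit 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Test CA" \
        -keyout ca.key -out ca.crt >/dev/null 2>&1 || exit 1
    cat > ca.cnf <<'EOF'
[ ca ]
default_ca = test_ca
[ test_ca ]
database = index.txt
crlnumber = crlnumber
certificate = ca.crt
private_key = ca.key
default_md = sha256
default_crl_days = 1
EOF
    : > index.txt
    echo 01 > crlnumber
    openssl ca -config ca.cnf -gencrl -out crl.pem >/dev/null 2>&1 || exit 1
    openssl crl -in crl.pem -outform DER -out MasterCRL.crl >/dev/null 2>&1
)

# selftest
#   Builds the throwaway CA, expects the fresh CRL to pass now and to fail when
#   evaluated three days ahead (CRL expired, CA certificate still valid).
selftest() {
    dir=$(mktemp -d) || return 1
    make_test_ca "$dir" || return 1
    check_crl "$dir/MasterCRL.crl" "$dir/ca.crt" || return 1
    later=$(( $(date +%s) + 3 * 86400 ))
    if check_crl "$dir/MasterCRL.crl" "$dir/ca.crt" "$later"; then
        return 1
    fi
    rm -rf "$dir"
    return 0
}

# Usage against the real nodes (constructed addresses, ca.crt = the CA's cert):
#   for ip in 192.0.2.11 192.0.2.12 192.0.2.13; do
#       fetch_node_crl "$ip" "/tmp/crl-$ip.der" \
#           && check_crl "/tmp/crl-$ip.der" ca.crt \
#           && echo "$ip: CRL OK" || echo "$ip: CRL FAILED"
#   done
```

Run the loop from a cron job or a monitoring check: a node whose rewrite or proxy is broken returns an HTML error page instead of DER and fails the conversion step, and a node that keeps serving an old CRL fails the nextUpdate check as soon as the master has moved on.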
On Thu, Sep 3, 2015 at 3:01 AM, John Magne <jmagne(a)redhat.com> wrote:
Oh I see:
There are a couple of alternatives, but the way the server works right now
is to only allow the Master to publish:
1. Publish to ldap instead?
2. Have some sort of file watcher on the master and push out updates to
the other hosts maybe.
----- Original Message -----
> From: "Aleksey Chudov" <aleksey.chudov(a)gmail.com>
> To: "John Magne" <jmagne(a)redhat.com>
> Cc: pki-users(a)redhat.com
> Sent: Wednesday, September 2, 2015 2:07:20 PM
> Subject: Re: [Pki-users] CRL to file publishing on Clone CA
>
> To make it clear I have to tell a bit more about my CA scheme.
>
> I have three servers, Master CA + two Clone CAs. All three servers have
> their own DNS names and also a shared DNS name ca.local.mycompany.com. So,
> ca.local.mycompany.com resolves to three IP addresses for load sharing and
> high availability.
>
> All CA-enrolled certificates contain the extensions
>
> X509v3 CRL Distribution Points:
>   Full Name:
>     URI:http://ca.local.mycompany.com/crl/MasterCRL.crl
>
> Authority Information Access:
>   OCSP - URI:http://ca.local.mycompany.com/ca/ocsp
>
>
> There are no problems with OCSP. It works out of the box.
>
> The http://ca.local.mycompany.com/crl/ URL internally points to a local
> directory on all three servers
>
> # grep -A1 crl /etc/pki/pki-tomcat/server.xml
> <Context path="/crl"
> docBase="/var/lib/pki/pki-tomcat/webapps/crl"
> allowLinking="true"/>
>
> I need the CRL file to be available on all three servers for the
> http://ca.local.mycompany.com/crl/MasterCRL.crl URL to work. So, I have
> configured CRL publishing to file in the /var/lib/pki/pki-tomcat/webapps/crl
> directory on all three servers. But only the Master CA actually publishes
> CRLs.
>
> Is there a way to publish CRLs to file on a Clone CA, or should I sync the
> /var/lib/pki/pki-tomcat/webapps/crl directory from the Master CA?
>
> On Wed, Sep 2, 2015 at 10:17 PM, John Magne <jmagne(a)redhat.com> wrote:
>
> > Hi:
> >
> > I'm not sure what you are trying to accomplish.
> > The way we have it now, only the master publishes anywhere.
> >
> >
> > Is the concern over the internal OCSP of the cloned CAs,
> > or are you publishing to some external OCSP responders?
> > If you are worried about the internal OCSPs of the clones,
> > they should give the correct answers about a given cert through
> > replication.
> >
> > If there is something else desired, let us know.
> >
> > thanks,
> > jack
> >
> >
> >
> > ----- Original Message -----
> > > From: "Aleksey Chudov" <aleksey.chudov(a)gmail.com>
> > > To: pki-users(a)redhat.com
> > > Sent: Wednesday, September 2, 2015 5:04:59 AM
> > > Subject: [Pki-users] CRL to file publishing on Clone CA
> > >
> > > Hi,
> > >
> > > I have configured the same rules for CRL publishing on the Master CA and
> > > two Clone CAs:
> > >
> > > +ca.publish.enable=true
> > > +ca.publish.ldappublish.enable=false
> > > +ca.publish.publisher.instance.FileCrlPublisher.Filename.b64=false
> > > +ca.publish.publisher.instance.FileCrlPublisher.Filename.der=true
> > > +ca.publish.publisher.instance.FileCrlPublisher.crlLinkExt=crl
> > > +ca.publish.publisher.instance.FileCrlPublisher.directory=/var/lib/pki/pki-tomcat/webapps/crl
> > > +ca.publish.publisher.instance.FileCrlPublisher.latestCrlLink=true
> > > +ca.publish.publisher.instance.FileCrlPublisher.pluginName=FileBasedPublisher
> > > +ca.publish.publisher.instance.FileCrlPublisher.timeStamp=LocalTime
> > > +ca.publish.publisher.instance.FileCrlPublisher.zipCRLs=false
> > > +ca.publish.publisher.instance.FileCrlPublisher.zipLevel=9
> > > +ca.publish.rule.instance.FileCrlRule.enable=true
> > > +ca.publish.rule.instance.FileCrlRule.mapper=NoMap
> > > +ca.publish.rule.instance.FileCrlRule.pluginName=Rule
> > > +ca.publish.rule.instance.FileCrlRule.predicate=
> > > +ca.publish.rule.instance.FileCrlRule.publisher=FileCrlPublisher
> > > +ca.publish.rule.instance.FileCrlRule.type=crl
> > >
> > > But only the Master CA publishes CRLs to the
> > > /var/lib/pki/pki-tomcat/webapps/crl directory.
> > >
> > > According to the documentation
> > > (https://access.redhat.com/documentation/en-US/Red_Hat_Certificate_System/...),
> > > only one replicated CA can generate, cache, and publish CRLs.
> > >
> > > What are the best practices for publishing CRLs on a Clone CA? Should I
> > > just sync the CRL directory on both clones from the master, or is there a
> > > better approach?
> > >
> > > Aleksey
> > >
> > > _______________________________________________
> > > Pki-users mailing list
> > > Pki-users(a)redhat.com
> > > https://www.redhat.com/mailman/listinfo/pki-users