7:04 a.m.
Hi,
I have configured the same rules for CRL publishing on Master CA and two
Clone CAs
+ca.publish.enable=true
+ca.publish.ldappublish.enable=false
+ca.publish.publisher.instance.FileCrlPublisher.Filename.b64=false
+ca.publish.publisher.instance.FileCrlPublisher.Filename.der=true
+ca.publish.publisher.instance.FileCrlPublisher.crlLinkExt=crl
+ca.publish.publisher.instance.FileCrlPublisher.directory=/var/lib/pki/pki-tomcat/webapps/crl
+ca.publish.publisher.instance.FileCrlPublisher.latestCrlLink=true
+ca.publish.publisher.instance.FileCrlPublisher.pluginName=FileBasedPublisher
+ca.publish.publisher.instance.FileCrlPublisher.timeStamp=LocalTime
+ca.publish.publisher.instance.FileCrlPublisher.zipCRLs=false
+ca.publish.publisher.instance.FileCrlPublisher.zipLevel=9
+ca.publish.rule.instance.FileCrlRule.enable=true
+ca.publish.rule.instance.FileCrlRule.mapper=NoMap
+ca.publish.rule.instance.FileCrlRule.pluginName=Rule
+ca.publish.rule.instance.FileCrlRule.predicate=
+ca.publish.rule.instance.FileCrlRule.publisher=FileCrlPublisher
+ca.publish.rule.instance.FileCrlRule.type=crl
But only Master CA publishes CRLs to /var/lib/pki/pki-tomcat/webapps/crl
directory.
According to documentation
https://access.redhat.com/documentation/en-US/Red_Hat_Certificate_System/...,
only one replicated CA can generate, cache, and publish CRLs.
What are the best practices of publishing CRLs on Clone CA? Should I just
sync CRL directory on both clones from master, or is there a better
approach?
Aleksey
2:17 p.m.
Hi:
I'm not sure what are try to accomplish.
The way we have it now, only the master publishes anywhere.
Is the concern over the internal OCSP of the cloned CA's
or are you publishing to some external OSCP responders?
If you are worried about the internal OCSP's of the clones,
they should give the correct answers about a given cert through replication.
If there is something else desired, let us know.
thanks,
jack
----- Original Message -----
From: "Aleksey Chudov" <aleksey.chudov(a)gmail.com>
To: pki-users(a)redhat.com
Sent: Wednesday, September 2, 2015 5:04:59 AM
Subject: [Pki-users] CRL to file publishing on Clone CA
Hi,
I have configured the same rules for CRL publishing on Master CA and two
Clone CAs
+ca.publish.enable=true
+ca.publish.ldappublish.enable=false
+ca.publish.publisher.instance.FileCrlPublisher.Filename.b64=false
+ca.publish.publisher.instance.FileCrlPublisher.Filename.der=true
+ca.publish.publisher.instance.FileCrlPublisher.crlLinkExt=crl
+ca.publish.publisher.instance.FileCrlPublisher.directory=/var/lib/pki/pki-tomcat/webapps/crl
+ca.publish.publisher.instance.FileCrlPublisher.latestCrlLink=true
+ca.publish.publisher.instance.FileCrlPublisher.pluginName=FileBasedPublisher
+ca.publish.publisher.instance.FileCrlPublisher.timeStamp=LocalTime
+ca.publish.publisher.instance.FileCrlPublisher.zipCRLs=false
+ca.publish.publisher.instance.FileCrlPublisher.zipLevel=9
+ca.publish.rule.instance.FileCrlRule.enable=true
+ca.publish.rule.instance.FileCrlRule.mapper=NoMap
+ca.publish.rule.instance.FileCrlRule.pluginName=Rule
+ca.publish.rule.instance.FileCrlRule.predicate=
+ca.publish.rule.instance.FileCrlRule.publisher=FileCrlPublisher
+ca.publish.rule.instance.FileCrlRule.type=crl
But only Master CA publishes CRLs to /var/lib/pki/pki-tomcat/webapps/crl
directory.
According to documentation
https://access.redhat.com/documentation/en-US/Red_Hat_Certificate_System/...
, only one replicated CA can generate, cache, and publish CRLs.
What are the best practices of publishing CRLs on Clone CA? Should I just
sync CRL directory on both clones from master, or is there a better
approach?
Aleksey
_______________________________________________
Pki-users mailing list
Pki-users(a)redhat.com
https://www.redhat.com/mailman/listinfo/pki-users
4:07 p.m.
To make it clear I have to tell a bit more about my CA scheme.
I have three servers, Master CA + two Clone CAs. All three servers have
their own DNS names and also shared DNS name ca.local.mycompany.com. So,
ca.local.mycompany.com resolves to three ip addresses for load sharing and
high availability.
All CA enrolled certificates contains extensions
X509v3 CRL Distribution Points:
Full Name:
URI:http://ca.local.mycompany.com/crl/MasterCRL.crl
Authority Information Access:
OCSP - URI:http://ca.local.mycompany.com
<http://ca.local.mycompany.com/crl/MasterCRL.crl>/ca/ocsp
<http://ca.service.local.odkl.ru/ca/ocsp>
There is no problems with OCSP. It works out of the box.
http://ca.local.mycompany.com/crl/
<http://ca.local.mycompany.com/crl/MasterCRL.crl> URL internally points to
local directory on all three servers
# grep -A1 crl /etc/pki/pki-tomcat/server.xml
<Context path="/crl"
docBase="/var/lib/pki/pki-tomcat/webapps/crl"
allowLinking="true"/>
I need the CRL file to be available on all three servers for
http://ca.local.mycompany.com/crl/MasterCRL.crl URL to work. So, I have
configured CRL publishing to file in /var/lib/pki/pki-tomcat/webapps/crl
directory on all three servers. But only Master CA actually publishes CRLs.
Is there a way to publish CRLs to file on Clone CA or I should sync
/var/lib/pki/pki-tomcat/webapps/crl directory from Master CA?
On Wed, Sep 2, 2015 at 10:17 PM, John Magne <jmagne(a)redhat.com> wrote:
Hi:
I'm not sure what are try to accomplish.
The way we have it now, only the master publishes anywhere.
Is the concern over the internal OCSP of the cloned CA's
or are you publishing to some external OSCP responders?
If you are worried about the internal OCSP's of the clones,
they should give the correct answers about a given cert through
replication.
If there is something else desired, let us know.
thanks,
jack
----- Original Message -----
> From: "Aleksey Chudov" <aleksey.chudov(a)gmail.com>
> To: pki-users(a)redhat.com
> Sent: Wednesday, September 2, 2015 5:04:59 AM
> Subject: [Pki-users] CRL to file publishing on Clone CA
>
> Hi,
>
> I have configured the same rules for CRL publishing on Master CA and two
> Clone CAs
>
> +ca.publish.enable=true
> +ca.publish.ldappublish.enable=false
> +ca.publish.publisher.instance.FileCrlPublisher.Filename.b64=false
> +ca.publish.publisher.instance.FileCrlPublisher.Filename.der=true
> +ca.publish.publisher.instance.FileCrlPublisher.crlLinkExt=crl
>
+ca.publish.publisher.instance.FileCrlPublisher.directory=/var/lib/pki/pki-tomcat/webapps/crl
> +ca.publish.publisher.instance.FileCrlPublisher.latestCrlLink=true
>
+ca.publish.publisher.instance.FileCrlPublisher.pluginName=FileBasedPublisher
> +ca.publish.publisher.instance.FileCrlPublisher.timeStamp=LocalTime
> +ca.publish.publisher.instance.FileCrlPublisher.zipCRLs=false
> +ca.publish.publisher.instance.FileCrlPublisher.zipLevel=9
> +ca.publish.rule.instance.FileCrlRule.enable=true
> +ca.publish.rule.instance.FileCrlRule.mapper=NoMap
> +ca.publish.rule.instance.FileCrlRule.pluginName=Rule
> +ca.publish.rule.instance.FileCrlRule.predicate=
> +ca.publish.rule.instance.FileCrlRule.publisher=FileCrlPublisher
> +ca.publish.rule.instance.FileCrlRule.type=crl
>
> But only Master CA publishes CRLs to /var/lib/pki/pki-tomcat/webapps/crl
> directory.
>
> According to documentation
>
https://access.redhat.com/documentation/en-US/Red_Hat_Certificate_System/...
> , only one replicated CA can generate, cache, and publish CRLs.
>
> What are the best practices of publishing CRLs on Clone CA? Should I just
> sync CRL directory on both clones from master, or is there a better
> approach?
>
> Aleksey
>
> _______________________________________________
> Pki-users mailing list
> Pki-users(a)redhat.com
> https://www.redhat.com/mailman/listinfo/pki-users
7:01 p.m.
Oh I see:
There are a couple of alternatives, but the way the server works right now
is to only allow the Master to publish:
1. Publish to ldap instead?
2. Have some sort of file watcher on the master and push out updates to the other hosts
maybe.
----- Original Message -----
From: "Aleksey Chudov" <aleksey.chudov(a)gmail.com>
To: "John Magne" <jmagne(a)redhat.com>
Cc: pki-users(a)redhat.com
Sent: Wednesday, September 2, 2015 2:07:20 PM
Subject: Re: [Pki-users] CRL to file publishing on Clone CA
To make it clear I have to tell a bit more about my CA scheme.
I have three servers, Master CA + two Clone CAs. All three servers have
their own DNS names and also shared DNS name ca.local.mycompany.com. So,
ca.local.mycompany.com resolves to three ip addresses for load sharing and
high availability.
All CA enrolled certificates contains extensions
X509v3 CRL Distribution Points:
Full Name:
URI:http://ca.local.mycompany.com/crl/MasterCRL.crl
Authority Information Access:
OCSP - URI:http://ca.local.mycompany.com
<http://ca.local.mycompany.com/crl/MasterCRL.crl>/ca/ocsp
<http://ca.service.local.odkl.ru/ca/ocsp>
There is no problems with OCSP. It works out of the box.
http://ca.local.mycompany.com/crl/
<http://ca.local.mycompany.com/crl/MasterCRL.crl> URL internally points to
local directory on all three servers
# grep -A1 crl /etc/pki/pki-tomcat/server.xml
<Context path="/crl"
docBase="/var/lib/pki/pki-tomcat/webapps/crl"
allowLinking="true"/>
I need the CRL file to be available on all three servers for
http://ca.local.mycompany.com/crl/MasterCRL.crl URL to work. So, I have
configured CRL publishing to file in /var/lib/pki/pki-tomcat/webapps/crl
directory on all three servers. But only Master CA actually publishes CRLs.
Is there a way to publish CRLs to file on Clone CA or I should sync
/var/lib/pki/pki-tomcat/webapps/crl directory from Master CA?
On Wed, Sep 2, 2015 at 10:17 PM, John Magne <jmagne(a)redhat.com> wrote:
> Hi:
>
> I'm not sure what are try to accomplish.
> The way we have it now, only the master publishes anywhere.
>
>
> Is the concern over the internal OCSP of the cloned CA's
> or are you publishing to some external OSCP responders?
> If you are worried about the internal OCSP's of the clones,
> they should give the correct answers about a given cert through
> replication.
>
> If there is something else desired, let us know.
>
> thanks,
> jack
>
>
>
> ----- Original Message -----
> > From: "Aleksey Chudov" <aleksey.chudov(a)gmail.com>
> > To: pki-users(a)redhat.com
> > Sent: Wednesday, September 2, 2015 5:04:59 AM
> > Subject: [Pki-users] CRL to file publishing on Clone CA
> >
> > Hi,
> >
> > I have configured the same rules for CRL publishing on Master CA and two
> > Clone CAs
> >
> > +ca.publish.enable=true
> > +ca.publish.ldappublish.enable=false
> > +ca.publish.publisher.instance.FileCrlPublisher.Filename.b64=false
> > +ca.publish.publisher.instance.FileCrlPublisher.Filename.der=true
> > +ca.publish.publisher.instance.FileCrlPublisher.crlLinkExt=crl
> >
>
+ca.publish.publisher.instance.FileCrlPublisher.directory=/var/lib/pki/pki-tomcat/webapps/crl
> > +ca.publish.publisher.instance.FileCrlPublisher.latestCrlLink=true
> >
> +ca.publish.publisher.instance.FileCrlPublisher.pluginName=FileBasedPublisher
> > +ca.publish.publisher.instance.FileCrlPublisher.timeStamp=LocalTime
> > +ca.publish.publisher.instance.FileCrlPublisher.zipCRLs=false
> > +ca.publish.publisher.instance.FileCrlPublisher.zipLevel=9
> > +ca.publish.rule.instance.FileCrlRule.enable=true
> > +ca.publish.rule.instance.FileCrlRule.mapper=NoMap
> > +ca.publish.rule.instance.FileCrlRule.pluginName=Rule
> > +ca.publish.rule.instance.FileCrlRule.predicate=
> > +ca.publish.rule.instance.FileCrlRule.publisher=FileCrlPublisher
> > +ca.publish.rule.instance.FileCrlRule.type=crl
> >
> > But only Master CA publishes CRLs to /var/lib/pki/pki-tomcat/webapps/crl
> > directory.
> >
> > According to documentation
> >
>
https://access.redhat.com/documentation/en-US/Red_Hat_Certificate_System/...
> > , only one replicated CA can generate, cache, and publish CRLs.
> >
> > What are the best practices of publishing CRLs on Clone CA? Should I just
> > sync CRL directory on both clones from master, or is there a better
> > approach?
> >
> > Aleksey
> >
> > _______________________________________________
> > Pki-users mailing list
> > Pki-users(a)redhat.com
> > https://www.redhat.com/mailman/listinfo/pki-users
>
3:18 a.m.
Actually I do not like the idea of directory synchronization by using some
third-party script. So, I found an alternative solution instead of
publishing CRL to file.
My PKI CA subsystem listen on default ports 8080 and 8443. And I use Apache
mod_proxy for PKI CA to be available on standard ports 80 and 443.
All I have to do is add a bit of Apache mod_rewrite magic:
RewriteEngine on
RewriteRule "^/crl/MasterCRL.crl$"
"/ca/ee/ca/getCRL?crlIssuingPoint=MasterCRL&op=getCRL" [L,NC,PT]
It works the same for the master and clones without the need of publishing.
Thanks for your reminder of the availability of alternatives :)
On Thu, Sep 3, 2015 at 3:01 AM, John Magne <jmagne(a)redhat.com> wrote:
Oh I see:
There are a couple of alternatives, but the way the server works right now
is to only allow the Master to publish:
1. Publish to ldap instead?
2. Have some sort of file watcher on the master and push out updates to
the other hosts maybe.
----- Original Message -----
> From: "Aleksey Chudov" <aleksey.chudov(a)gmail.com>
> To: "John Magne" <jmagne(a)redhat.com>
> Cc: pki-users(a)redhat.com
> Sent: Wednesday, September 2, 2015 2:07:20 PM
> Subject: Re: [Pki-users] CRL to file publishing on Clone CA
>
> To make it clear I have to tell a bit more about my CA scheme.
>
> I have three servers, Master CA + two Clone CAs. All three servers have
> their own DNS names and also shared DNS name ca.local.mycompany.com. So,
> ca.local.mycompany.com resolves to three ip addresses for load sharing
and
> high availability.
>
> All CA enrolled certificates contains extensions
>
> X509v3 CRL Distribution Points:
> Full Name:
> URI:http://ca.local.mycompany.com/crl/MasterCRL.crl
>
> Authority Information Access:
> OCSP - URI:http://ca.local.mycompany.com
> <http://ca.local.mycompany.com/crl/MasterCRL.crl>/ca/ocsp
> <http://ca.service.local.odkl.ru/ca/ocsp>
>
>
> There is no problems with OCSP. It works out of the box.
>
> http://ca.local.mycompany.com/crl/
> <http://ca.local.mycompany.com/crl/MasterCRL.crl> URL internally points
to
> local directory on all three servers
>
> # grep -A1 crl /etc/pki/pki-tomcat/server.xml
> <Context path="/crl"
> docBase="/var/lib/pki/pki-tomcat/webapps/crl"
> allowLinking="true"/>
>
> I need the CRL file to be available on all three servers for
> http://ca.local.mycompany.com/crl/MasterCRL.crl URL to work. So, I have
> configured CRL publishing to file in /var/lib/pki/pki-tomcat/webapps/crl
> directory on all three servers. But only Master CA actually publishes
CRLs.
>
> Is there a way to publish CRLs to file on Clone CA or I should sync
> /var/lib/pki/pki-tomcat/webapps/crl directory from Master CA?
>
>
>
>
> On Wed, Sep 2, 2015 at 10:17 PM, John Magne <jmagne(a)redhat.com> wrote:
>
> > Hi:
> >
> > I'm not sure what are try to accomplish.
> > The way we have it now, only the master publishes anywhere.
> >
> >
> > Is the concern over the internal OCSP of the cloned CA's
> > or are you publishing to some external OSCP responders?
> > If you are worried about the internal OCSP's of the clones,
> > they should give the correct answers about a given cert through
> > replication.
> >
> > If there is something else desired, let us know.
> >
> > thanks,
> > jack
> >
> >
> >
> > ----- Original Message -----
> > > From: "Aleksey Chudov" <aleksey.chudov(a)gmail.com>
> > > To: pki-users(a)redhat.com
> > > Sent: Wednesday, September 2, 2015 5:04:59 AM
> > > Subject: [Pki-users] CRL to file publishing on Clone CA
> > >
> > > Hi,
> > >
> > > I have configured the same rules for CRL publishing on Master CA and
two
> > > Clone CAs
> > >
> > > +ca.publish.enable=true
> > > +ca.publish.ldappublish.enable=false
> > > +ca.publish.publisher.instance.FileCrlPublisher.Filename.b64=false
> > > +ca.publish.publisher.instance.FileCrlPublisher.Filename.der=true
> > > +ca.publish.publisher.instance.FileCrlPublisher.crlLinkExt=crl
> > >
> >
+ca.publish.publisher.instance.FileCrlPublisher.directory=/var/lib/pki/pki-tomcat/webapps/crl
> > > +ca.publish.publisher.instance.FileCrlPublisher.latestCrlLink=true
> > >
> >
+ca.publish.publisher.instance.FileCrlPublisher.pluginName=FileBasedPublisher
> > > +ca.publish.publisher.instance.FileCrlPublisher.timeStamp=LocalTime
> > > +ca.publish.publisher.instance.FileCrlPublisher.zipCRLs=false
> > > +ca.publish.publisher.instance.FileCrlPublisher.zipLevel=9
> > > +ca.publish.rule.instance.FileCrlRule.enable=true
> > > +ca.publish.rule.instance.FileCrlRule.mapper=NoMap
> > > +ca.publish.rule.instance.FileCrlRule.pluginName=Rule
> > > +ca.publish.rule.instance.FileCrlRule.predicate=
> > > +ca.publish.rule.instance.FileCrlRule.publisher=FileCrlPublisher
> > > +ca.publish.rule.instance.FileCrlRule.type=crl
> > >
> > > But only Master CA publishes CRLs to
/var/lib/pki/pki-tomcat/webapps/crl
> > > directory.
> > >
> > > According to documentation
> > >
> >
https://access.redhat.com/documentation/en-US/Red_Hat_Certificate_System/...
> > > , only one replicated CA can generate, cache, and publish CRLs.
> > >
> > > What are the best practices of publishing CRLs on Clone CA? Should I
just
> > > sync CRL directory on both clones from master, or is there a better
> > > approach?
> > >
> > > Aleksey
> > >
> > > _______________________________________________
> > > Pki-users mailing list
> > > Pki-users(a)redhat.com
> > > https://www.redhat.com/mailman/listinfo/pki-users
> >
>
3338
days inactive
3339
days old
4 comments
2 participants
participants (2)
-
Aleksey Chudov -
John Magne