Configuring LDAP based CRL Publishing
Endi S. Dewata edited this page Jan 22, 2022 · 12 revisions
This page describes how to configure LDAP-based CRL publishing in the CA. The CRL publishing configuration is stored in `/var/lib/pki/pki-tomcat/ca/conf/CS.cfg`.
To enable CRL publishing:

```
ca.publish.enable=true
```
To configure the LDAP-based CRL publisher:

```
ca.publish.publisher.instance.LdapCrlPublisher.crlAttr=certificateRevocationList;binary
ca.publish.publisher.instance.LdapCrlPublisher.crlObjectClass=pkiCA
ca.publish.publisher.instance.LdapCrlPublisher.pluginName=LdapCrlPublisher
```
To configure the LDAP connection:

```
ca.publish.ldappublish.enable=true
ca.publish.ldappublish.ldap.ldapauth.authtype=BasicAuth
ca.publish.ldappublish.ldap.ldapauth.bindDN=cn=Directory Manager
ca.publish.ldappublish.ldap.ldapauth.bindPWPrompt=internaldb
ca.publish.ldappublish.ldap.ldapauth.clientCertNickname=
ca.publish.ldappublish.ldap.ldapconn.host=localhost.localdomain
ca.publish.ldappublish.ldap.ldapconn.port=389
ca.publish.ldappublish.ldap.ldapconn.secureConn=false
```
To configure the CRL mapper:

```
ca.publish.mapper.instance.LdapCrlMap.createCAEntry=true
ca.publish.mapper.instance.LdapCrlMap.dnPattern=cn=$subj.cn,dc=example,dc=com
ca.publish.mapper.instance.LdapCrlMap.pluginName=LdapCaSimpleMap
```
To configure the publishing rule:

```
ca.publish.rule.instance.LdapCrlRule.enable=true
ca.publish.rule.instance.LdapCrlRule.mapper=LdapCrlMap
ca.publish.rule.instance.LdapCrlRule.pluginName=Rule
ca.publish.rule.instance.LdapCrlRule.predicate=issuingPointId==MasterCRL
ca.publish.rule.instance.LdapCrlRule.publisher=LdapCrlPublisher
ca.publish.rule.instance.LdapCrlRule.type=crl
```
By default the CRL is only updated at scheduled times. To update the CRL on each revocation:

```
ca.crl.MasterCRL.alwaysUpdate=true
```
Finally, restart the server.
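Before restarting, it is worth confirming that the rule, mapper and publisher instances reference each other correctly and checking which LDAP entry the CRL will be written to. The Python script below is an added example, not part of this page or of Dogtag itself: it parses the keys above from a constructed CS.cfg fragment and assumes that LdapCaSimpleMap fills `$subj.cn` from the CA certificate's subject CN (here "Certificate Authority", matching the search base used in the ldapsearch command below). It also flags a BasicAuth bind with `secureConn=false`, since a simple bind over a non-TLS connection sends the Directory Manager password in cleartext.

```python
import re
# Constructed sample: the keys shown on this page, as they appear in CS.cfg.
SAMPLE_CFG = """
ca.publish.enable=true
ca.publish.ldappublish.enable=true
ca.publish.ldappublish.ldap.ldapauth.authtype=BasicAuth
ca.publish.ldappublish.ldap.ldapconn.secureConn=false
ca.publish.publisher.instance.LdapCrlPublisher.pluginName=LdapCrlPublisher
ca.publish.mapper.instance.LdapCrlMap.dnPattern=cn=$subj.cn,dc=example,dc=com
ca.publish.mapper.instance.LdapCrlMap.pluginName=LdapCaSimpleMap
ca.publish.rule.instance.LdapCrlRule.enable=true
ca.publish.rule.instance.LdapCrlRule.mapper=LdapCrlMap
ca.publish.rule.instance.LdapCrlRule.publisher=LdapCrlPublisher
ca.publish.rule.instance.LdapCrlRule.type=crl
"""
P = "ca.publish."

def parse_cfg(text):
    """Flat key=value; split on the first '=' only (dnPattern contains '=')."""
    cfg = {}
    for line in text.splitlines():
        if line.strip() and not line.lstrip().startswith("#"):
            key, _, value = line.partition("=")
            cfg[key.strip()] = value.strip()
    return cfg

def check_crl_publishing(cfg, ca_subject):
    """Return (crl_dns, findings); $subj.<attr> is assumed to come from the CA subject."""
    findings, crl_dns = [], []
    for key in ("enable", "ldappublish.enable"):
        if cfg.get(P + key) != "true":
            findings.append(f"{P}{key} is not true")
    conn = P + "ldappublish.ldap."
    if (cfg.get(conn + "ldapauth.authtype") == "BasicAuth"
            and cfg.get(conn + "ldapconn.secureConn") != "true"):
        findings.append("BasicAuth bind password is sent over a non-TLS connection")
    rules = {k.split(".")[4] for k in cfg if k.startswith(P + "rule.instance.")}
    for rule in sorted(rules):
        r = f"{P}rule.instance.{rule}."
        if cfg.get(r + "type") != "crl" or cfg.get(r + "enable") != "true":
            continue  # only enabled CRL rules matter here
        mapper, pub = cfg.get(r + "mapper"), cfg.get(r + "publisher")
        if f"{P}publisher.instance.{pub}.pluginName" not in cfg:
            findings.append(f"rule {rule}: publisher {pub!r} is not defined")
        pattern = cfg.get(f"{P}mapper.instance.{mapper}.dnPattern")
        if pattern is None:
            findings.append(f"rule {rule}: mapper {mapper!r} has no dnPattern")
        else:
            crl_dns.append(re.sub(r"\$subj\.(\w+)", lambda m: ca_subject[m.group(1)], pattern))
    return crl_dns, findings
```

Run it against the real file with `parse_cfg(open("/var/lib/pki/pki-tomcat/ca/conf/CS.cfg").read())` to check a live instance.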
To retrieve the published CRL (with `-t`, ldapsearch writes the binary attribute value to a temporary file and prints its path):

```
$ ldapsearch \
    -h $HOSTNAME \
    -p 389 \
    -x \
    -D "cn=Directory Manager" \
    -w Secret.123 \
    -b "cn=Certificate Authority,dc=example,dc=com" \
    -t \
    certificateRevocationList
dn: cn=Certificate Authority,dc=example,dc=com
certificateRevocationList;binary:< file://<path>
```
To view the published CRL:

```
$ openssl crl -text -noout -in <path>
```