Configuring LDAP based CRL Publishing
Endi S. Dewata edited this page Jan 24, 2022 · 12 revisions
This page describes how to configure LDAP-based CRL publishing in the CA subsystem.
The CRL publishing configuration is stored in `/var/lib/pki/pki-tomcat/ca/conf/CS.cfg`.
To enable CRL publishing:
```
ca.publish.enable=true
```
To configure LDAP-based CRL publisher:
```
ca.publish.publisher.instance.LdapCrlPublisher.crlAttr=certificateRevocationList;binary
ca.publish.publisher.instance.LdapCrlPublisher.crlObjectClass=pkiCA
ca.publish.publisher.instance.LdapCrlPublisher.pluginName=LdapCrlPublisher
```
To configure LDAP connection:
```
ca.publish.ldappublish.enable=true
ca.publish.ldappublish.ldap.ldapauth.authtype=BasicAuth
ca.publish.ldappublish.ldap.ldapauth.bindDN=cn=Directory Manager
ca.publish.ldappublish.ldap.ldapauth.bindPWPrompt=internaldb
ca.publish.ldappublish.ldap.ldapauth.clientCertNickname=
ca.publish.ldappublish.ldap.ldapconn.host=localhost.localdomain
ca.publish.ldappublish.ldap.ldapconn.port=389
ca.publish.ldappublish.ldap.ldapconn.secureConn=false
```
To configure CRL mapper:
```
ca.publish.mapper.instance.LdapCrlMap.createCAEntry=true
ca.publish.mapper.instance.LdapCrlMap.dnPattern=cn=$subj.cn,dc=example,dc=com
ca.publish.mapper.instance.LdapCrlMap.pluginName=LdapCaSimpleMap
```
To configure CRL publishing rule:
```
ca.publish.rule.instance.LdapCrlRule.enable=true
ca.publish.rule.instance.LdapCrlRule.mapper=LdapCrlMap
ca.publish.rule.instance.LdapCrlRule.pluginName=Rule
ca.publish.rule.instance.LdapCrlRule.predicate=issuingPointId==MasterCRL
ca.publish.rule.instance.LdapCrlRule.publisher=LdapCrlPublisher
ca.publish.rule.instance.LdapCrlRule.type=crl
```
To simplify testing, the buffer size for revocation checking can be set to 0
so that each certificate revocation will take effect immediately:
```
auths.revocationChecking.bufferSize=0
```
Also by default the CRL is only updated at scheduled times. To update the CRL immediately on each certificate revocation:
```
ca.crl.MasterCRL.alwaysUpdate=true
```
Finally, restart the server.
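The steps above spread the publishing setup over four groups of keys (publisher, LDAP connection, mapper, rule) that must refer to each other by instance name, and a typo in any one of them silently disables publishing. The following script is an added example, not part of the pki project: it parses `CS.cfg`-style `key=value` text, checks that the CRL rule points at a mapper and publisher instance that actually exist, and flags `BasicAuth` combined with `secureConn=false`, under which the Directory Manager bind password travels in the clear on port 389 (fine for the local test setup on this page, worth catching anywhere else). The sample configuration is constructed from this page's settings; the key names are the page's own.

```python
"""Validate the LDAP CRL publishing settings in a CS.cfg-style file.

Added example (not part of the pki project). It parses key=value lines,
checks the cross-references between rule, mapper and publisher instances,
and flags a cleartext BasicAuth bind. SAMPLE_CS_CFG is constructed from
the settings shown on this page.
"""
from __future__ import annotations

from typing import Dict, List

# Constructed sample: the settings from this page as they appear in CS.cfg.
SAMPLE_CS_CFG = """\
ca.publish.enable=true
ca.publish.publisher.instance.LdapCrlPublisher.crlAttr=certificateRevocationList;binary
ca.publish.publisher.instance.LdapCrlPublisher.crlObjectClass=pkiCA
ca.publish.publisher.instance.LdapCrlPublisher.pluginName=LdapCrlPublisher
ca.publish.ldappublish.enable=true
ca.publish.ldappublish.ldap.ldapauth.authtype=BasicAuth
ca.publish.ldappublish.ldap.ldapauth.bindDN=cn=Directory Manager
ca.publish.ldappublish.ldap.ldapauth.bindPWPrompt=internaldb
ca.publish.ldappublish.ldap.ldapauth.clientCertNickname=
ca.publish.ldappublish.ldap.ldapconn.host=localhost.localdomain
ca.publish.ldappublish.ldap.ldapconn.port=389
ca.publish.ldappublish.ldap.ldapconn.secureConn=false
ca.publish.mapper.instance.LdapCrlMap.createCAEntry=true
ca.publish.mapper.instance.LdapCrlMap.dnPattern=cn=$subj.cn,dc=example,dc=com
ca.publish.mapper.instance.LdapCrlMap.pluginName=LdapCaSimpleMap
ca.publish.rule.instance.LdapCrlRule.enable=true
ca.publish.rule.instance.LdapCrlRule.mapper=LdapCrlMap
ca.publish.rule.instance.LdapCrlRule.pluginName=Rule
ca.publish.rule.instance.LdapCrlRule.predicate=issuingPointId==MasterCRL
ca.publish.rule.instance.LdapCrlRule.publisher=LdapCrlPublisher
ca.publish.rule.instance.LdapCrlRule.type=crl
"""


def parse_cs_cfg(text: str) -> Dict[str, str]:
    """Parse 'key=value' lines, splitting on the first '=' only: values such as
    bindDN and dnPattern contain '=' themselves. Blank and '#' lines are skipped."""
    config: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            config[key.strip()] = value.strip()
    return config


def check_crl_publishing(config: Dict[str, str]) -> List[str]:
    """Return a list of findings; an empty list means the config is consistent."""
    findings: List[str] = []
    if config.get("ca.publish.enable") != "true":
        findings.append("publishing is disabled (ca.publish.enable)")
    if config.get("ca.publish.ldappublish.enable") != "true":
        findings.append("LDAP publishing is disabled (ca.publish.ldappublish.enable)")

    # Every CRL rule must point at a mapper and a publisher that are defined
    # (a defined instance always carries a pluginName key).
    rule_prefix = "ca.publish.rule.instance."
    rules = {k[len(rule_prefix):].split(".")[0] for k in config if k.startswith(rule_prefix)}
    for rule in sorted(rules):
        base = f"{rule_prefix}{rule}."
        if config.get(base + "type") != "crl":
            continue
        if config.get(base + "enable") != "true":
            findings.append(f"rule {rule} is disabled")
        mapper = config.get(base + "mapper", "")
        publisher = config.get(base + "publisher", "")
        if f"ca.publish.mapper.instance.{mapper}.pluginName" not in config:
            findings.append(f"rule {rule} references undefined mapper '{mapper}'")
        if f"ca.publish.publisher.instance.{publisher}.pluginName" not in config:
            findings.append(f"rule {rule} references undefined publisher '{publisher}'")

    # A simple bind over a non-TLS connection sends the bind password in cleartext.
    ldap = "ca.publish.ldappublish.ldap."
    if (config.get(ldap + "ldapauth.authtype") == "BasicAuth"
            and config.get(ldap + "ldapconn.secureConn") != "true"):
        findings.append("BasicAuth bind password is sent over a non-TLS LDAP connection")
    return findings


if __name__ == "__main__":
    for finding in check_crl_publishing(parse_cs_cfg(SAMPLE_CS_CFG)) or ["no findings"]:
        print(finding)
```

Run against a real `CS.cfg` by replacing `SAMPLE_CS_CFG` with the file contents; on the page's own settings the only finding is the cleartext bind.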
To retrieve the published CRL:
```
$ ldapsearch \
    -h $HOSTNAME \
    -p 389 \
    -x \
    -D "cn=Directory Manager" \
    -w Secret.123 \
    -b "cn=Certificate Authority,dc=example,dc=com" \
    -t \
    certificateRevocationList
dn: cn=Certificate Authority,dc=example,dc=com
certificateRevocationList;binary:< file://<path>
```

The `-t` option writes the binary attribute value to a temporary file and prints that file's path in place of the value; use it as `<path>` in the next step.
To view the published CRL:
```
$ openssl crl \
    -in <path> \
    -inform DER \
    -text -noout
Certificate Revocation List (CRL):
        Version 2 (0x1)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: O = EXAMPLE, OU = pki-tomcat, CN = CA Signing Certificate
        Last Update: Jan 22 00:56:35 2022 GMT
        Next Update: Jan 22 01:00:00 2022 GMT
        CRL extensions:
            X509v3 Authority Key Identifier:
                keyid:6E:27:EA:CC:40:91:88:35:C7:B0:60:45:B3:2C:6A:74:0B:BF:EE:8A
            X509v3 CRL Number:
                2
Revoked Certificates:
    Serial Number: 07
        Revocation Date: Jan 22 00:56:35 2022 GMT
        CRL entry extensions:
            X509v3 CRL Reason Code:
                Certificate Hold
    Signature Algorithm: sha256WithRSAEncryption
         2d:3f:c1:4d:d4:0a:39:a2:bf:ce:bc:12:96:46:b4:c6:c5:8c:
         65:fb:fe:ea:9b:b1:a3:df:7b:a4:b0:57:9d:d8:55:a4:39:b4:
         5a:17:d7:0a:93:4d:7e:0c:0e:da:87:b1:18:5f:21:96:d4:1e:
         c5:3c:ae:07:87:56:e4:30:fc:06:ea:c7:da:61:fd:ea:b6:b1:
         fa:24:bf:54:f0:32:ea:1d:65:91:58:4e:83:fe:50:72:4a:cc:
         37:4b:61:db:43:c9:9b:74:25:e6:64:93:a4:23:02:ba:b9:64:
         4e:99:5f:12:d6:81:d0:bb:52:b7:df:6e:0d:f3:60:98:9a:0f:
         86:e0:da:77:f9:5c:8b:d7:68:92:10:54:cf:10:0b:41:01:e5:
         b9:aa:44:9f:34:bb:18:36:13:5d:4f:02:38:48:24:b2:c2:72:
         60:18:a4:64:65:10:dc:4a:30:ae:71:e6:9b:b4:de:0a:c7:fc:
         4f:a1:d7:68:b6:8b:bf:dd:08:24:ab:8e:28:e8:ef:20:ce:24:
         83:48:65:4f:c2:f0:04:19:08:fd:5b:30:94:b6:d6:71:30:45:
         2d:25:63:5b:e2:7d:bd:f0:c0:2c:1b:f6:da:a6:93:05:21:fd:
         78:ba:a5:a3:ed:88:f5:fb:c9:f0:e5:b0:e3:e9:9a:c0:00:e9:
         44:b2:4a:83
```
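Note the short validity window in the output above (`Next Update` is only minutes after `Last Update`): once that time passes, relying parties reading the LDAP copy are working from a stale CRL. The script below is an added example, not code from the pki project: it parses the text that `openssl crl -text -noout` prints, reports whether the CRL is current or stale at a given time, and answers whether a serial appears on it. The sample input is the CRL text from this page, reproduced as a constructed test input with the signature bytes truncated.

```python
"""Parse `openssl crl -text -noout` output and check the published CRL.

Added example (not part of the pki project). SAMPLE_CRL_TEXT is the CRL
text shown on this page, reproduced as a constructed input with the
signature bytes truncated.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import List, Optional

SAMPLE_CRL_TEXT = """\
Certificate Revocation List (CRL):
        Version 2 (0x1)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: O = EXAMPLE, OU = pki-tomcat, CN = CA Signing Certificate
        Last Update: Jan 22 00:56:35 2022 GMT
        Next Update: Jan 22 01:00:00 2022 GMT
        CRL extensions:
            X509v3 Authority Key Identifier:
                keyid:6E:27:EA:CC:40:91:88:35:C7:B0:60:45:B3:2C:6A:74:0B:BF:EE:8A
            X509v3 CRL Number:
                2
Revoked Certificates:
    Serial Number: 07
        Revocation Date: Jan 22 00:56:35 2022 GMT
        CRL entry extensions:
            X509v3 CRL Reason Code:
                Certificate Hold
    Signature Algorithm: sha256WithRSAEncryption
         2d:3f:c1:4d:d4:0a:39:a2:bf:ce:bc:12:96:46:b4:c6:c5:8c:
"""


@dataclass
class RevokedEntry:
    serial: str                 # upper-case hex without leading zeros
    revocation_date: datetime
    reason: Optional[str]


@dataclass
class CrlInfo:
    issuer: str
    last_update: datetime
    next_update: datetime
    crl_number: int
    revoked: List[RevokedEntry] = field(default_factory=list)


def _parse_openssl_time(text: str) -> datetime:
    # openssl prints e.g. "Jan 22 00:56:35 2022 GMT"; single-digit days are space-padded.
    normalized = " ".join(text.split())
    return datetime.strptime(normalized, "%b %d %H:%M:%S %Y GMT").replace(tzinfo=timezone.utc)


def normalize_serial(serial: str) -> str:
    """Canonical form so '07', '7' and '00:07' compare equal."""
    return serial.replace(":", "").upper().lstrip("0") or "0"


# One revoked entry: serial, date and an optional reason-code extension.
_ENTRY_RE = re.compile(
    r"Serial Number:\s*([0-9A-Fa-f:]+)\s*\n\s*Revocation Date:\s*([^\n]+)"
    r"(?:\s*\n\s*CRL entry extensions:\s*\n\s*X509v3 CRL Reason Code:\s*\n\s*([^\n]+))?"
)


def parse_crl_text(text: str) -> CrlInfo:
    def field_value(label: str) -> str:
        m = re.search(rf"^\s*{re.escape(label)}:\s*(.+)$", text, re.M)
        if not m:
            raise ValueError(f"missing {label}")
        return m.group(1).strip()

    num = re.search(r"X509v3 CRL Number:\s*(\d+)", text)
    if not num:
        raise ValueError("missing CRL Number")
    info = CrlInfo(
        issuer=field_value("Issuer"),
        last_update=_parse_openssl_time(field_value("Last Update")),
        next_update=_parse_openssl_time(field_value("Next Update")),
        crl_number=int(num.group(1)),
    )
    # Only the section after "Revoked Certificates:" holds entries.
    _, _, revoked_section = text.partition("Revoked Certificates:")
    for m in _ENTRY_RE.finditer(revoked_section):
        info.revoked.append(RevokedEntry(
            serial=normalize_serial(m.group(1)),
            revocation_date=_parse_openssl_time(m.group(2)),
            reason=m.group(3).strip() if m.group(3) else None,
        ))
    return info


def crl_status(info: CrlInfo, now: datetime) -> str:
    """'current' inside [Last Update, Next Update], otherwise 'stale' or 'not-yet-valid'."""
    if now < info.last_update:
        return "not-yet-valid"
    if now > info.next_update:
        return "stale"
    return "current"


def is_revoked(info: CrlInfo, serial: str) -> bool:
    wanted = normalize_serial(serial)
    return any(e.serial == wanted for e in info.revoked)


if __name__ == "__main__":
    crl = parse_crl_text(SAMPLE_CRL_TEXT)
    print(f"CRL #{crl.crl_number} from {crl.issuer}: "
          f"{crl_status(crl, datetime.now(timezone.utc))}, "
          f"{len(crl.revoked)} revoked entries")
```

Feed it the output of `openssl crl -in <path> -inform DER -text -noout` (for example via `sys.stdin.read()`) to turn the manual check on this page into a monitoring step; with `alwaysUpdate=true` the `X509v3 CRL Number` should also increase after every revocation, which is a cheap way to confirm that publishing fired.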