Configuring CRL - dogtagpki/pki GitHub Wiki
CRL generation is enabled by default in the CA. To enable it manually:
$ pki-server ca-config-set ca.crl.MasterCRL.enable true
$ pki-server ca-config-set ca.crl.MasterCRL.enableCRLCache true
$ pki-server ca-config-set ca.crl.MasterCRL.enableCRLUpdates true
$ pki-server ca-config-set ca.transitRecordPageSize 200
$ pki-server ca-config-set ca.transitMaxRecords 1000000
$ pki-server ca-config-set ca.certStatusUpdateInterval 600
To enable delta CRL:
$ pki-server ca-config-set ca.crl.MasterCRL.extension.DeltaCRLIndicator.enable true
The server must be restarted.
To change the CRL number, modify the crlNumber attribute of the MasterCRL issuing point entry in the CA's internal LDAP database. The base DN dc=ca,dc=pki,dc=example,dc=com below is the example instance's; substitute your own. The new value must be greater than the current one: RFC 5280 (section 5.2.3) requires CRL numbers to increase monotonically, and a client that has already cached a CRL with a higher number may ignore one numbered below it.
$ ldapmodify -x -D "cn=Directory Manager" -w Secret.123 << EOF
dn: cn=MasterCRL,ou=crlIssuingPoints,ou=ca,dc=ca,dc=pki,dc=example,dc=com
changetype: modify
replace: crlNumber
crlNumber: <CRL number>
EOF
Then restart the server.
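The following is an added example, not part of the wiki page or the pki project: a small POSIX sh helper that builds the ldapmodify input for the crlNumber change above and refuses any value that is not strictly greater than the number currently stored, so the monotonic-increase rule cannot be violated by a typo. The base DN, the password and the numbers used are assumptions for the illustration.

```shell
# Added example (not from the Dogtag wiki or the pki project): build the
# ldapmodify input for changing the MasterCRL crlNumber, refusing any value
# that is not strictly greater than the current one. RFC 5280 section 5.2.3
# requires CRL numbers to increase monotonically; a CRL issued with a lower or
# equal number than one a relying party has already cached may be ignored,
# silently hiding newer revocations.
# The base DN and the numbers used below are assumptions for the illustration.

# Print the LDIF that replaces crlNumber on the MasterCRL issuing point.
# $1 = CA base DN (e.g. dc=ca,dc=pki,dc=example,dc=com)
# $2 = crlNumber currently stored in LDAP
# $3 = new crlNumber
crl_number_ldif() {
    base_dn=$1
    current=$2
    new=$3
    case $current in
        ''|*[!0-9]*) echo "current crlNumber is not a non-negative integer: '$current'" >&2; return 1 ;;
    esac
    case $new in
        ''|*[!0-9]*) echo "new crlNumber is not a non-negative integer: '$new'" >&2; return 1 ;;
    esac
    if [ "$new" -le "$current" ]; then
        echo "refusing: new crlNumber $new is not greater than current $current" >&2
        return 1
    fi
    cat <<EOF
dn: cn=MasterCRL,ou=crlIssuingPoints,ou=ca,$base_dn
changetype: modify
replace: crlNumber
crlNumber: $new
EOF
}

# Demonstration with constructed values (no directory server involved).
crl_number_ldif "dc=ca,dc=pki,dc=example,dc=com" 5 6
crl_number_ldif "dc=ca,dc=pki,dc=example,dc=com" 6 6 || echo "(rejected, as intended)"

# On a live CA the current value comes from ldapsearch and the LDIF is piped
# straight into ldapmodify (not executed here; needs the LDAP client tools):
#   BASE=dc=ca,dc=pki,dc=example,dc=com
#   CUR=$(ldapsearch -LLL -x -D "cn=Directory Manager" -w Secret.123 \
#       -b "cn=MasterCRL,ou=crlIssuingPoints,ou=ca,$BASE" -s base crlNumber \
#       | sed -n 's/^crlNumber: //p')
#   crl_number_ldif "$BASE" "$CUR" 1000 \
#       | ldapmodify -x -D "cn=Directory Manager" -w Secret.123
```

The function only prints LDIF; piping it into ldapmodify, and restarting the server afterwards, is left to the caller so the generated change can be reviewed first.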
The remaining CRL parameters in the CA's CS.cfg:
ca.crl.pageSize=100
ca.crl.MasterCRL.allowExtensions=true
ca.crl.MasterCRL.alwaysUpdate=false
ca.crl.MasterCRL.caCertsOnly=false
ca.crl.MasterCRL.cacheUpdateInterval=15
ca.crl.MasterCRL.unexpectedExceptionWaitTime=30
ca.crl.MasterCRL.unexpectedExceptionLoopMax=10
ca.crl.MasterCRL.class=com.netscape.ca.CRLIssuingPoint
ca.crl.MasterCRL.description=CA's complete Certificate Revocation List
ca.crl.MasterCRL.enableCRLCache=true
ca.crl.MasterCRL.enableCRLUpdates=true
ca.crl.MasterCRL.enableCacheTesting=false
ca.crl.MasterCRL.enableCacheRecovery=true
ca.crl.MasterCRL.extendedNextUpdate=true
ca.crl.MasterCRL.includeExpiredCerts=false
ca.crl.MasterCRL.minUpdateInterval=0
ca.crl.MasterCRL.nextUpdateGracePeriod=0
ca.crl.MasterCRL.publishOnStart=false
ca.crl.MasterCRL.saveMemory=false
ca.crl.MasterCRL.signingAlgorithm=SHA256withRSA
ca.crl.MasterCRL.updateSchema=1
By default a CRL is generated even if no certificate has been revoked:
ca.crl.MasterCRL.noCRLIfNoRevokedCert=false
To disable CRL generation:
$ pki-server ca-config-set ca.certStatusUpdateInterval 0
$ pki-server ca-config-set ca.listenToCloneModifications false
$ pki-server ca-config-set ca.crl.MasterCRL.enableCRLCache false
$ pki-server ca-config-set ca.crl.MasterCRL.enableCRLUpdates false
Then restart the server.
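As an added example (not part of the wiki page or the pki project), the POSIX sh snippet below reads a CA's CS.cfg and reports whether MasterCRL generation is actually on, so the enable and disable recipes above can be verified after a restart rather than assumed. The cscfg_get and crl_state function names and the two CS.cfg fragments are constructed for this illustration; on a typical instance the real file is /etc/pki/<instance>/ca/CS.cfg.

```shell
# Added example (not from the Dogtag wiki or the pki project): read a CA's
# CS.cfg and report whether MasterCRL generation is really on.
# "enabled" requires both ca.crl.MasterCRL.enable=true and
# ca.crl.MasterCRL.enableCRLUpdates=true; an issuing point that is enabled
# but has updates turned off keeps serving whatever CRL was generated last.
# The CS.cfg fragments below are constructed for this illustration.

# Print the value of property $2 in CS.cfg-style file $1 (last occurrence wins),
# or nothing if the property is absent. Keys are compared exactly, so
# ca.crl.MasterCRL.enable does not match ca.crl.MasterCRL.enableCRLCache.
cscfg_get() {
    awk -F= -v k="$2" '$1 == k { sub(/^[^=]*=/, ""); v = $0 } END { if (v != "") print v }' "$1"
}

# Report the effective CRL state of CS.cfg file $1.
# Exit status 0 when CRLs are generated and updated, 1 otherwise.
crl_state() {
    cfg=$1
    enable=$(cscfg_get "$cfg" ca.crl.MasterCRL.enable)
    updates=$(cscfg_get "$cfg" ca.crl.MasterCRL.enableCRLUpdates)
    cache=$(cscfg_get "$cfg" ca.crl.MasterCRL.enableCRLCache)
    interval=$(cscfg_get "$cfg" ca.certStatusUpdateInterval)
    if [ "$enable" != "true" ]; then
        echo "disabled: ca.crl.MasterCRL.enable=${enable:-<unset>}"
        return 1
    fi
    if [ "$updates" != "true" ]; then
        echo "not updated: issuing point enabled but ca.crl.MasterCRL.enableCRLUpdates=${updates:-<unset>}"
        return 1
    fi
    echo "enabled: CRL updates on, enableCRLCache=${cache:-<unset>}, certStatusUpdateInterval=${interval:-<unset>}"
    return 0
}

# Demonstration on two constructed CS.cfg fragments: one matching the enable
# recipe, one matching the disable recipe.
tmpdir=$(mktemp -d)
cat > "$tmpdir/enabled.cfg" <<'EOF'
ca.crl.MasterCRL.enable=true
ca.crl.MasterCRL.enableCRLCache=true
ca.crl.MasterCRL.enableCRLUpdates=true
ca.certStatusUpdateInterval=600
EOF
cat > "$tmpdir/disabled.cfg" <<'EOF'
ca.crl.MasterCRL.enable=true
ca.crl.MasterCRL.enableCRLCache=false
ca.crl.MasterCRL.enableCRLUpdates=false
ca.certStatusUpdateInterval=0
EOF
for f in "$tmpdir/enabled.cfg" "$tmpdir/disabled.cfg"; do
    printf '%s: ' "$(basename "$f")"
    crl_state "$f" || :
done
rm -rf "$tmpdir"
```

Because the disable recipe leaves ca.crl.MasterCRL.enable at true, the check deliberately distinguishes "disabled" (issuing point off) from "not updated" (issuing point on, but no new CRLs are produced); the second state is the one that silently serves a stale CRL.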