Publishing CRL to File System - dogtagpki/pki GitHub Wiki

Overview

This page describes how to configure the CA to publish its CRLs to a directory on the local file system.

Preparing File System

To prepare the publishing directory, create it and give it to the account the CA runs as (pkiuser by default), since the publisher writes the CRL files as that user:

$ mkdir /var/lib/pki/pki-tomcat/crl
$ chown pkiuser:pkiuser /var/lib/pki/pki-tomcat/crl

Configuring CRL Publishing

The CRL publishing configuration is stored in /var/lib/pki/pki-tomcat/ca/conf/CS.cfg.

To configure the file-based CRL publisher (with latestCrlLink set to true and crlLinkExt set to bin, the publisher keeps a MasterCRL.bin entry in that directory that always refers to the most recently published CRL; Filename.der true writes the CRL in DER form, which is what the verification step below reads):

$ pki-server ca-config-set ca.publish.publisher.instance.FileBasedPublisher.pluginName FileBasedPublisher
$ pki-server ca-config-set ca.publish.publisher.instance.FileBasedPublisher.crlLinkExt bin
$ pki-server ca-config-set ca.publish.publisher.instance.FileBasedPublisher.directory /var/lib/pki/pki-tomcat/crl
$ pki-server ca-config-set ca.publish.publisher.instance.FileBasedPublisher.latestCrlLink true
$ pki-server ca-config-set ca.publish.publisher.instance.FileBasedPublisher.timeStamp LocalTime
$ pki-server ca-config-set ca.publish.publisher.instance.FileBasedPublisher.zipCRLs false
$ pki-server ca-config-set ca.publish.publisher.instance.FileBasedPublisher.zipLevel 9
$ pki-server ca-config-set ca.publish.publisher.instance.FileBasedPublisher.Filename.b64 false
$ pki-server ca-config-set ca.publish.publisher.instance.FileBasedPublisher.Filename.der true

To configure the publishing rule that sends CRLs to this publisher:

$ pki-server ca-config-set ca.publish.rule.instance.FileCrlRule.enable true
$ pki-server ca-config-set ca.publish.rule.instance.FileCrlRule.mapper NoMap
$ pki-server ca-config-set ca.publish.rule.instance.FileCrlRule.pluginName Rule
$ pki-server ca-config-set ca.publish.rule.instance.FileCrlRule.predicate ""
$ pki-server ca-config-set ca.publish.rule.instance.FileCrlRule.publisher FileBasedPublisher
$ pki-server ca-config-set ca.publish.rule.instance.FileCrlRule.type crl

To enable CRL publishing:

$ pki-server ca-config-set ca.publish.enable true

To simplify testing, the buffer size for revocation checking can be set to 0 so that the server's own revocation checks of client certificates pick up each certificate revocation immediately instead of working from a cached buffer:

$ pki-server ca-config-set auths.revocationChecking.bufferSize 0

Also, by default the CRL is regenerated only at its scheduled update times. To regenerate (and therefore publish) the CRL immediately after each certificate revocation:

$ pki-server ca-config-set ca.crl.MasterCRL.alwaysUpdate true

Both of these settings are conveniences for testing. On a busy CA, regenerating and publishing the full CRL on every revocation is expensive, so production deployments usually keep the scheduled updates.

Finally, restart the server so that the new configuration is loaded.

Verification

To view the published CRL (this decodes its contents; it does not verify the signature):

$ openssl crl \
    -in /var/lib/pki/pki-tomcat/crl/MasterCRL.bin \
    -inform DER \
    -text \
    -noout
Certificate Revocation List (CRL):
        Version 2 (0x1)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: O = EXAMPLE, OU = pki-tomcat, CN = CA Signing Certificate
        Last Update: Jan 22 00:56:35 2022 GMT
        Next Update: Jan 22 01:00:00 2022 GMT
        CRL extensions:
            X509v3 Authority Key Identifier:
                keyid:6E:27:EA:CC:40:91:88:35:C7:B0:60:45:B3:2C:6A:74:0B:BF:EE:8A

            X509v3 CRL Number:
                2
Revoked Certificates:
    Serial Number: 07
        Revocation Date: Jan 22 00:56:35 2022 GMT
        CRL entry extensions:
            X509v3 CRL Reason Code:
                Certificate Hold
    Signature Algorithm: sha256WithRSAEncryption
         2d:3f:c1:4d:d4:0a:39:a2:bf:ce:bc:12:96:46:b4:c6:c5:8c:
         65:fb:fe:ea:9b:b1:a3:df:7b:a4:b0:57:9d:d8:55:a4:39:b4:
         5a:17:d7:0a:93:4d:7e:0c:0e:da:87:b1:18:5f:21:96:d4:1e:
         c5:3c:ae:07:87:56:e4:30:fc:06:ea:c7:da:61:fd:ea:b6:b1:
         fa:24:bf:54:f0:32:ea:1d:65:91:58:4e:83:fe:50:72:4a:cc:
         37:4b:61:db:43:c9:9b:74:25:e6:64:93:a4:23:02:ba:b9:64:
         4e:99:5f:12:d6:81:d0:bb:52:b7:df:6e:0d:f3:60:98:9a:0f:
         86:e0:da:77:f9:5c:8b:d7:68:92:10:54:cf:10:0b:41:01:e5:
         b9:aa:44:9f:34:bb:18:36:13:5d:4f:02:38:48:24:b2:c2:72:
         60:18:a4:64:65:10:dc:4a:30:ae:71:e6:9b:b4:de:0a:c7:fc:
         4f:a1:d7:68:b6:8b:bf:dd:08:24:ab:8e:28:e8:ef:20:ce:24:
         83:48:65:4f:c2:f0:04:19:08:fd:5b:30:94:b6:d6:71:30:45:
         2d:25:63:5b:e2:7d:bd:f0:c0:2c:1b:f6:da:a6:93:05:21:fd:
         78:ba:a5:a3:ed:88:f5:fb:c9:f0:e5:b0:e3:e9:9a:c0:00:e9:
         44:b2:4a:83
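Decoding the file shows what was published, but not whether it is what the CA actually signed or whether it is still current. The script below is an added example, not part of the dogtagpki/pki wiki, that checks a published CRL the way a relying party would before trusting it: the signature is verified against the CA signing certificate, nextUpdate must still be in the future, and the CRL number and revoked serials are extracted so they can be compared across publishing runs. It assumes the CRL is DER (Filename.der true, as configured above), that the CA signing certificate is available in PEM, for example exported with `pki-server cert-export ca_signing --cert-file ca_signing.crt` (that path and command are not from this page), and that GNU date is available for the nextUpdate comparison.

```shell
#!/bin/sh
# Added example, not part of the dogtagpki/pki wiki: sanity checks to run on a
# CRL after the FileBasedPublisher wrote it, before clients are pointed at it.
# Assumptions (not from the page): the published CRL is DER (Filename.der true),
# the CA signing certificate is available in PEM, for instance exported with
#   pki-server cert-export ca_signing --cert-file ca_signing.crt
# and GNU date is available for the nextUpdate comparison.

# Usage: check_published_crl <crl.der> <ca_signing.crt>
# Prints "ok" and returns 0 when the file parses as a DER CRL, its signature
# verifies against the CA certificate, and nextUpdate has not passed yet.
check_published_crl() {
    crl=$1
    ca=$2

    # 1. Signature. "openssl crl -CAfile" looks the issuer up by subject name
    #    in the given file and reports "verify OK" (on stderr) only when the
    #    CRL signature is valid under that certificate's public key. A CRL
    #    signed by any other key, or a tampered file, fails here.
    if ! openssl crl -in "$crl" -inform DER -CAfile "$ca" -noout 2>&1 \
            | grep -q '^verify OK'; then
        echo "$crl: signature does not verify against $ca" >&2
        return 1
    fi

    # 2. Freshness. A stale CRL at the publishing location is worse than none:
    #    relying parties that enforce nextUpdate will reject every certificate.
    next=$(openssl crl -in "$crl" -inform DER -noout -nextupdate | sed 's/^nextUpdate=//')
    next_epoch=$(date -u -d "$next" +%s)      # GNU date, assumed
    now_epoch=$(date -u +%s)
    if [ "$next_epoch" -le "$now_epoch" ]; then
        echo "$crl: nextUpdate $next is in the past" >&2
        return 1
    fi

    echo ok
}

# Usage: crl_number <crl.der>
# Prints the CRL Number extension in hex ("02" for the CRL shown on this page).
# Record it between publishing runs: it must increase monotonically, otherwise
# an older CRL has been put back in place of a newer one.
crl_number() {
    openssl crl -in "$1" -inform DER -noout -crlnumber \
        | sed -e 's/^crlNumber=//' -e 's/^0x//'
}

# Usage: revoked_serials <crl.der>
# Lists the revoked serial numbers on the CRL in hex, one per line (the page's
# example would print "07"). Used to confirm that a revocation actually made it
# into the published file.
revoked_serials() {
    openssl crl -in "$1" -inform DER -noout -text \
        | sed -n 's/^ *Serial Number: *//p'
}

# When run directly: ./check_crl.sh /var/lib/pki/pki-tomcat/crl/MasterCRL.bin ca_signing.crt
if [ $# -ge 2 ]; then
    check_published_crl "$1" "$2" \
        && echo "CRL number: $(crl_number "$1")" \
        && echo "revoked serials: $(revoked_serials "$1" | tr '\n' ' ')"
fi
```

Run it from cron or from the same hook that publishes, and alert when it returns non-zero or when the CRL number fails to advance; a publishing directory that quietly keeps serving an old, expired or foreign CRL is the failure mode this is meant to catch.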