Publishing CRL to LDAP Server - dogtagpki/pki GitHub Wiki

Overview

This page describes how to configure the CA to publish its CRL to an LDAP server.

To configure OCSP responder to get the CRL from an LDAP server, see:

Preparing LDAP Server

Prepare a CRL publishing subtree:

$ ldapadd \
    -H ldap://$HOSTNAME:389 \
    -x \
    -D "cn=Directory Manager" \
    -w Secret.123
dn: dc=crl,dc=pki,dc=example,dc=com
objectClass: domain
dc: crl

Configuring CRL Publishing

The CRL publishing configuration is stored in /var/lib/pki/pki-tomcat/ca/conf/CS.cfg.

To configure the LDAP connection:

$ pki-server ca-config-set ca.publish.ldappublish.enable true
$ pki-server ca-config-set ca.publish.ldappublish.ldap.ldapconn.host $HOSTNAME
$ pki-server ca-config-set ca.publish.ldappublish.ldap.ldapconn.port 389
$ pki-server ca-config-set ca.publish.ldappublish.ldap.ldapconn.secureConn false
$ pki-server ca-config-set ca.publish.ldappublish.ldap.ldapauth.authtype BasicAuth
$ pki-server ca-config-set ca.publish.ldappublish.ldap.ldapauth.bindDN "cn=Directory Manager"
$ pki-server ca-config-set ca.publish.ldappublish.ldap.ldapauth.bindPWPrompt internaldb
$ pki-server ca-config-set ca.publish.ldappublish.ldap.ldapauth.clientCertNickname ""

The bindPWPrompt value is the tag under which the bind password is stored in /var/lib/pki/pki-tomcat/conf/password.conf; internaldb reuses the password of the CA's own internal database. Note that with secureConn set to false the CA binds over plaintext LDAP, so the Directory Manager password and the published CRL cross the network unencrypted, and the publishing account has full write access to the directory. Outside a lab, set secureConn to true with the LDAPS port and bind with a dedicated account that can only write to the publishing subtree.

To configure LDAP-based CRL publisher:

$ pki-server ca-config-set ca.publish.publisher.instance.LdapCrlPublisher.crlAttr "certificateRevocationList;binary"
$ pki-server ca-config-set ca.publish.publisher.instance.LdapCrlPublisher.crlObjectClass pkiCA
$ pki-server ca-config-set ca.publish.publisher.instance.LdapCrlPublisher.pluginName LdapCrlPublisher

To configure CRL mapper:

$ pki-server ca-config-set ca.publish.mapper.instance.LdapCrlMap.createCAEntry true
$ pki-server ca-config-set ca.publish.mapper.instance.LdapCrlMap.dnPattern "cn=\$subj.cn,dc=crl,dc=pki,dc=example,dc=com"
$ pki-server ca-config-set ca.publish.mapper.instance.LdapCrlMap.pluginName LdapCaSimpleMap

To configure CRL publishing rule:

$ pki-server ca-config-set ca.publish.rule.instance.LdapCrlRule.enable true
$ pki-server ca-config-set ca.publish.rule.instance.LdapCrlRule.mapper LdapCrlMap
$ pki-server ca-config-set ca.publish.rule.instance.LdapCrlRule.pluginName Rule
$ pki-server ca-config-set ca.publish.rule.instance.LdapCrlRule.predicate ""
$ pki-server ca-config-set ca.publish.rule.instance.LdapCrlRule.publisher LdapCrlPublisher
$ pki-server ca-config-set ca.publish.rule.instance.LdapCrlRule.type crl

To enable CRL publishing:

$ pki-server ca-config-set ca.publish.enable true

To simplify testing, the buffer size for revocation checking can be set to 0 so that each certificate revocation will take effect immediately:

$ pki-server ca-config-set auths.revocationChecking.bufferSize 0

Also by default the CRL is only updated at scheduled times. To update the CRL immediately on each certificate revocation:

$ pki-server ca-config-set ca.crl.MasterCRL.alwaysUpdate true

Finally, restart the server.

Verification

To retrieve the published CRL (the -t option writes the binary attribute value to a temporary file and prints its path in place of the value):

$ ldapsearch \
    -H ldap://$HOSTNAME:389 \
    -x \
    -D "cn=Directory Manager" \
    -w Secret.123 \
    -b "dc=crl,dc=pki,dc=example,dc=com" \
    -o ldif_wrap=no \
    -t \
    "(objectClass=pkiCA)"
dn: cn=CA Signing Certificate,dc=crl,dc=pki,dc=example,dc=com
cn: CA Signing Certificate
sn: CA Signing Certificate
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: pkiCA
certificateRevocationList;binary:< file://<path>

To view the published CRL:

$ openssl crl \
    -in <path> \
    -inform DER \
    -text -noout
Certificate Revocation List (CRL):
        Version 2 (0x1)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: O = EXAMPLE, OU = pki-tomcat, CN = CA Signing Certificate
        Last Update: Jan 22 00:56:35 2022 GMT
        Next Update: Jan 22 01:00:00 2022 GMT
        CRL extensions:
            X509v3 Authority Key Identifier:
                keyid:6E:27:EA:CC:40:91:88:35:C7:B0:60:45:B3:2C:6A:74:0B:BF:EE:8A

            X509v3 CRL Number:
                2
Revoked Certificates:
    Serial Number: 07
        Revocation Date: Jan 22 00:56:35 2022 GMT
        CRL entry extensions:
            X509v3 CRL Reason Code:
                Certificate Hold
    Signature Algorithm: sha256WithRSAEncryption
         2d:3f:c1:4d:d4:0a:39:a2:bf:ce:bc:12:96:46:b4:c6:c5:8c:
         65:fb:fe:ea:9b:b1:a3:df:7b:a4:b0:57:9d:d8:55:a4:39:b4:
         5a:17:d7:0a:93:4d:7e:0c:0e:da:87:b1:18:5f:21:96:d4:1e:
         c5:3c:ae:07:87:56:e4:30:fc:06:ea:c7:da:61:fd:ea:b6:b1:
         fa:24:bf:54:f0:32:ea:1d:65:91:58:4e:83:fe:50:72:4a:cc:
         37:4b:61:db:43:c9:9b:74:25:e6:64:93:a4:23:02:ba:b9:64:
         4e:99:5f:12:d6:81:d0:bb:52:b7:df:6e:0d:f3:60:98:9a:0f:
         86:e0:da:77:f9:5c:8b:d7:68:92:10:54:cf:10:0b:41:01:e5:
         b9:aa:44:9f:34:bb:18:36:13:5d:4f:02:38:48:24:b2:c2:72:
         60:18:a4:64:65:10:dc:4a:30:ae:71:e6:9b:b4:de:0a:c7:fc:
         4f:a1:d7:68:b6:8b:bf:dd:08:24:ab:8e:28:e8:ef:20:ce:24:
         83:48:65:4f:c2:f0:04:19:08:fd:5b:30:94:b6:d6:71:30:45:
         2d:25:63:5b:e2:7d:bd:f0:c0:2c:1b:f6:da:a6:93:05:21:fd:
         78:ba:a5:a3:ed:88:f5:fb:c9:f0:e5:b0:e3:e9:9a:c0:00:e9:
         44:b2:4a:83
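Viewing the CRL is not the same as trusting it: the publishing bind above runs over plaintext LDAP, so the directory contents are only as good as the CRL's own signature. The script below is an added example and not part of the dogtagpki wiki or the project's code. It assumes openssl(1), mktemp(1) and GNU or BSD date(1) are available; because no directory server is reachable offline, make_test_crl builds a constructed stand-in (a throwaway CA, certificate serial 07 on hold, CRL number 2) in place of the CA Signing Certificate and the DER CRL that ldapsearch -t writes to <path>. The checks themselves (signature against the CA certificate, freshness against nextUpdate, presence of the expected serial) are the ones to run on the real file.

```shell
#!/bin/sh
# Added example, not from the dogtagpki wiki: checks a relying party should
# apply to a CRL pulled from LDAP before trusting it. Assumes openssl(1),
# mktemp(1) and GNU or BSD date(1). make_test_crl is a constructed stand-in
# for the CA Signing Certificate and the DER CRL fetched with ldapsearch -t.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# make_test_crl: throwaway CA; issues serial 07, puts it on certificateHold and
# emits CRL number 2 (mirroring the wiki's sample output). Prints the DER CRL
# path; ca.crt and ee.crt are left in $WORK.
make_test_crl() {
  cd "$WORK"
  cat > ca.cnf <<'EOF'
[ ca ]
default_ca = CA_default
[ CA_default ]
database = index.txt
serial = serial
crlnumber = crlnumber
new_certs_dir = .
certificate = ca.crt
private_key = ca.key
default_md = sha256
default_crl_days = 1
policy = policy_any
x509_extensions = v3_ee
[ policy_any ]
commonName = supplied
[ req ]
prompt = no
distinguished_name = dn
[ dn ]
O = EXAMPLE
CN = CA Signing Certificate
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[ v3_ee ]
basicConstraints = CA:FALSE
[ crl_ext ]
authorityKeyIdentifier = keyid:always
EOF
  : > index.txt
  echo 07 > serial
  echo 02 > crlnumber
  openssl req -x509 -config ca.cnf -extensions v3_ca -newkey rsa:2048 -nodes \
    -keyout ca.key -out ca.crt -days 2 >/dev/null 2>&1
  openssl req -config ca.cnf -newkey rsa:2048 -nodes -keyout ee.key \
    -out ee.csr -subj /CN=ee >/dev/null 2>&1
  openssl ca -batch -config ca.cnf -days 1 -notext -in ee.csr -out ee.crt >/dev/null 2>&1
  openssl ca -batch -config ca.cnf -revoke ee.crt -crl_reason certificateHold >/dev/null 2>&1
  openssl ca -batch -config ca.cnf -gencrl -crlexts crl_ext -out crl.pem >/dev/null 2>&1
  openssl crl -in crl.pem -outform DER -out crl.der
  echo "$WORK/crl.der"
}

# crl_signed_by CRL_DER CA_PEM: openssl crl exits 0 even when the signature does
# not verify (it only prints "verify failure"), so match the message, not $?.
crl_signed_by() {
  openssl crl -in "$1" -inform DER -verify -CAfile "$2" -noout 2>&1 | grep -q '^verify OK'
}

# crl_next_update_epoch CRL_DER: nextUpdate as Unix time (GNU date, BSD fallback).
crl_next_update_epoch() {
  nu=$(openssl crl -in "$1" -inform DER -noout -nextupdate | cut -d= -f2-)
  date -u -d "$nu" +%s 2>/dev/null || date -u -j -f '%b %e %H:%M:%S %Y %Z' "$nu" +%s
}

# crl_is_fresh CRL_DER: a CRL past its nextUpdate must be treated as stale.
crl_is_fresh() {
  [ "$(crl_next_update_epoch "$1")" -gt "$(date -u +%s)" ]
}

# crl_lists_serial CRL_DER SERIAL: SERIAL in the hex form openssl prints (e.g. 07).
crl_lists_serial() {
  openssl crl -in "$1" -inform DER -noout -text | grep -q "^ *Serial Number: $2\$"
}

# check_published_crl CRL_DER CA_PEM SERIAL: all three checks, failing closed.
check_published_crl() {
  crl_signed_by "$1" "$2"    || { echo "CRL signature does not verify against $2" >&2; return 1; }
  crl_is_fresh "$1"          || { echo "CRL is past nextUpdate; refusing stale CRL" >&2; return 1; }
  crl_lists_serial "$1" "$3" || { echo "serial $3 is not listed as revoked" >&2; return 1; }
  echo "CRL OK: issued by $2, fresh, serial $3 revoked"
}

CRL=$(make_test_crl)
check_published_crl "$CRL" "$WORK/ca.crt" 07
```

Against a real deployment, replace the constructed CRL with the <path> file from ldapsearch -t and the CA certificate exported from the CA's NSS database; the signature check is what protects you when the LDAP server, or the unencrypted path to it, is not trustworthy.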