Setting up CRL Database - dogtagpki/pki GitHub Wiki
This page describes the process to set up a CRL database in LDAP which can be shared by the CA and OCSP subsystems, so that CRLs published by the CA can be read by the OCSP responder from the same place.
If necessary, the CRL database can be stored in a separate DS backend. A dedicated backend keeps the CRL suffix, and the anonymous-read ACI added below, separate from the CA's own database.
To create a new DS backend (the examples on this page pass the Directory Manager password with -w for brevity; on a shared host use -W to be prompted, or -y with a password file, so the password does not appear in process listings or shell history):
$ dsconf \
-D "cn=Directory Manager" \
-w Secret.123 \
ldap://ds.example.com:389 \
backend create \
--suffix=dc=crl,dc=pki,dc=example,dc=com \
--be-name=crl
To add the base entry (the ACI grants anonymous read, search and compare on everything under the suffix except userPassword and aci, which is what lets OCSP responders and other clients fetch CRLs without binding; no ACI grants write access, so only Directory Manager, which bypasses ACIs, can modify the suffix until further ACIs are added):
$ ldapadd \
-H ldap://ds.example.com:389 \
-x \
-D "cn=Directory Manager" \
-w Secret.123 << EOF
dn: dc=crl,dc=pki,dc=example,dc=com
objectClass: domain
dc: crl
aci: (targetattr!="userPassword || aci")(version 3.0; acl "Enable anonymous access"; allow (read, search, compare) userdn="ldap:///anyone";)
EOF
Verify that the CRL database can be accessed anonymously (no -D or -w; the search should return the base entry created above):
$ ldapsearch \
-H ldap://ds.example.com:389 \
-x \
-b "dc=crl,dc=pki,dc=example,dc=com"
If necessary, the CRL database can be replicated into multiple LDAP servers. Both servers below are given the supplier role, each with its own replica ID, so changes can be accepted on either server and are replicated in both directions.
To enable replication in the primary database:
$ dsconf \
-D "cn=Directory Manager" \
-w Secret.123 \
ldap://primaryds.example.com:389 \
replication enable \
--suffix=dc=crl,dc=pki,dc=example,dc=com \
--role=supplier \
--replica-id=1 \
--bind-dn="cn=Replication Manager,cn=config" \
--bind-passwd=Secret.123
To enable replication in the secondary database:
$ dsconf \
-D "cn=Directory Manager" \
-w Secret.123 \
ldap://secondaryds.example.com:389 \
replication enable \
--suffix=dc=crl,dc=pki,dc=example,dc=com \
--role=supplier \
--replica-id=2 \
--bind-dn="cn=Replication Manager,cn=config" \
--bind-passwd=Secret.123
To create the replication agreement in the primary database (the example uses a plain LDAP connection with a SIMPLE bind, which sends the replication manager password over the network in cleartext; for anything beyond a test setup use --conn-protocol=LDAPS with --port=636, or --conn-protocol=StartTLS):
$ dsconf \
-D "cn=Directory Manager" \
-w Secret.123 \
ldap://primaryds.example.com:389 \
repl-agmt create \
--suffix=dc=crl,dc=pki,dc=example,dc=com \
--host=secondaryds.example.com \
--port=389 \
--conn-protocol=LDAP \
--bind-dn="cn=Replication Manager,cn=config" \
--bind-passwd=Secret.123 \
--bind-method=SIMPLE \
primaryds-to-secondaryds
To create the replication agreement in the secondary database:
$ dsconf \
-D "cn=Directory Manager" \
-w Secret.123 \
ldap://secondaryds.example.com:389 \
repl-agmt create \
--suffix=dc=crl,dc=pki,dc=example,dc=com \
--host=primaryds.example.com \
--port=389 \
--conn-protocol=LDAP \
--bind-dn="cn=Replication Manager,cn=config" \
--bind-passwd=Secret.123 \
--bind-method=SIMPLE \
secondaryds-to-primaryds
To start the initialization. Run this once and only from the primary: the init performs a total update of the secondary from the primary's contents, so initializing in the other direction would overwrite the primary with the secondary's still-empty database:
$ dsconf \
-D "cn=Directory Manager" \
-w Secret.123 \
ldap://primaryds.example.com:389 \
repl-agmt init \
--suffix=dc=crl,dc=pki,dc=example,dc=com \
primaryds-to-secondaryds
Wait for the initialization to complete; repeat the status check until it reports success:
$ dsconf \
-D "cn=Directory Manager" \
-w Secret.123 \
ldap://primaryds.example.com:389 \
repl-agmt init-status \
--suffix=dc=crl,dc=pki,dc=example,dc=com \
primaryds-to-secondaryds
Agreement successfully initialized.
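A way to verify the result of the whole procedure, as an added example (not code from the dogtagpki/pki wiki): the script below checks that the CRL suffix is readable but not writable with an anonymous bind, waits for the replication agreement to report initialization, and confirms that a change written to the primary shows up on the secondary. The host names, suffix and agreement name are the ones used above; the password file path, the probe attribute (description on the base entry) and the timeouts are assumptions.

```shell
#!/bin/sh
# crl-db-check.sh: post-setup checks for a CRL database built as described
# on this page. Added example, not code from the dogtagpki/pki wiki.
# Assumptions (not from the page): the password file path DM_PWFILE, the use
# of the description attribute as a replication probe, and the timeouts.
set -u

SUFFIX="dc=crl,dc=pki,dc=example,dc=com"
PRIMARY_URL="ldap://primaryds.example.com:389"
SECONDARY_URL="ldap://secondaryds.example.com:389"
AGMT="primaryds-to-secondaryds"
# Directory Manager password kept in a mode-0600 file and passed with -y
# instead of -w, so it does not appear in process listings or shell history.
DM_PWFILE="${DM_PWFILE:-/etc/pki/dm-password}"

# Check 1: the base entry is readable with an anonymous bind (-x, no -D/-w).
# Returns 0 when the entry's dn comes back, 1 otherwise.
anon_read_ok() {
    ldapsearch -LLL -H "$1" -x -b "$SUFFIX" -s base dn 2>/dev/null \
        | grep -qi "^dn: $SUFFIX\$"
}

# Check 2: an anonymous bind must not be able to modify the suffix.
# ldapmodify exits with the LDAP result code; 50 is insufficientAccessRights.
anon_write_denied() {
    printf 'dn: %s\nchangetype: modify\nreplace: description\ndescription: probe\n' \
        "$SUFFIX" | ldapmodify -H "$1" -x >/dev/null 2>&1
    [ "$?" -eq 50 ]
}

# Check 3: parse the output of "dsconf ... repl-agmt init-status".
# Returns 0 once the agreement reports a successful initialization.
init_finished() {
    printf '%s\n' "$1" | grep -q 'successfully initialized'
}

# Poll init-status every 5 s until initialized or the timeout (seconds) expires.
wait_for_init() {
    url=$1; agmt=$2; timeout=${3:-300}; elapsed=0; status=""
    while [ "$elapsed" -lt "$timeout" ]; do
        status=$(dsconf -D "cn=Directory Manager" -y "$DM_PWFILE" "$url" \
                     repl-agmt init-status --suffix="$SUFFIX" "$agmt" 2>&1)
        if init_finished "$status"; then
            return 0
        fi
        sleep 5
        elapsed=$((elapsed + 5))
    done
    echo "timed out waiting for $agmt: $status" >&2
    return 1
}

# Check 4: end-to-end convergence. Write a marker on the primary as
# Directory Manager, then read it back anonymously from the secondary.
replication_converged() {
    marker="probe-$(date +%s)"
    printf 'dn: %s\nchangetype: modify\nreplace: description\ndescription: %s\n' \
        "$SUFFIX" "$marker" \
        | ldapmodify -H "$PRIMARY_URL" -x -D "cn=Directory Manager" -y "$DM_PWFILE" \
          >/dev/null 2>&1 || return 1
    tries=0
    while [ "$tries" -lt 30 ]; do
        if ldapsearch -LLL -H "$SECONDARY_URL" -x -b "$SUFFIX" -s base description 2>/dev/null \
            | grep -q "^description: $marker\$"; then
            return 0
        fi
        sleep 2
        tries=$((tries + 1))
    done
    return 1
}

# Run all checks with: sh crl-db-check.sh check
# Nothing touches the network unless "check" is given as the first argument.
if [ "${1:-}" = "check" ]; then
    rc=0
    for url in "$PRIMARY_URL" "$SECONDARY_URL"; do
        anon_read_ok "$url"      && echo "anonymous read  $url: ok" || { echo "anonymous read  $url: FAILED"; rc=1; }
        anon_write_denied "$url" && echo "anonymous write $url: denied (ok)" || { echo "anonymous write $url: NOT denied"; rc=1; }
    done
    wait_for_init "$PRIMARY_URL" "$AGMT" && echo "init $AGMT: done" || rc=1
    replication_converged && echo "replication: converged" || { echo "replication: marker not seen on secondary"; rc=1; }
    exit "$rc"
fi
```

Run it after the initialization step. A failing anonymous-write check means the suffix has picked up an ACI that grants more than read access; a failing convergence check with a successful init usually points at the reverse agreement (secondaryds-to-primaryds) or at the replication manager credentials on the other side.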