Background use case:
In the case of TLS mutual authentication, it's difficult to manage CRLs. For a particular use case where we wished to use IPA to manage the client certificates and required their use for an nginx-managed service, we configured nginx for TLS server certificate use normally and used "ipa-getcert request" to manage the server certificate, but we also had to add the following client certificate parameters:

```
ssl_client_certificate /etc/ipa/ca.crt;
ssl_verify_client on;
ssl_verify_depth 1;
ssl_crl /etc/nginx/crl/MasterCRL.pem;
```
But doing this requires that you periodically retrieve the updated CRL from IPA and reformat it, along the lines of:
```
cd /etc/nginx/crl
curl -f -O -L --cacert /etc/ipa/ca.crt http://ipa-ca.example.com/ipa/crl/MasterCRL.bin
openssl crl -inform DER -outform PEM -in MasterCRL.bin -out MasterCRL.pem
```
Relevant background nginx config info is here: http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_crl
Feature request:
I would propose that certmonger could be requested to monitor CRL files for their expiration and re-retrieve them from their crlDP, managing the format of the resulting file per the use case above. The getcert request to match this certmonger feature might look like:
```
ipa-getcert track-crl -f /etc/nginx/crl/MasterCRL.pem -C "systemctl reload nginx"
```
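The retrieve-reformat-reload cycle described above, written out as an added example script that is not part of certmonger or this ticket. It uses the URL and paths from the ticket as defaults (override them through the environment variables shown), refreshes only when the installed CRL's nextUpdate is close, verifies the downloaded CRL's signature against the IPA CA before installing it, and replaces the file atomically so nginx never reads a half-written CRL. It assumes GNU `date -d`, `curl` and `openssl` are available; `nextupdate_epoch` and `crl_still_fresh` are helper names chosen for this example.

```shell
#!/bin/sh
# refresh-crl.sh: manual CRL refresh for nginx, written for this example.
# Defaults are the URL and paths from the ticket; the reload hook mirrors
# the proposed `-C "systemctl reload nginx"`.
set -eu

CRL_URL="${CRL_URL:-http://ipa-ca.example.com/ipa/crl/MasterCRL.bin}"
CA_CERT="${CA_CERT:-/etc/ipa/ca.crt}"
CRL_PEM="${CRL_PEM:-/etc/nginx/crl/MasterCRL.pem}"
RELOAD_CMD="${RELOAD_CMD:-systemctl reload nginx}"
# Refresh when the installed CRL's nextUpdate is less than this far away.
MIN_VALID_SECS="${MIN_VALID_SECS:-3600}"

# Convert "nextUpdate=Jan 10 12:00:00 2025 GMT", the line printed by
# `openssl crl -noout -nextupdate`, to seconds since the epoch (GNU date).
nextupdate_epoch() {
    date -u -d "${1#nextUpdate=}" +%s
}

# Succeed (0) when a CRL whose nextUpdate is $1 (epoch seconds) remains
# valid for at least $2 seconds after $3 (epoch seconds, default: now).
crl_still_fresh() {
    _next=$1; _min=$2; _now=${3:-$(date -u +%s)}
    [ $(( _next - _now )) -ge "$_min" ]
}

# Epoch nextUpdate of the PEM CRL at $1, or 0 if it is missing/unreadable
# (0 forces a refresh, which is the safe direction).
installed_nextupdate() {
    [ -r "$1" ] || { echo 0; return 0; }
    _line=$(openssl crl -noout -nextupdate -in "$1" 2>/dev/null) || { echo 0; return 0; }
    nextupdate_epoch "$_line"
}

# Download the DER CRL from its distribution point into $1.
fetch_crl() {
    curl -fsSL --cacert "$CA_CERT" -o "$1" "$CRL_URL"
}

# DER -> PEM, then verify the CRL's signature against the IPA CA before
# trusting it; a CRL that does not verify is never installed.
convert_and_verify() {
    openssl crl -inform DER -outform PEM -in "$1" -out "$2"
    openssl crl -noout -CAfile "$CA_CERT" -in "$2" >/dev/null
}

main() {
    _next=$(installed_nextupdate "$CRL_PEM")
    if crl_still_fresh "$_next" "$MIN_VALID_SECS"; then
        echo "CRL $CRL_PEM still valid; nothing to do"
        return 0
    fi
    _tmpdir=$(mktemp -d)
    trap 'rm -rf "$_tmpdir"' EXIT
    fetch_crl "$_tmpdir/crl.der"
    convert_and_verify "$_tmpdir/crl.der" "$_tmpdir/crl.pem"
    # Atomic replace so nginx never sees a half-written file.
    mv -f "$_tmpdir/crl.pem" "$CRL_PEM"
    sh -c "$RELOAD_CMD"
}

# Only act when invoked as `sh refresh-crl.sh run` (e.g. from a cron entry);
# running it bare or sourcing it just defines the functions.
case "${1:-}" in
    run) main ;;
esac
```

Run it from cron more often than the CA's CRL validity period (for example hourly with `MIN_VALID_SECS` set to a few hours) so a fresh CRL is in place well before nginx would start rejecting every client with an expired one.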
Metadata Update from @lans: - Issue set to the milestone: 0.0 NEEDS_TRIAGE
I would like to vote for this issue, however, I would prefer that it not be tied to IPA specifically and simply download a CRL on a regular basis from a designated address.
I understand that this can simply be done via cron, but it would be nice to have a single point interface for all things certificate related on the system.