Background use case:
In the case of TLS mutual authentication, it's difficult to manage CRLs. For a particular use case where we wished to use IPA to manage the client certificates and required their use for an nginx-managed service, we configured nginx for TLS server certificate use normally and used "ipa-getcert request" to manage the server certificate - but we also had to add the following client certificate parameters:
But doing this requires that you periodically retrieve the updated CRL from IPA and reformat it, along the lines of:
curl -f -O -L --cacert /etc/ipa/ca.crt http://ipa-ca.example.com/ipa/crl/MasterCRL.bin
openssl crl -inform DER -outform PEM -in MasterCRL.bin -out MasterCRL.pem
Relevant background nginx config info is here:
I would propose that certmonger could be requested to monitor CRL files for their expiration and re-retrieve them from their crlDP, managing the format of the resulting file per the use case above. The getcert request to match this certmonger feature might look like:
ipa-getcert track-crl -f /etc/nginx/crl/MasterCRL.pem -C "systemctl reload nginx"
Metadata Update from @lans:
- Issue set to the milestone: 0.0 NEEDS_TRIAGE
I would like to vote for this issue; however, I would prefer that it not be tied to IPA specifically and simply download a CRL on a regular basis from a designated address.
I understand that this can simply be done via cron, but it would be nice to have a single point interface for all things certificate related on the system.