#43 RFE: Monitor/maintain local CRL copies
Opened 3 years ago by lans. Modified a year ago

Background use case:

In the case of TLS mutual authentication, it's difficult to manage CRLs. For a particular use case where we wished to use IPA to manage the client certificates and required their use for an nginx-managed service, we configured nginx for TLS server certificate use normally and used "ipa-getcert request" to manage the server certificate - but we also had to add the following client certificate parameters:

ssl_client_certificate /etc/ipa/ca.crt;
ssl_verify_client on;
ssl_verify_depth 1;
ssl_crl /etc/nginx/crl/MasterCRL.pem;

But doing this requires that you periodically retrieve the updated CRL from IPA and reformat it, along the lines of:

cd /etc/nginx/crl
curl -f -O -L --cacert /etc/ipa/ca.crt http://ipa-ca.example.com/ipa/crl/MasterCRL.bin
openssl crl -inform DER -outform PEM -in MasterCRL.bin -out MasterCRL.pem

Relevant background nginx config info is here:
http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_crl

Feature request:

I would propose that certmonger could be requested to monitor CRL files for their expiration and re-retrieve them from their crlDP, managing the format of the resulting file per the use case above. The getcert request to match this certmonger feature might look like:

ipa-getcert track-crl -f /etc/nginx/crl/MasterCRL.pem -C "systemctl reload nginx"


Metadata Update from @lans:
- Issue set to the milestone: 0.0 NEEDS_TRIAGE

2 years ago

I would like to vote for this issue; however, I would prefer that it not be tied to IPA specifically and simply download a CRL on a regular basis from a designated address.

I understand that this can simply be done via cron, but it would be nice to have a single point interface for all things certificate related on the system.
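
The cron-style workaround both posts describe, written out as an added example (it is not part of the ticket and is not certmonger code): re-fetch the CRL only when the local copy is close to its nextUpdate, verify it against the IPA CA, swap it in with a rename and reload nginx. The URL, paths and reload command are the ones quoted in the ticket; `REFRESH_MARGIN`, the `run` argument and the use of GNU `date` are assumptions.

```shell
#!/bin/sh
# Added example: refresh a local PEM CRL shortly before its nextUpdate.
# URL, paths and reload command are the ones quoted in the ticket;
# REFRESH_MARGIN and the "run" argument are assumptions of this sketch.
CRL_URL="${CRL_URL:-http://ipa-ca.example.com/ipa/crl/MasterCRL.bin}"
CA_CERT="${CA_CERT:-/etc/ipa/ca.crt}"
CRL_PEM="${CRL_PEM:-/etc/nginx/crl/MasterCRL.pem}"
RELOAD_CMD="${RELOAD_CMD:-systemctl reload nginx}"
REFRESH_MARGIN="${REFRESH_MARGIN:-3600}"  # seconds before nextUpdate

# crl_is_stale NEXT_UPDATE NOW MARGIN (epoch seconds, epoch seconds, seconds)
# Succeeds when NOW is at or past NEXT_UPDATE - MARGIN.
crl_is_stale() {
    [ "$(( $1 - $3 ))" -le "$2" ]
}

# Print a PEM CRL's nextUpdate as epoch seconds (needs GNU date).
crl_next_update_epoch() {
    nu=$(openssl crl -in "$1" -noout -nextupdate) || return 1
    date -u -d "${nu#nextUpdate=}" +%s
}

refresh_crl() {
    # Keep the current copy while it parses and is outside the margin.
    if [ -s "$CRL_PEM" ] && cur=$(crl_next_update_epoch "$CRL_PEM") &&
        ! crl_is_stale "$cur" "$(date +%s)" "$REFRESH_MARGIN"; then
        return 0
    fi
    tmp=$(mktemp -d) || return 1
    trap 'rm -rf "$tmp"' EXIT
    # Plain HTTP as in the ticket; the signature check below is what
    # authenticates the downloaded CRL.
    curl -fsSL -o "$tmp/crl.bin" "$CRL_URL" || return 1
    openssl crl -inform DER -outform PEM \
        -in "$tmp/crl.bin" -out "$tmp/crl.pem" || return 1
    # Reject a CRL not signed by the CA that nginx trusts.
    openssl crl -in "$tmp/crl.pem" -CAfile "$CA_CERT" -noout 2>&1 |
        grep -q 'verify OK' || return 1
    # Reject a download that is already past its own nextUpdate.
    new=$(crl_next_update_epoch "$tmp/crl.pem") || return 1
    if crl_is_stale "$new" "$(date +%s)" 0; then return 1; fi
    # Copy next to the target, then rename, so nginx never sees a partial file.
    install -m 0644 "$tmp/crl.pem" "$CRL_PEM.new" &&
        mv -f "$CRL_PEM.new" "$CRL_PEM" || return 1
    $RELOAD_CMD
}

if [ "${1:-}" = "run" ]; then refresh_crl; fi
```

Scheduled with the `run` argument at an interval shorter than `REFRESH_MARGIN`, the script leaves nginx untouched on most runs and reloads it only after a verified replacement.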
