#1058 document how CRLs works with dogtag
Closed: Fixed None Opened 14 years ago by simo.

Currently the CRL is created only on the first master.
This means we need to document how to change the configuration to generate and move the CRL on other servers if the master fails, is removed, is renamed etc.

One issue that needs special attention is that we may be storing the CRL URL in the certificates, so changing it can have serious consequences for existing certs.


If you want me to include this in the user doc I'll need some user-level material to work with. I'll need to see how much work is involved to determine if it will even fit into the 6.1 time frame.

The Master CRL file is automatically generated by dogtag every 4 hours (controlled by ca.crl.MasterCRL.autoUpdateInterval in /etc/pki-ca/CS.cfg). It is published to the IPA web server when it is generated. The publish location is https://ipaserver.example.com/ipa/crl/MasterCRL.bin

A CRL is generated on each IPA server.

The OCSP responder in each server certificate will vary depending on which CA issued the certificate.

If a customer wants to use a DNS CNAME to point OCSP clients to then on each IPA server they will need to edit /var/lib/pki-ca/profiles/ca/caIPAserviceCert.cfg and change the value of policyset.serverCertSet.9.default.params.crlDistPointsPointName_0 to point to the same host name.

This change needs to be done post-install and the CA restarted (service pki-cad restart).
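The comment above describes two settings an administrator has to keep consistent across replicas: the CRL update interval in /etc/pki-ca/CS.cfg and the CRL distribution point in /var/lib/pki-ca/profiles/ca/caIPAserviceCert.cfg. The script below is an added example, not code from the ticket or from FreeIPA or dogtag, that reads those values from the key=value cfg files and reports whether every server's profile advertises the same CRL distribution point. The key names and paths are the ones quoted in the comment; the cfg files it creates are constructed samples; the assumption that ca.crl.MasterCRL.autoUpdateInterval is expressed in minutes (240 for the 4 hours mentioned above) and the use of `openssl x509 -ext`, which needs OpenSSL 1.1.1 or later, are the author's assumptions.

```shell
#!/bin/sh
# Added example (not from the ticket): audit the CRL distribution point and
# CRL update interval that dogtag is configured with on each IPA CA.

PROFILE_KEY='policyset.serverCertSet.9.default.params.crlDistPointsPointName_0'
INTERVAL_KEY='ca.crl.MasterCRL.autoUpdateInterval'

# Print the value of KEY from a dogtag key=value cfg file (empty if absent).
# The key is compared literally, so the dots in it are not regex wildcards.
cfg_value() {
    key="$1"; file="$2"
    awk -F= -v k="$key" '$1 == k { print substr($0, length(k) + 2); exit }' "$file"
}

# Convert the MasterCRL update interval to hours. Assumption: dogtag stores
# the interval in minutes, so 240 corresponds to the 4 hours the ticket cites.
crl_interval_hours() {
    m="$(cfg_value "$INTERVAL_KEY" "$1")"
    [ -n "$m" ] || return 1
    echo $((m / 60))
}

# Given the caIPAserviceCert.cfg of one or more servers, print the distinct
# CRL distribution point values, one per line. Returns 0 when every file
# agrees (the situation the ticket asks for when a DNS CNAME is used) and
# 1 when the servers would stamp different URLs into the certs they issue.
crl_points_consistent() {
    values=""
    for f in "$@"; do
        v="$(cfg_value "$PROFILE_KEY" "$f")"
        [ -n "$v" ] || v="<unset>"
        values="${values}${v}
"
    done
    distinct="$(printf '%s' "$values" | sort -u)"
    printf '%s\n' "$distinct"
    [ "$(printf '%s\n' "$distinct" | awk 'END { print NR }')" -eq 1 ]
}

# Show the CRL distribution point(s) that an already issued certificate
# carries, which is what existing clients will keep using after a change.
cert_crl_points() {
    openssl x509 -in "$1" -noout -ext crlDistributionPoints | grep -o 'URI:[^ ,]*'
}

# Stand-alone demo on constructed files (these are not real IPA configs).
demo="$(mktemp -d)"
printf '%s=240\n' "$INTERVAL_KEY" > "$demo/CS.cfg"
printf '%s=https://ipa-crl.example.com/ipa/crl/MasterCRL.bin\n' "$PROFILE_KEY" > "$demo/ipa1.cfg"
printf '%s=https://ipa-crl.example.com/ipa/crl/MasterCRL.bin\n' "$PROFILE_KEY" > "$demo/ipa2.cfg"
printf '%s=https://ipa3.example.com/ipa/crl/MasterCRL.bin\n' "$PROFILE_KEY" > "$demo/ipa3.cfg"

echo "MasterCRL regenerated every $(crl_interval_hours "$demo/CS.cfg") hour(s)"
echo "Checking ipa1 and ipa2:"
crl_points_consistent "$demo/ipa1.cfg" "$demo/ipa2.cfg" || echo "MISMATCH"
echo "Checking all three:"
crl_points_consistent "$demo/ipa1.cfg" "$demo/ipa2.cfg" "$demo/ipa3.cfg" || echo "MISMATCH"
rm -rf "$demo"
```

Run it on real servers by collecting each replica's caIPAserviceCert.cfg into one directory and passing the copies to `crl_points_consistent`; a MISMATCH means at least one CA will issue certificates whose CRL URL differs from the others, which is the situation the comment says must be avoided after the post-install edit and `service pki-cad restart`.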

Metadata Update from @simo:
- Issue assigned to rcritten
- Issue set to the milestone: FreeIPA 2.1 - 2011/08 (Final)

8 years ago
