#7872 Feature: IPA CRL Default Grace period
Opened 5 months ago by schlitzered. Modified 5 months ago

Request for enhancement

IPA CRL Default Grace period


Right now, by default, CRLs are created without a grace period. This leaves us with a short time where there is no valid CRL available.

I would suggest setting "nextUpdateGracePeriod" to something greater than 0, to allow overlapping CRLs.

With this we can make sure that the old CRL is still valid until the new one has been created and distributed.

Actual behavior

CRL with no overlapping time periods

Expected behavior

CRL with overlapping time periods

It's ca.crl.MasterCRL.nextUpdateGracePeriod in /etc/pki/pki-tomcat/ca/CS.cfg. The default value is 0. A value larger than 0 increases the Next Update field by X minutes.

Metadata Update from @cheimes:
- Issue priority set to: normal
- Issue set to the milestone: FreeIPA 4.8
- Issue tagged with: rfe

5 months ago
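
Added example (not part of the ticket and not FreeIPA or Dogtag code): a small model of the gap described above, reading `nextUpdateGracePeriod` from CS.cfg-style text and listing the windows in which the old CRL has expired before its successor is available. The `autoUpdateInterval` key and its value, the publication delay and the sample configuration are assumptions made for the illustration.

```python
from datetime import datetime, timedelta

# Constructed CS.cfg excerpt. Only nextUpdateGracePeriod comes from the ticket;
# autoUpdateInterval (minutes between CRL generations) is assumed here.
SAMPLE_CS_CFG = """\
ca.crl.MasterCRL.autoUpdateInterval=240
ca.crl.MasterCRL.nextUpdateGracePeriod=0
"""

PREFIX = "ca.crl.MasterCRL."


def read_crl_settings(text):
    """Return the integer-valued MasterCRL settings from CS.cfg-style text."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        if key.startswith(PREFIX) and value.strip().isdigit():
            settings[key[len(PREFIX):]] = int(value)
    return settings


def coverage_gaps(settings, publish_delay_min, start, count=3):
    """Simulate `count` CRLs and return (gap_start, gap_end) windows with no valid CRL.

    publish_delay_min is a hypothetical time needed to generate and
    distribute each new CRL to the clients that check it.
    """
    interval = timedelta(minutes=settings["autoUpdateInterval"])
    grace = timedelta(minutes=settings.get("nextUpdateGracePeriod", 0))
    delay = timedelta(minutes=publish_delay_min)
    gaps = []
    for i in range(count - 1):
        this_update = start + i * interval
        # The grace period pushes the Next Update field out by `grace`.
        next_update = this_update + interval + grace
        successor_available = this_update + interval + delay
        if successor_available > next_update:
            gaps.append((next_update, successor_available))
    return gaps


if __name__ == "__main__":
    cfg = read_crl_settings(SAMPLE_CS_CFG)
    for begin, end in coverage_gaps(cfg, 5, datetime(2019, 1, 1)):
        print(f"no valid CRL from {begin} to {end}")
```

A grace period at least as long as the publication delay makes the returned list empty.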
