IPA CRL Default Grace period
Right now, by default, CRLs are created without a grace period. This leaves us with a short time where there is no valid CRL available.
I would suggest setting "nextUpdateGracePeriod" to something greater than 0, to allow overlapping CRLs.
With this we can make sure that the old CRL is still valid until the new one has been created and distributed.
CRL with no overlapping time periods
CRL with overlapping time periods
It's ca.crl.MasterCRL.nextUpdateGracePeriod in /etc/pki/pki-tomcat/ca/CS.cfg. The default value is 0. A value larger than 0 increases the Next Update field by X minutes.
Metadata Update from @cheimes:
- Issue priority set to: normal
- Issue set to the milestone: FreeIPA 4.8
- Issue tagged with: rfe
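An added example, not part of the ticket and not FreeIPA or Dogtag code: a small model of the gap discussed above, which lists the windows in which a client holds no valid CRL for a given grace period. The update interval, the publication delays and the dates are constructed sample values; the only behaviour taken from the ticket is that the grace period is added to the Next Update field.

```python
from datetime import datetime, timedelta, timezone

def crl_schedule(start, interval_min, grace_min, delays_min):
    """Model one CRL per entry of delays_min (minutes until clients can fetch it)."""
    crls = []
    for k, delay in enumerate(delays_min):
        this_update = start + timedelta(minutes=k * interval_min)
        crls.append({
            "this_update": this_update,
            # As described in the ticket: the grace period is added to Next Update.
            "next_update": this_update + timedelta(minutes=interval_min + grace_min),
            "available_at": this_update + timedelta(minutes=delay),
        })
    return crls

def coverage_gaps(crls):
    """Return (start, end) windows in which no fetched CRL is still valid."""
    windows = sorted((c["available_at"], c["next_update"])
                     for c in crls if c["available_at"] < c["next_update"])
    gaps = []
    if not windows:
        return gaps
    covered_until = windows[0][1]
    for begin, end in windows[1:]:
        if begin > covered_until:  # old CRL expired before the new one arrived
            gaps.append((covered_until, begin))
        covered_until = max(covered_until, end)
    return gaps

def gap_minutes(crls):
    """Total minutes without a valid CRL across the modelled schedule."""
    return sum((end - begin).total_seconds() for begin, end in coverage_gaps(crls)) / 60

# Constructed sample values, not taken from the ticket or from a real deployment.
START = datetime(2019, 1, 1, tzinfo=timezone.utc)
INTERVAL_MIN = 240          # assumed CRL update interval
DELAYS_MIN = [2, 5, 3, 10]  # assumed generation + distribution delay per CRL

if __name__ == "__main__":
    for grace in (0, 5, 15):
        crls = crl_schedule(START, INTERVAL_MIN, grace, DELAYS_MIN)
        print(f"grace={grace:>2} min -> {len(coverage_gaps(crls))} gap(s), "
              f"{gap_minutes(crls):.0f} min without a valid CRL")
```

In this model a gap disappears once the grace period is at least as long as the slowest generation and distribution delay.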