#7872 Feature: IPA CRL Default Grace period
Opened 5 years ago by schlitzered. Modified 3 years ago

Request for enhancement

IPA CRL Default Grace period

Issue

Right now, by default, CRLs are created without a grace period. This leaves us with a short time where there is no valid CRL available.

I would suggest setting "nextUpdateGracePeriod" to something greater than 0, to allow overlapping CRLs.

With this we can make sure that the old CRL is still valid until the new one has been created and distributed.

Actual behavior

CRL with no overlapping time periods

Expected behavior

CRL with overlapping time periods


It's ca.crl.MasterCRL.nextUpdateGracePeriod in /etc/pki/pki-tomcat/ca/CS.cfg. The default value is 0. A value larger than 0 increases the Next Update field by X minutes.

Metadata Update from @cheimes:
- Issue priority set to: normal
- Issue set to the milestone: FreeIPA 4.8
- Issue tagged with: rfe

5 years ago
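The gap described in the issue and the effect of `ca.crl.MasterCRL.nextUpdateGracePeriod` on it, as an added example that is not part of the ticket or of FreeIPA/Dogtag code. It assumes a fixed generation interval and a fixed publication delay; the function names and the 240-minute and 5-minute values are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

def crl_schedule(start, interval_min, grace_min, count):
    """Return (thisUpdate, nextUpdate) for `count` consecutive CRLs.

    Assumption: a new CRL is generated every `interval_min` minutes and,
    as the ticket comment states, the grace period is added to nextUpdate.
    """
    step = timedelta(minutes=interval_min)
    grace = timedelta(minutes=grace_min)
    return [(start + i * step, start + (i + 1) * step + grace)
            for i in range(count)]

def coverage_gaps(schedule, publish_delay_min):
    """Return windows in which a relying party holds no valid CRL.

    `publish_delay_min` models generation plus distribution time: CRL i+1
    reaches the consumer that many minutes after its thisUpdate.
    """
    delay = timedelta(minutes=publish_delay_min)
    gaps = []
    for (_, prev_next), (this_update, _) in zip(schedule, schedule[1:]):
        available = this_update + delay
        if available > prev_next:  # old CRL expired before the new one arrived
            gaps.append((prev_next, available))
    return gaps

def total_gap_minutes(interval_min, grace_min, publish_delay_min, count=4):
    """Sum the uncovered minutes across `count` consecutive CRLs."""
    start = datetime(2024, 1, 1, tzinfo=timezone.utc)  # constructed start time
    gaps = coverage_gaps(crl_schedule(start, interval_min, grace_min, count),
                         publish_delay_min)
    return sum((end - begin).total_seconds() for begin, end in gaps) / 60

if __name__ == "__main__":
    # Constructed values: 240-minute interval, 5-minute publication delay.
    for grace in (0, 10):
        minutes = total_gap_minutes(240, grace, 5)
        print(f"grace={grace:>2} min -> {minutes:.0f} minutes without a valid CRL")
```

The gap closes only when the grace period is at least as long as the time it takes to generate and distribute the next CRL.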

I'm marking the bug as performance related, too. Without a grace period, all CRL consumers are forced to download the CRL at the same time. A grace period would remove the stampede effect and spread the load of CRL retrieval.

Metadata Update from @cheimes:
- Issue tagged with: performance

3 years ago
