IPA CRL Default Grace period
Right now, by default, CRLs are created without a grace period. This leaves us with a short time where there is no valid CRL available.
I would suggest setting "nextUpdateGracePeriod" to something greater than 0, to allow overlapping CRLs.
With this we can make sure that the old CRL is still valid until the new one has been created and distributed.
CRL with no overlapping time periods
CRL with overlapping time periods
It's ca.crl.MasterCRL.nextUpdateGracePeriod in /etc/pki/pki-tomcat/ca/CS.cfg. The default value is 0. A value larger than 0 increases the Next Update field by X minutes.
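To make the effect of the setting concrete, here is a small added model (not code from FreeIPA or Dogtag) of how consecutive MasterCRL validity windows line up with and without a grace period. The issuance interval, the generation/distribution lag and the consumer count are constructed assumptions; in the model, nextUpdate is thisUpdate plus the issuance interval plus the grace minutes, which is what the CS.cfg option is described as doing above. It reports the minutes during which no distributed, unexpired CRL exists, and how many consumers hit the CA in the busiest minute of a rollover when they re-fetch at a random moment before the old CRL's nextUpdate.

```python
from datetime import datetime, timedelta
import random

# Constructed example values; the real ones come from the CA's CRL configuration.
BASE = datetime(2019, 1, 1, 0, 0)
UPDATE_INTERVAL_MIN = 240   # assumed minutes between MasterCRL issuances
PUBLISH_DELAY_MIN = 5       # assumed generation + distribution lag before consumers see a CRL


def crl_schedule(grace_min, interval_min=UPDATE_INTERVAL_MIN, count=3, base=BASE):
    """Consecutive (thisUpdate, nextUpdate) pairs for the modelled CA.

    nextUpdate = thisUpdate + issuance interval + nextUpdateGracePeriod (minutes),
    so grace_min=0 gives back-to-back windows and grace_min>0 gives overlapping ones.
    """
    return [
        (base + timedelta(minutes=interval_min * i),
         base + timedelta(minutes=interval_min * (i + 1) + grace_min))
        for i in range(count)
    ]


def uncovered_minutes(schedule, publish_delay_min=PUBLISH_DELAY_MIN):
    """Total minutes across all rollovers during which a consumer has no CRL that is
    both already distributed and still before its nextUpdate."""
    gap = 0.0
    for (_, next_prev), (this_cur, _) in zip(schedule, schedule[1:]):
        available = this_cur + timedelta(minutes=publish_delay_min)
        if available > next_prev:
            gap += (available - next_prev).total_seconds() / 60
    return gap


def peak_fetches_per_minute(schedule, consumers=1000,
                            publish_delay_min=PUBLISH_DELAY_MIN, seed=1):
    """Busiest minute of the first rollover.

    Each consumer re-fetches at a random moment between the new CRL becoming
    available and the old CRL's nextUpdate. With no grace period that window has
    already closed when the new CRL appears, so every consumer fetches at once.
    """
    rng = random.Random(seed)  # fixed seed so the result is reproducible
    (_, next_prev), (this_cur, _) = schedule[0], schedule[1]
    available = this_cur + timedelta(minutes=publish_delay_min)
    deadline = max(available, next_prev)
    window_min = (deadline - available).total_seconds() / 60
    buckets = {}
    for _ in range(consumers):
        offset = rng.uniform(0, window_min) if window_min > 0 else 0.0
        minute = int(offset)
        buckets[minute] = buckets.get(minute, 0) + 1
    return max(buckets.values())


if __name__ == "__main__":
    for grace in (0, 3, 30):
        sched = crl_schedule(grace)
        print(f"grace={grace:>2} min: uncovered={uncovered_minutes(sched):>4.1f} min, "
              f"peak fetches/min={peak_fetches_per_minute(sched)}")
```

Note that a grace period smaller than the real generation-plus-distribution lag still leaves a gap, so the value should be chosen against the measured time it takes a new MasterCRL to reach all consumers, not picked arbitrarily.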
Metadata Update from @cheimes: - Issue priority set to: normal - Issue set to the milestone: FreeIPA 4.8 - Issue tagged with: rfe
I'm marking the bug as performance related, too. Without a grace period all CRL consumers are forced to download the CRL at the same time. A grace period would remove the stampede effect and spread the load of CRL retrieval.
Metadata Update from @cheimes: - Issue tagged with: performance