| Summary: | add options to enable/disable cert or crl publishing. | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Thorsten Scherf <tscherf> |
| Component: | pki-core | Assignee: | Ade Lee <alee> |
| Status: | CLOSED ERRATA | QA Contact: | Asha Akkiangady <aakkiang> |
| Severity: | medium | Docs Contact: | Marc Muehlfeld <mmuehlfe> |
| Priority: | medium | | |
| Version: | 7.2 | CC: | alee, nkinder, ssidhaye |
| Target Milestone: | rc | | |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | pki-core-10.4.0-1.el7 | Doc Type: | Enhancement |
| Story Points: | --- | | |
| Clone Of: | | Environment: | |
| Last Closed: | 2017-08-01 22:46:01 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |

Doc Text:

Certificate System now supports enabling and disabling certificate and CRL publishing

Prior to this update, if publishing was enabled in a certificate authority (CA), Certificate System automatically enabled both certificate revocation list (CRL) and certificate publishing. Consequently, on servers that did not have certificate publishing enabled, error messages were logged. Certificate System has been enhanced, and now supports enabling and disabling certificate and CRL publishing independently in the `/var/lib/pki/<instance>/ca/conf/CS.cfg` file.

To enable or disable both certificate and CRL publishing, set:

```
ca.publish.enable = True|False
```

To enable only CRL publishing, set:

```
ca.publish.enable = True
ca.publish.cert.enable = False
```

To enable only certificate publishing, set:

```
ca.publish.enable = True
ca.publish.crl.enable = False
```
Description
Thorsten Scherf
2016-04-08 06:59:00 UTC
```
commit f0551f75618cd30de3efc3154f37a5f53504896c
Author: Ade Lee <alee>
Date:   Wed May 18 15:33:36 2016 -0400
```

Add parameters to disable cert or crl publishing

Right now, if publishing is enabled, both CRL and cert publishing are enabled. This causes a bunch of spurious error messages on IPA servers, as cert publishing is not configured.

As it is impossible to determine if cert publishing is not desired or simply misconfigured, we provide options to explicitly disable either cert or crl publishing.

Specifically:

To enable/disable both cert and crl publishing (this is the legacy behavior):

```
ca.publish.enable = True/False
```

To enable CRL publishing only:

```
ca.publish.enable = True
ca.publish.cert.enable = False
```

To enable cert publishing only:

```
ca.publish.enable = True
ca.publish.crl.enable = False
```

Ticket 2275
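The doc text and the commit message above describe the same three-flag scheme but leave the precedence implicit (what happens when a sub-flag is set while the master flag is off, or when a sub-flag is simply absent). The following checker is an added example, not code from this bug report or from pki-core. It parses CS.cfg-style `key=value` text and reports which publishers are effectively on, so an administrator can confirm the intended state before restarting the CA. Assumptions not stated on the page: an absent `ca.publish.cert.enable` or `ca.publish.crl.enable` defaults to enabled (the pre-fix legacy behaviour), an absent `ca.publish.enable` means publishing is off, values are compared case-insensitively, and lines are plain `key=value` with `#` comments. The sample fragments are constructed, not real CS.cfg files.

```python
"""Effective-publishing check for a Certificate System CS.cfg fragment.

Added example (not from the bug report or pki-core). It applies the
precedence implied by the bug: ca.publish.enable gates everything, and
ca.publish.cert.enable / ca.publish.crl.enable can only narrow what the
master flag allows. Defaults for absent keys are assumptions, see below.
"""
from typing import Dict

MASTER = "ca.publish.enable"
CERT = "ca.publish.cert.enable"
CRL = "ca.publish.crl.enable"


def parse_cs_cfg(text: str) -> Dict[str, str]:
    """Parse key=value lines; blank lines and '#' comments are ignored.

    Spaces around '=' are tolerated because the doc text writes
    'key = value' while real CS.cfg files write 'key=value'.
    """
    cfg: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        cfg[key.strip()] = value.strip()
    return cfg


def _flag(cfg: Dict[str, str], key: str, default: bool) -> bool:
    """Read a boolean flag; anything other than 'true' (any case) is False."""
    value = cfg.get(key)
    if value is None:
        return default  # assumption: documented default for an absent key
    return value.lower() == "true"


def effective_publishing(cfg: Dict[str, str]) -> Dict[str, bool]:
    """Return which publishers are effectively enabled.

    Assumed defaults: master off when absent, sub-flags on when absent
    (the legacy 'enable publishing enables both' behaviour).
    """
    master = _flag(cfg, MASTER, default=False)
    return {
        "cert": master and _flag(cfg, CERT, default=True),
        "crl": master and _flag(cfg, CRL, default=True),
    }


def check_config(text: str) -> Dict[str, bool]:
    """Convenience wrapper: parse a CS.cfg fragment and evaluate it."""
    return effective_publishing(parse_cs_cfg(text))


# Constructed sample fragments, one per scenario named in the bug report.
LEGACY_BOTH = "# legacy: master flag only\nca.publish.enable=true\n"
CRL_ONLY = "ca.publish.enable = True\nca.publish.cert.enable = False\n"
CERT_ONLY = "ca.publish.enable = True\nca.publish.crl.enable = False\n"
# A sub-flag set to true while the master flag is off: master wins.
MASTER_OFF = "ca.publish.enable=false\nca.publish.crl.enable=true\n"

if __name__ == "__main__":
    for name, fragment in [
        ("legacy (both)", LEGACY_BOTH),
        ("crl only", CRL_ONLY),
        ("cert only", CERT_ONLY),
        ("master off", MASTER_OFF),
    ]:
        print(f"{name:14s} -> {check_config(fragment)}")
```

Running the script on a live instance would mean passing the contents of `/var/lib/pki/<instance>/ca/conf/CS.cfg` to `check_config`; the IPA case from the commit message corresponds to the `CRL_ONLY` fragment, where cert publishing is reported off and the CA stops attempting a cert publisher that was never configured.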
Build used for verification:

```
[root@auto-hv-02-guest09 certdb]# rpm -qi pki-base
Name        : pki-base
Version     : 10.4.1
Release     : 3.el7
Architecture: noarch
Install Date: Friday 05 May 2017 01:31:47 AM EDT
Group       : System Environment/Base
Size        : 2086078
License     : GPLv2
Signature   : RSA/SHA256, Tuesday 02 May 2017 04:38:09 PM EDT, Key ID 199e2f91fd431d51
Source RPM  : pki-core-10.4.1-3.el7.src.rpm
Build Date  : Tuesday 02 May 2017 03:15:26 PM EDT
Build Host  : ppc-015.build.eng.bos.redhat.com
Relocations : (not relocatable)
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
Vendor      : Red Hat, Inc.
URL         : http://pki.fedoraproject.org/
Summary     : Certificate System - PKI Framework
```

Enable crl publishing only:

```
ca.publish.enable = True
ca.publish.cert.enable = False
```

After setting the above flags crl publishing works as expected.

Enable cert publishing only:

```
ca.publish.enable = True
ca.publish.crl.enable = False
```

After setting above flags cert publishing is working as expected as well.

When ca.publish.enable = False both cert and crl publishing is disabled, which is the legacy behaviour.

Doc text looks good.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:2110