This bug is created as a clone of upstream ticket:
Dogtag has only one switch -- ca.publish.enable for both CRLs and certs.
If cert publishing is not wanted and not set up (rules etc.), then errors can be found in the system log about publishing errors for each cert.
We need two new config parameters - ca.publishing.cert.enable and ca.publishing.crl.enable which default to True. The old ca.publishing.enable parameter will still exist.
If either is set to false, though, we would expect publishing not to be attempted. In fact, it would be better if the threads for those publishers were not even started.
commit f0551f75618cd30de3efc3154f37a5f53504896c
Author: Ade Lee <email@example.com>
Date: Wed May 18 15:33:36 2016 -0400
Add parameters to disable cert or crl publishing
Right now, if publishing is enabled, both CRL and cert publishing are enabled. This causes a bunch of spurious error messages on IPA servers as cert publishing is not configured.
As it is impossible to determine if cert publishing is not desired or simply misconfigured, we provide options to explicitly disable either cert or crl publishing.
to enable/disable both cert and crl publishing:
  ca.publish.enable = True/False
This is the legacy behavior.
to enable CRL publishing only:
  ca.publish.enable = True
  ca.publish.cert.enable = False
to enable cert publishing only:
  ca.publish.enable = True
  ca.publish.crl.enable = False
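An added example, not part of the commit or of Dogtag: a small Python check that resolves which publishers are effectively on for a CS.cfg-style fragment, following the switch semantics in the commit message above. The key=value syntax, the off default for an absent ca.publish.enable, and the treatment of the ticket's ca.publishing.* spellings as ignored by the server are assumptions.

```python
# Added example, not Dogtag code. Assumes CS.cfg-style "key=value" lines,
# "#" comments, and case-insensitive true/false values.
DEFAULTS = {
    "ca.publish.enable": False,      # assumption: absent master switch means off
    "ca.publish.cert.enable": True,  # per the commit, sub-switches default to True
    "ca.publish.crl.enable": True,
}
# Spellings used in the ticket text; the commit and the verification use ca.publish.*
TICKET_SPELLINGS = {"ca.publishing.enable", "ca.publishing.cert.enable",
                    "ca.publishing.crl.enable"}

# Constructed sample: CRL publishing only.
SAMPLE = "# constructed fragment\nca.publish.enable=true\nca.publish.cert.enable=false\n"


def parse_cfg(text):
    """Return {key: value}; the last occurrence of a key wins."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()
    return settings


def flag(settings, key):
    """Read one boolean switch, falling back to its default when absent."""
    value = settings.get(key, str(DEFAULTS[key])).lower()
    if value not in ("true", "false"):
        raise ValueError(f"{key}: expected true/false, got {value!r}")
    return value == "true"


def effective_publishing(text):
    """Combine the master switch with the per-type switches."""
    s = parse_cfg(text)
    master, cert, crl = (flag(s, k) for k in DEFAULTS)
    return {"cert": master and cert, "crl": master and crl}


def misspelled_keys(text):
    """Ticket-style names in the file (assumed ignored, so defaults stay in force)."""
    return sorted(parse_cfg(text).keys() & TICKET_SPELLINGS)


if __name__ == "__main__":
    print(effective_publishing(SAMPLE), misspelled_keys(SAMPLE))
```

A non-empty result from misspelled_keys is worth checking first when cert publishing errors keep appearing in the log after a sub-switch was supposedly turned off.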
Build used for verification:
[root@auto-hv-02-guest09 certdb]# rpm -qi pki-base
Name : pki-base
Version : 10.4.1
Release : 3.el7
Install Date: Friday 05 May 2017 01:31:47 AM EDT
Group : System Environment/Base
Size : 2086078
License : GPLv2
Signature : RSA/SHA256, Tuesday 02 May 2017 04:38:09 PM EDT, Key ID 199e2f91fd431d51
Source RPM : pki-core-10.4.1-3.el7.src.rpm
Build Date : Tuesday 02 May 2017 03:15:26 PM EDT
Build Host : ppc-015.build.eng.bos.redhat.com
Relocations : (not relocatable)
Packager : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
Vendor : Red Hat, Inc.
URL : http://pki.fedoraproject.org/
Summary : Certificate System - PKI Framework
Enable crl publishing only
ca.publish.enable = True
ca.publish.cert.enable = False
After setting the above flags, crl publishing works as expected.
Enable cert publishing only
ca.publish.enable = True
ca.publish.crl.enable = False
After setting the above flags, cert publishing is working as expected as well.
When ca.publish.enable = False, both cert and crl publishing are disabled, which is the legacy behaviour.
Doc text looks good.
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory, and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.