Red Hat Bugzilla – Bug 1462291
CRL autoupdate from CS.cfg
Last modified: 2017-06-29 22:12:04 EDT
Created attachment 1288393
Description of problem:
I am trying to do CRL autoupdate from the CA's CS.cfg by setting ca.crl.test_crl.autoUpdateInterval=1, but it is not reflected on the CA Agent page.
1. I have a new issuing point test_crl added.
2. Config file is attached for the CA.
3. I have revoked a couple of certs. Now my CRLs are getting generated every 1 minute as configured, but the revoked certs' status is not getting updated.
Issue 1: I have revoked a few certificates; now they should go to the issuing points and get updated. Certs are getting updated with revocation data in LDAP, but with every CRL generation we don't see revoked certificates getting added.
Workaround 1: Manually update them from the CA Agent page.
Issue 2: With the newly created issuing point test_crl, we tried to do a manual update, but it will not get updated.
Workaround 2: To update manually we always have to set "clear CRL cache"; only then does it work, while it is not needed for masterCRL.
Note: It would be helpful if we got a note about how the CS.cfg properties for CRLs work and a mapping of their functionality.
We have an existing bug where, if we try to do it from the console page, it gives grace period errors, so doing everything with the console is not possible.
Version-Release number of selected component (if applicable):
rpm -qa pki-ca
Steps to Reproduce:
1. Refer to the above steps.
I have my responses inline. Thanks, Fraser, for looking into it.
0. The default CRL refresh interval is 15 minutes. Therefore there
can be up to a 15 minute wait after revoking a cert before it
appears on the CRL.
-- Default CRL update is 240 minutes. I have set it to 2 minutes for my testing.
I have opened one more linked Bugzilla where I have mentioned a few more observations.
1. Expired certs do not appear on CRLs - only revoked certs.
Even a revoked cert is removed from the CRL after its notAfter
date is passed.
-- That's true, only revoked certs are coming, even after you set the option to also send expired certs in the CRL.
2. The CertStatusUpdateTask which runs every 10 minutes is responsible for
detecting expired certs and updating their status in the database.
Until this task is run, an expired cert may appear in a search
result that is supposed to exclude expired certs.
-- For me, even after 10 days I have an expired cert which never comes up in the CRL, and OCSP is still detecting it as a good certificate.
3. The listing in the Web UI of a cert as "valid" shows whether it
was revoked or not, and does not indicate whether it is within
the validity period. Confusing indeed. Arguably a UX bug that
should be fixed.
Geetika, besides the confusing UI signal discussed at (3), and the
caveats of (0) (1) and (2), do you observe any other dubious behaviour?
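To separate the three caveats above (refresh interval, expired certs dropped from the CRL, status-update lag) from a genuine missing-entry bug like Issue 1, a triage check such as the one below helps. This is an added example, not code from Dogtag or from this bug; the function names, the record format and the sample data are constructed assumptions, standing in for what you would pull from the CA database and from the published CRL.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Iterable, Optional, Set


@dataclass
class CertRecord:
    """Constructed stand-in for one CA database entry (assumed layout)."""
    serial: int
    not_after: datetime
    revoked_at: Optional[datetime] = None   # None means never revoked


def classify_revoked_certs(crl_serials: Set[int], this_update: datetime,
                           auto_update_minutes: int, include_expired: bool,
                           records: Iterable[CertRecord]) -> Dict[int, str]:
    """Explain, per revoked cert, why it is or is not on the CRL issued at this_update.

    on_crl               -> present as expected
    pending_next_update  -> revoked after thisUpdate; wait up to auto_update_minutes
    dropped_expired      -> notAfter passed and includeExpiredCerts is off (expected)
    missing_unexpectedly -> revoked before thisUpdate, still valid, absent (the bug)
    """
    next_update = this_update + timedelta(minutes=auto_update_minutes)
    result: Dict[int, str] = {}
    for rec in records:
        if rec.revoked_at is None:
            continue                                   # only revoked certs belong on a CRL
        if rec.serial in crl_serials:
            result[rec.serial] = "on_crl"
        elif rec.revoked_at > this_update:
            result[rec.serial] = "pending_next_update"  # expected by next_update at the latest
        elif rec.not_after <= this_update and not include_expired:
            result[rec.serial] = "dropped_expired"
        else:
            result[rec.serial] = "missing_unexpectedly"
    return result


# Constructed sample: a CRL published at 12:00 with a 1-minute autoUpdateInterval.
THIS_UPDATE = datetime(2017, 6, 20, 12, 0, 0)
SAMPLE_CRL_SERIALS = {0x10}
SAMPLE_RECORDS = [
    CertRecord(0x10, datetime(2018, 6, 20), datetime(2017, 6, 20, 11, 30)),  # on CRL
    CertRecord(0x11, datetime(2018, 6, 20), datetime(2017, 6, 20, 11, 30)),  # Issue 1
    CertRecord(0x12, datetime(2018, 6, 20), datetime(2017, 6, 20, 12, 0, 30)),  # too new
    CertRecord(0x13, datetime(2017, 6, 19), datetime(2017, 6, 20, 11, 0)),   # expired
    CertRecord(0x14, datetime(2018, 6, 20)),                                 # never revoked
]


def sample_findings() -> Dict[int, str]:
    return classify_revoked_certs(SAMPLE_CRL_SERIALS, THIS_UPDATE, 1, False, SAMPLE_RECORDS)
```

Feed it the serials from the published CRL and the revocation data from the CA database; only `missing_unexpectedly` entries indicate the behaviour reported in Issue 1.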