Bug 1462291 - CRL autoupdate from CS.cfg [NEEDINFO]
Status: NEW
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: pki-core
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: rc
Target Release: ---
Assigned To: Jack Magne
QA Contact: Asha Akkiangady
Whiteboard: GSSTriaged
Reported: 2017-06-16 11:49 EDT by Geetika Kapoor
Modified: 2017-10-25 13:49 EDT
Type: Bug
Flags: needinfo? (jmagne), set by mharmsen

Attachments:
CS.cfg (91.30 KB, text/plain), 2017-06-16 11:49 EDT, Geetika Kapoor
Description Geetika Kapoor 2017-06-16 11:49:46 EDT
Created attachment 1288393 (CS.cfg)

Description of problem:

I am trying to do CRL autoupdate from the CA's CS.cfg by setting ca.crl.test_crl.autoUpdateInterval=1, but it is not reflected on the CA Agent page.


1. I have a new issuing point test_crl added.
2. The config file for the CA is attached.
3. I have revoked a couple of certs. Now my CRLs are being generated every 1 minute as configured, but the revoked certs' status is not getting updated.

Issue 1: I have revoked a few certificates; now they should go to the issuing points and get updated. The certs are getting updated with revocation data in LDAP, but with every CRL generation we don't see the revoked certificates getting added.

Workaround 1: Manually update them from the CA Agent page.

Issue 2: With the newly created issuing point test_crl, we tried to do a manual update and it does not get updated.

Workaround 2: To manually update, we always have to set "clear CRL cache"; only then does it work, while this is not needed for the masterCRL.

Note: It would be helpful if we had a note on how the CS.cfg properties for CRLs work and a mapping of their functionality.

We have an existing bug where, if we try to do this from the console page, it gives grace period errors, so doing all of this with the console is not possible.


Version-Release number of selected component (if applicable):

rpm -qa pki-ca

How reproducible:

Steps to Reproduce:
1. Refer to the steps above.

Actual results:

Expected results:

Additional info:
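The report above turns on several ca.crl.<issuing point>.* properties at once (autoUpdateInterval, includeExpiredCerts, the CRL cache). As an added example, not part of this bug report or of the pki-core code base, the stdlib-only Python script below parses a CA CS.cfg and summarises, per CRL issuing point, which update schedule is actually active and which settings are being ignored. The property names are the ones Dogtag/RHCS uses under ca.crl.<point>.; the defaults applied when a key is absent and the sample CS.cfg fragment are assumptions of this example and do not reproduce the attached file.

```python
"""Summarise CRL issuing-point settings from a Dogtag/RHCS CA CS.cfg.

Added example; not the attached CS.cfg and not pki-core code. Semantics of
the ca.crl.<point>.* keys follow the RHCS "Configuring CRLs" documentation
as read by the author of this example. Defaults used when a key is missing
are assumptions; the constructed sample below sets every key explicitly.
"""
import re
from typing import Dict, List

# Constructed sample: MasterCRL at its shipped 240-minute interval, plus a
# second issuing point whose 1-minute interval can never fire because the
# interval-based schedule is switched off for it.
SAMPLE_CS_CFG = """\
# unrelated keys are ignored
ca.crl.MasterCRL.enable=true
ca.crl.MasterCRL.enableCRLUpdates=true
ca.crl.MasterCRL.enableUpdateInterval=true
ca.crl.MasterCRL.autoUpdateInterval=240
ca.crl.MasterCRL.enableDailyUpdates=true
ca.crl.MasterCRL.dailyUpdates=1:00
ca.crl.MasterCRL.enableCRLCache=true
ca.crl.MasterCRL.includeExpiredCerts=false
ca.crl.MasterCRL.nextUpdateGracePeriod=0
ca.crl.test_crl.enable=true
ca.crl.test_crl.enableCRLUpdates=true
ca.crl.test_crl.enableUpdateInterval=false
ca.crl.test_crl.autoUpdateInterval=1
ca.crl.test_crl.enableDailyUpdates=false
ca.crl.test_crl.dailyUpdates=
ca.crl.test_crl.enableCRLCache=true
ca.crl.test_crl.includeExpiredCerts=true
ca.crl.test_crl.nextUpdateGracePeriod=0
"""

CRL_KEY = re.compile(r"^ca\.crl\.([^.]+)\.(.+)$")


def parse_cs_cfg(text: str) -> Dict[str, str]:
    """Parse CS.cfg's flat key=value lines; '#' lines are comments."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip()
    return props


def crl_issuing_points(props: Dict[str, str]) -> Dict[str, Dict[str, str]]:
    """Group ca.crl.<point>.<prop> keys by issuing point name."""
    points: Dict[str, Dict[str, str]] = {}
    for key, value in props.items():
        m = CRL_KEY.match(key)
        if m:
            points.setdefault(m.group(1), {})[m.group(2)] = value
    return points


def _flag(cfg: Dict[str, str], name: str, default: bool) -> bool:
    # Assumed default when the key is absent; the sample sets all keys.
    return cfg.get(name, "true" if default else "false").lower() == "true"


def describe_point(name: str, cfg: Dict[str, str]) -> Dict[str, object]:
    """Work out the effective schedule of one issuing point and list oddities."""
    warnings: List[str] = []
    enabled = _flag(cfg, "enable", True) and _flag(cfg, "enableCRLUpdates", True)
    interval = int(cfg.get("autoUpdateInterval", "0") or "0")
    interval_enabled = _flag(cfg, "enableUpdateInterval", True)
    interval_on = interval_enabled and interval > 0
    daily_times = [t.strip() for t in cfg.get("dailyUpdates", "").split(",") if t.strip()]
    daily_on = _flag(cfg, "enableDailyUpdates", False) and bool(daily_times)
    if not enabled:
        warnings.append("CRL generation is switched off (enable/enableCRLUpdates)")
    elif not interval_on and not daily_on:
        warnings.append("no active schedule: neither interval nor daily updates will fire")
    if interval > 0 and not interval_enabled:
        warnings.append(f"autoUpdateInterval={interval} is ignored because enableUpdateInterval=false")
    return {
        "name": name,
        "enabled": enabled,
        "interval_minutes": interval if (enabled and interval_on) else None,
        "daily_times": daily_times if (enabled and daily_on) else [],
        "include_expired": _flag(cfg, "includeExpiredCerts", False),
        "crl_cache": _flag(cfg, "enableCRLCache", True),
        "grace_period_minutes": int(cfg.get("nextUpdateGracePeriod", "0") or "0"),
        "warnings": warnings,
    }


def summarize(text: str) -> Dict[str, Dict[str, object]]:
    """Return {issuing point name: description} for every ca.crl.* point."""
    return {name: describe_point(name, cfg)
            for name, cfg in crl_issuing_points(parse_cs_cfg(text)).items()}


if __name__ == "__main__":
    for point in summarize(SAMPLE_CS_CFG).values():
        print(f"{point['name']}: interval={point['interval_minutes']} min, "
              f"daily={point['daily_times']}, expired={point['include_expired']}, "
              f"cache={point['crl_cache']}, grace={point['grace_period_minutes']} min")
        for w in point["warnings"]:
            print(f"  warning: {w}")
```

Run it against a real file with summarize(open("/var/lib/pki/<instance>/ca/conf/CS.cfg").read()) (path is the usual instance layout, assumed here) to see at a glance whether the interval you set is the one the CA will actually use; a set but inactive autoUpdateInterval is reported as a warning rather than silently dropped.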
Comment 2 Geetika Kapoor 2017-06-27 04:39:02 EDT
I have my responses inline. Thanks Fraser for looking into it.

0. The default CRL refresh interval is 15 minutes.  Therefore there
   can be up to a 15 minute wait after revoking a cert before it
   appears on the CRL.
-- The default CRL update is 240 minutes. I have set it to 2 minutes for my testing.
I have opened one more linked Bugzilla where I have mentioned a few more observations.


1. Expired certs do not appear on CRLs - only revoked certs.
   Even a revoked cert is removed from the CRL after its notAfter
   date is passed.

-- That's true, only revoked certs are coming, even after you set the option to send expired certs in the CRL as well.

2. The CertStatusUpdateTask which runs every 10 minutes is responsible for
   detecting expired certs and updating their status in the database.
   Until this task is run, an expired cert may appear in a search
   result that is supposed to exclude expired certs.

-- For me, even after 10 days, I have an expired cert which never comes up in the CRL, and OCSP still detects it as a good certificate.

3. The listing in the Web UI of a cert as "valid" shows whether it
   was revoked or not, and does not indicate whether it is within
   the validity period.  Confusing indeed.  Arguably a UX bug that
   should be fixed.

Geetika, besides the confusing UI signal discussed at (3), and the
caveats of (0) (1) and (2), do you observe any other dubious behaviour?
Comment 5 Matthew Harmsen 2017-10-25 13:49:25 EDT
[20171025] - RHEL 7.5 pre-Alpha Offline Triage ==> 7.6
