Red Hat Bugzilla – Bug 1478394
Sub-CA CRL not contained in /ipa/crl/MasterCRL.bin
Last modified: 2017-08-31 02:15:57 EDT
Description of problem:
Revoked certificates of the Sub-CA do not show up in the http://ipa-ca.$DOMAIN/ipa/crl/MasterCRL.bin
Version-Release number of selected component (if applicable):
VERSION: 4.4.0, API_VERSION: 2.213
Set up the sub-CA as described in:
Steps to Reproduce:
1. Revoke issued certificate with sub-ca (Web UI)
2. wget http://ipa-ca.$DOMAIN/ipa/crl/MasterCRL.bin
3. openssl crl -inform der -in MasterCRL.bin -noout -text
Actual results:
Revoked certificate does not show up.
Expected results:
Revoked certificate should show up.
CRLs are updated periodically, every 60 minutes IIRC. Did you wait between step 1 and step 2?
While trying to figure out when exactly I revoked the certificate I found the following in /var/log/pki/pki-tomcat/ca/system
0.Thread-34 - [03/Aug/2017:22:54:56 CEST]   Publishing: Could not publish certificate serial number 0x1e. Error Failed to publish using rule: No rules enabled
0.Thread-35 - [04/Aug/2017:12:48:49 CEST]   Publishing: Could not publish certificate serial number 0x1f. Error Failed to publish using rule: No rules enabled
0.Thread-36 - [04/Aug/2017:13:38:42 CEST]   Publishing: Could not publish certificate serial number 0x20. Error Failed to publish using rule: No rules enabled
0.Thread-37 - [04/Aug/2017:14:13:49 CEST]   Publishing: No rule can be found for unpublishing: certs request 38
0.Thread-37 - [04/Aug/2017:14:13:49 CEST]   Publishing: Could not unpublish certificate serial number 0x1e. Error No Rule instance is matched for request 38.
I have no idea where I can/should add such a (missing) rule but I guess this is causing the problem.
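An added check, not code from the bug report, FreeIPA or Dogtag: it parses a DER CRL such as the downloaded MasterCRL.bin with only the Python standard library and lists which serials named in the Dogtag publishing log above are absent from the CRL. The log format is assumed to match the lines quoted above, and build_demo_crl produces constructed, unsigned CRL data so the script runs offline.

```python
import re
def _tlv(buf, pos):
    """Read one DER TLV at pos -> (tag, value, next pos); single-byte tags suffice for a CRL."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length: 0x8n, then n length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _children(seq):                                     # (tag, value) elements inside a SEQUENCE/SET body
    out, pos = [], 0
    while pos < len(seq):
        tag, val, pos = _tlv(seq, pos)
        out.append((tag, val))
    return out

def crl_revoked_serials(der):
    """Set of revoked serial numbers (ints) in a DER-encoded X.509 CRL (RFC 5280, section 5.1)."""
    tag, cert_list, _ = _tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE; convert PEM first with 'openssl crl -outform der'")
    fields = _children(_children(cert_list)[0][1])      # tbsCertList
    i = (1 if fields[0][0] == 0x02 else 0) + 3          # optional version, then signature, issuer, thisUpdate
    if i < len(fields) and fields[i][0] in (0x17, 0x18):
        i += 1                                          # optional nextUpdate (UTCTime or GeneralizedTime)
    if i < len(fields) and fields[i][0] == 0x30:        # revokedCertificates; absent when nothing is revoked
        return {int.from_bytes(_children(e)[0][1], "big", signed=True) for _, e in _children(fields[i][1])}
    return set()

def missing_from_crl(log_text, crl_der):
    """Serials Dogtag names in its publishing log ('... serial number 0x1e ...') that the CRL omits."""
    logged = {int(s, 16) for s in re.findall(r"serial number 0x([0-9a-fA-F]+)", log_text)}
    return [hex(s) for s in sorted(logged - crl_revoked_serials(crl_der))]

def _der(tag, payload):                                 # minimal DER encoder, only for the constructed data below
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload
def build_demo_crl(revoked):                            # constructed, unsigned CRL revoking the given serials
    num = lambda v: _der(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big"))
    alg = _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d01010b")) + _der(0x05, b""))  # sha256WithRSA
    cn = _der(0x30, _der(0x06, bytes.fromhex("550403")) + _der(0x0c, b"demo sub-CA"))
    t = _der(0x17, b"170804121300Z")                    # one UTCTime reused for every date field
    entries = _der(0x30, b"".join(_der(0x30, num(s) + t) for s in revoked))
    tbs = _der(0x30, num(1) + alg + _der(0x30, _der(0x31, cn)) + t + t + entries)
    return _der(0x30, tbs + alg + _der(0x03, b"\x00" * 5))  # BIT STRING placeholder, not a real signature
```

For the real check, pass the bytes of the downloaded MasterCRL.bin (served as DER) to missing_from_crl together with the text of /var/log/pki/pki-tomcat/ca/system.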
(In reply to Rob Crittenden from comment #2)
> CRLs are updated periodically, every 60 minutes IIRC. Did you wait between
> step 1 and step 2?
I double checked it right now (approximately two hours later) with still the same result.
Fraser, is specific configuration needed in dogtag to enable CRLs for sub-CAs?
There is no support yet for Lightweight CA CRLs.
See upstream ticket https://pagure.io/dogtagpki/issue/1627.
OCSP works perfectly for Lightweight CAs.
Michael, how badly do you need CRL for your use case, instead of OCSP?
I'd need to get a Certificate Revocation List in X.509 CRL format to manually add the CRL to a pfSense box which I use as a VPN gateway. The reason for that manual step is that it's not possible to configure the OpenVPN Server in the 2.3.4-RELEASE of pfSense to force OCSP checks AFAIK.
(In reply to Fraser Tweedale from comment #5)
> There is no support yet for Lightweight CA CRLs.
> See upstream ticket https://pagure.io/dogtagpki/issue/1627.
> OCSP works perfectly for Lightweight CAs.
My cert profile is basically a copy of caIPAserviceCert as I followed the steps described in the blog entry https://blog-ftweedal.rhcloud.com/2015/08/user-certificates-and-custom-profiles-with-freeipa-4-2/
Do I need to modify crlDistPoints entries of that profile as the Sub-CA doesn't support the CRL generation but the respective URL is still present?
Michael, yes, you might want to just remove the CRLDP extension on the modified profile.