Natxo Asenjo wrote:
> On Mon, Oct 13, 2014 at 9:39 PM, Natxo Asenjo <natxo.ase...@gmail.com> wrote:
>> But if I get it from the crl generator using /ipa/crl/MasterCRL.bin I
>> still get the old crl dated june 28th last year.
>>
>> Should I modify ipa-pki-proxy.conf as well on the CRL generator host
>> to point to the /ca/ee/ca/getCRL?op=getCRL&crlIssuingPoint=MasterCRL
>> as well?
>
> This morning the /ipa/crl dir still had the lists of 28th June 2013 in
> the crl generator host. In my test environment running centos 7 the
> files get updated, so I think a process is not running. But which one?
>
> Going to the /ca/ee/ca/getCRL?op=getCRL&crlIssuingPoint=MasterCRL
> gives me the up to date CRL.
>
> --
> Groeten,
> natxo

To enable CRL generation you need these set:

ca.crl.MasterCRL.enableCRLCache=false
ca.crl.MasterCRL.enableCRLUpdates=false

Given that the CA seems to be generating a new CRL that you can fetch
directly I'll assume those are set.

The CA also needs configuration on how/where to publish a file-based
CRL. The configuration should look like:

ca.publish.publisher.instance.FileBaseCRLPublisher.crlLinkExt=bin
ca.publish.publisher.instance.FileBaseCRLPublisher.directory=/var/lib/ipa/pki-ca/publish
ca.publish.publisher.instance.FileBaseCRLPublisher.latestCrlLink=true
ca.publish.publisher.instance.FileBaseCRLPublisher.pluginName=FileBasedPublisher
ca.publish.publisher.instance.FileBaseCRLPublisher.timeStamp=LocalTime
ca.publish.publisher.instance.FileBaseCRLPublisher.zipCRLs=false
ca.publish.publisher.instance.FileBaseCRLPublisher.zipLevel=9
ca.publish.publisher.instance.FileBaseCRLPublisher.Filename.b64=false
ca.publish.publisher.instance.FileBaseCRLPublisher.Filename.der=true
ca.publish.rule.instance.FileCrlRule.publisher=FileBaseCRLPublisher

rob
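
An added example, not part of the thread or of FreeIPA's own tooling: a small audit that compares a CA configuration file against the file-based CRL publisher settings listed in the reply above and reports each one that is missing or different. The expected values are copied from that message; the function names and the sample input are constructed here, and the configuration file path is passed as an argument.

```python
import sys

# Expected values copied from the reply above; everything else is constructed.
PUB = "ca.publish.publisher.instance.FileBaseCRLPublisher."
EXPECTED = {PUB + k: v for k, v in {
    "crlLinkExt": "bin",
    "directory": "/var/lib/ipa/pki-ca/publish",
    "latestCrlLink": "true",
    "pluginName": "FileBasedPublisher",
    "timeStamp": "LocalTime",
    "zipCRLs": "false",
    "zipLevel": "9",
    "Filename.b64": "false",
    "Filename.der": "true",
}.items()}
EXPECTED["ca.publish.rule.instance.FileCrlRule.publisher"] = "FileBaseCRLPublisher"


def parse_cfg(text):
    """Parse key=value lines; skip blanks and '#' comments, last duplicate wins."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        cfg[key.strip()] = value.strip()
    return cfg


def audit_crl_publisher(text):
    """Return (key, found, expected) for each setting that is missing or differs."""
    cfg = parse_cfg(text)
    return [(k, cfg.get(k, "<missing>"), want)
            for k, want in EXPECTED.items() if cfg.get(k) != want]


# Constructed sample: wrong publish directory, latestCrlLink absent.
SAMPLE = "\n".join(
    f"{k}={v}" for k, v in EXPECTED.items() if not k.endswith("latestCrlLink")
).replace("/var/lib/ipa/pki-ca/publish", "/tmp/crl")

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    for key, found, want in audit_crl_publisher(text):
        print(f"{key}: found {found!r}, expected {want!r}")
```

Run it on the CRL generator host with the CA configuration file as the argument; no output means every publisher setting matches the list in the reply.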