Kamal Perera wrote:
> Dear All,
>
> How is the revocation of issuing CA certificates handled? We are
> using OCSP responders for revocation checking of certificates issued by
> the Issuing CAs. So do we have to set up another OCSP or CRL distribution
> point to let the applications query for the revocation of issuing CA
> certificates?

Both points are encoded in the certificates that IPA issues:

[ SNIP ]
        Name: Authority Information Access
        Method: PKIX Online Certificate Status Protocol
        Location:
            URI: "http://ipa-ca.example.com/ca/ocsp"

        Name: Certificate Key Usage
        Critical: True
        Usages: Digital Signature
                Non-Repudiation
                Key Encipherment
                Data Encipherment

        Name: Extended Key Usage
            TLS Web Server Authentication Certificate
            TLS Web Client Authentication Certificate

        Name: CRL Distribution Points
        Distribution point:
            URI: "http://ipa-ca.example.com/ipa/crl/MasterCRL.bin"
            CRL issuer:
                Directory Name: "CN=Certificate Authority,O=ipaca"

rob
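
Added example, not part of the original thread and not FreeIPA's own tooling: a small shell helper that reads the OCSP and CRL pointers shown in the dump above out of any PEM certificate, so the same check can be run on an issuing CA's certificate. It assumes OpenSSL 1.1.1 or newer; the function names and the self-signed sample certificate are constructed for illustration.

```shell
#!/bin/sh
# Added example: list the revocation pointers embedded in a certificate.
# Assumption: OpenSSL 1.1.1 or newer (needed for -ext and -addext).

# ocsp_uris CERT.pem: OCSP responder URIs from Authority Information Access.
ocsp_uris() {
    openssl x509 -in "$1" -noout -ocsp_uri
}

# crl_uris CERT.pem: URIs from the CRL Distribution Points extension.
# Non-URI entries (such as a "CRL issuer" directory name) are skipped.
crl_uris() {
    openssl x509 -in "$1" -noout -ext crlDistributionPoints 2>/dev/null |
        sed -n 's/^.*URI:\([^ ]*\).*$/\1/p'
}

# revocation_pointers CERT.pem: prints one "ocsp <uri>" or "crl <uri>" line
# per pointer. Returns 1 when the certificate names neither, which means a
# relying party has nowhere to ask about that certificate's status.
revocation_pointers() {
    out=$( { ocsp_uris "$1" | sed 's/^/ocsp /'
             crl_uris "$1" | sed 's/^/crl /'; } )
    [ -n "$out" ] || return 1
    printf '%s\n' "$out"
}

# make_sample_cert DIR: constructed self-signed test certificate carrying the
# two URIs quoted in the post (sample data, not a real IPA certificate).
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=constructed-sample" \
        -keyout "$1/key.pem" -out "$1/cert.pem" \
        -addext "authorityInfoAccess=OCSP;URI:http://ipa-ca.example.com/ca/ocsp" \
        -addext "crlDistributionPoints=URI:http://ipa-ca.example.com/ipa/crl/MasterCRL.bin" \
        2>/dev/null
}
```

Usage: `revocation_pointers /path/to/ca.pem`, where the path is whichever certificate you want to inspect.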