Kamal Perera wrote:
> Dear All,
> How is the revocation of issuing CA certificates handled? We are
> using OCSP responders for revocation checking of certificates issued by
> the Issuing CAs. So do we have to set up another OCSP or CRL distribution
> point to let the applications query for the revocation of issuing CA
> certificates?

Both points are encoded in the certificates that IPA issues:

[ SNIP ]

            Name: Authority Information Access
            Method: PKIX Online Certificate Status Protocol
                URI: "http://ipa-ca.example.com/ca/ocsp"

            Name: Certificate Key Usage
            Critical: True
            Usages: Digital Signature
                    Key Encipherment
                    Data Encipherment

            Name: Extended Key Usage
                TLS Web Server Authentication Certificate
                TLS Web Client Authentication Certificate

            Name: CRL Distribution Points
            Distribution point:
                URI: "http://ipa-ca.example.com/ipa/crl/MasterCRL.bin"
                CRL issuer:
                    Directory Name: "CN=Certificate Authority,O=ipaca"
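
As an added example (not part of the original message and not FreeIPA's own code): a small Python parser for an extension dump in the layout shown above. It pulls out the OCSP and CRL locations and reports which of the two a certificate does not advertise, a check that can be run on each certificate in a chain, the issuing CA's included. The function names and the sample dump are constructed for illustration.

```python
import re

# Constructed sample: extension section of a certificate dump in the layout
# quoted in the message above, with the same example hostnames.
SAMPLE_DUMP = '''\
            Name: Authority Information Access
            Method: PKIX Online Certificate Status Protocol
                URI: "http://ipa-ca.example.com/ca/ocsp"

            Name: Certificate Key Usage
            Critical: True

            Name: CRL Distribution Points
            Distribution point:
                URI: "http://ipa-ca.example.com/ipa/crl/MasterCRL.bin"
                CRL issuer:
                    Directory Name: "CN=Certificate Authority,O=ipaca"
'''

URI_RE = re.compile(r'URI:\s*"([^"]+)"')
DN_RE = re.compile(r'Directory Name:\s*"([^"]+)"')

def revocation_endpoints(dump):
    """Return OCSP URIs, CRL URIs and CRL issuer DNs found in an extension dump."""
    found = {"ocsp": [], "crl": [], "crl_issuer": []}
    section = method = None
    for raw in dump.splitlines():
        line = raw.strip()
        if line.startswith("Name:"):
            # A new extension starts; forget the previous access method.
            section, method = line[5:].strip(), None
        elif line.startswith("Method:"):
            method = line[7:].strip()
        elif section == "Authority Information Access":
            m = URI_RE.search(line)
            # AIA may also list CA Issuers URIs; keep only OCSP ones.
            if m and method and "Online Certificate Status Protocol" in method:
                found["ocsp"].append(m.group(1))
        elif section == "CRL Distribution Points":
            if (m := URI_RE.search(line)):
                found["crl"].append(m.group(1))
            elif (m := DN_RE.search(line)):
                found["crl_issuer"].append(m.group(1))
    return found

def missing_sources(dump):
    """List the revocation sources ("ocsp", "crl") the certificate does not advertise."""
    eps = revocation_endpoints(dump)
    return [kind for kind in ("ocsp", "crl") if not eps[kind]]
```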

