Hello everyone,
I want to configure CRL (certificate revocation list) for EST protocol in
openxpki 3.x server. I did it for SCEP protocol in openxpki 2.x. Can you please
help me with the required steps for EST (e.g. Generating CRL information,
Configuring CRL accessibility, etc.)?
For your reference, I'm attaching the used steps for SCEP.
Thanks & Regards,
Chandra
Chandramauli De
QA, Fleet management
STL, ISS
www.lexmark.com
Generating CRL information
------------------------------------
Note: If your server is reachable using the FQDN, then use the DNS of the
server instead of its IP address.
1 Stop the OpenXPKI service using openxpkictl stop.
2 In nano /etc/openxpki/config.d/realm/ca-one/publishing.yaml, update the
connectors: cdp section to the following:
    class: Connector::Builtin::File::Path
    LOCATION: /var/www/openxpki/CertEnroll/
    file: "[% ARGS.0 %].crl"
    content: "[% pem %]"
a In nano /etc/openxpki/config.d/realm/ca-one/profile/default.yaml, update the
following:
• crl_distribution_points: section
    critical: 0
    uri:
      - http://FQDN of the server/CertEnroll/[% ISSUER.CN.0 %].crl
      - ldap://localhost/[% ISSUER.DN %]
• authority_info_access: section
    critical: 0
    ca_issuers: http://FQDN of the server/CertEnroll/MYOPENXPKI.crt
    ocsp: http://ocsp.openxpki.org/
Change the IP address and CA certificate name according to your CA server.
b In nano /etc/openxpki/config.d/realm/ca-one/crl/default.yaml, do the
following:
• If necessary, update nextupdate and renewal.
• Add ca_issuers to the following section:
    extensions:
      authority_info_access:
        critical: 0
        # ca_issuers and ocsp can be scalar or list
        ca_issuers: http://FQDN of the server/CertEnroll/MYOPENXPKI.crt
        #ocsp: http://ocsp.openxpki.org/
Change the IP address and CA certificate name according to your CA server.
3 Start the OpenXPKI service using openxpkictl start.
Configuring CRL accessibility
-------------------------------------
1 Stop the Apache service using service apache2 stop.
2 Create a CertEnroll directory for crl in the /var/www/openxpki/ directory.
3 Set openxpki as the owner of this directory, and then configure the
permissions to let Apache read and execute, and other services to read only.
    chown openxpki /var/www/openxpki/CertEnroll
    chmod 755 /var/www/openxpki/CertEnroll
4 Add a reference to the Apache alias.conf file using nano
/etc/apache2/mods-enabled/alias.conf.
5 After the <Directory "/usr/share/apache2/icons"> section, add the following:
    Alias /CertEnroll/ "/var/www/openxpki/CertEnroll/"
    <Directory "/var/www/openxpki/CertEnroll">
        Options FollowSymlinks
        AllowOverride None
        Require all granted
    </Directory>
6 Add a reference in the apache2.conf file using nano /etc/apache2/apache2.conf.
7 Add the following in the Apache2 HTTPD server section:
    <Directory /var/www/openxpki/CertEnroll>
        Options FollowSymlinks
        AllowOverride None
        Allow from all
    </Directory>
8 Start the Apache service using service apache2 start.
_______________________________________________
OpenXPKI-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openxpki-users
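The attached steps publish the CRL as a PEM file under /CertEnroll/ and stamp its URL into every issued certificate, so the one check worth scripting afterwards is whether a client can actually fetch that CRL, verify its signature against the CA certificate and see that its nextUpdate has not passed. The Go program below is an added example written for this page, not code from OpenXPKI, Lexmark or the poster: it builds a throwaway CA named MYOPENXPKI (a constructed fixture), serves its CRL from an in-process HTTP server at /CertEnroll/MYOPENXPKI.crl in place of the Apache alias, and runs the check twice, once while the CRL is fresh and once after its nextUpdate. The function and variable names are the example's own; to test a deployed server, call fetchCRL with the real CDP URL and the real CA certificate.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"io"
	"math/big"
	"net/http"
	"net/http/httptest"
	"time"
)

// fetchCRL downloads the CRL from its distribution point, accepts PEM (what the "[% pem %]"
// connector writes) or DER, verifies the CA signature and refuses a CRL past its nextUpdate.
func fetchCRL(cdp string, issuer *x509.Certificate, now time.Time) (*x509.RevocationList, error) {
	resp, err := http.Get(cdp)
	if err != nil {
		return nil, fmt.Errorf("CDP unreachable: %w", err)
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(io.LimitReader(resp.Body, 4<<20)) // bound the download
	if err != nil || resp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("CDP %s answered HTTP %d (%v)", cdp, resp.StatusCode, err)
	}
	if block, _ := pem.Decode(body); block != nil && block.Type == "X509 CRL" {
		body = block.Bytes // PEM-armoured; DER passes through unchanged
	}
	rl, err := x509.ParseRevocationList(body)
	if err != nil {
		return nil, fmt.Errorf("CDP served something that is not a CRL: %w", err)
	}
	if err := rl.CheckSignatureFrom(issuer); err != nil {
		return nil, fmt.Errorf("CRL not signed by %q: %w", issuer.Subject.CommonName, err)
	}
	if !now.Before(rl.NextUpdate) {
		return nil, fmt.Errorf("stale CRL: nextUpdate %s has passed", rl.NextUpdate.UTC().Format(time.RFC3339))
	}
	return rl, nil
}

// isRevoked answers whether serial appears on the CRL published at cdp.
func isRevoked(serial *big.Int, cdp string, issuer *x509.Certificate, now time.Time) (bool, error) {
	rl, err := fetchCRL(cdp, issuer, now)
	if err != nil {
		return false, err
	}
	for _, rc := range rl.RevokedCertificates { // populated by ParseRevocationList on Go >= 1.19
		if rc.SerialNumber.Cmp(serial) == 0 {
			return true, nil
		}
	}
	return false, nil
}

// runDemo is a constructed fixture: a throwaway CA named MYOPENXPKI signs a CRL revoking
// serial 1001, publishes it at /CertEnroll/MYOPENXPKI.crl and looks up 1001 and 1002 at checkAt.
func runDemo(issued, checkAt time.Time) (revoked1001, revoked1002 bool, err error) {
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "MYOPENXPKI"},
		NotBefore: issued.Add(-time.Hour), NotAfter: issued.Add(365 * 24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	caDER, _ := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	ca, _ := x509.ParseCertificate(caDER) // re-parse so SubjectKeyId is set; CRL signing needs it
	der, err := x509.CreateRevocationList(rand.Reader, &x509.RevocationList{
		Number: big.NewInt(1), ThisUpdate: issued, NextUpdate: issued.Add(24 * time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: big.NewInt(1001), RevocationTime: issued}},
	}, ca, caKey)
	if err != nil {
		return false, false, err
	}
	crlPEM := pem.EncodeToMemory(&pem.Block{Type: "X509 CRL", Bytes: der})
	mux := http.NewServeMux() // stands in for Apache serving /var/www/openxpki/CertEnroll/
	mux.HandleFunc("/CertEnroll/MYOPENXPKI.crl", func(w http.ResponseWriter, _ *http.Request) {
		w.Header().Set("Content-Type", "application/pkix-crl")
		_, _ = w.Write(crlPEM)
	})
	srv := httptest.NewServer(mux)
	defer srv.Close()
	cdp := srv.URL + "/CertEnroll/MYOPENXPKI.crl"
	if revoked1001, err = isRevoked(big.NewInt(1001), cdp, ca, checkAt); err != nil {
		return false, false, err
	}
	revoked1002, err = isRevoked(big.NewInt(1002), cdp, ca, checkAt)
	return revoked1001, revoked1002, err
}

func main() {
	now := time.Now()
	a, b, err := runDemo(now, now)
	fmt.Println("fresh CRL: 1001 revoked =", a, "1002 revoked =", b, "err =", err)
	_, _, err = runDemo(now, now.Add(48*time.Hour))
	fmt.Println("same CRL checked 48h later:", err)
}
```

Two caveats the check makes visible. RFC 5280 (section 4.2.1.13) says an HTTP distribution point must serve a DER-encoded CRL, whereas `content: "[% pem %]"` publishes PEM; this checker accepts both, but a client that follows the RFC strictly may not. And `Allow from all` in the apache2.conf block is Apache 2.2 access syntax that only works on 2.4 with mod_access_compat loaded, while the alias.conf block already uses the 2.4 form `Require all granted`; if the CRL fetch returns HTTP 403 or 404, that mismatch and the alias path are the first things to compare. Nothing in the check depends on how the certificate was enrolled, since the CRL is issued and published by the realm, so a client enrolled over EST verifies it exactly as one enrolled over SCEP does.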