wiki:CRL
Last modified 4 years ago Last modified on 08/09/10 19:23:32

Certificate Revocation List & Online Certificate Status Protocol

CRL(Certificate Revocation List) is generated by Candlepin's Task(CertificateRevocationListTask) on a regular basis for all the entitlements which have been revoked.

  • The location where the crl is generated can be configured by specifying the property, by default the file is in /var/lib/candlepin/candlepin-crl.crl
    candlepin.crl.file=/etc/candlepin/candlepin-crl.crl
    
  • To change the frequency
    pinsetter.org.fedoraproject.candlepin.pinsetter.tasks.CertificateRevocationListTask.schedule = 0 5 * * * ?
    

in the candlepin.conf file.

You can tweak the frequency at which the crl file is generated by changing DEFAULT_SCHEDULE in CertificateRevocationListTask.

Configuring crl with ocspd

To verify the integrity of the CRL generated as well as use it in practice using ocspd, please follow the following steps.

  • Install ocspd. On fedora use the following command to install ocspd
      sudo yum install ocspd -y
    
  • Configure ocspd. A sample configuration file has been attached with this page. You may have to customize to fit your needs. After doing so, please move the file to /etc/ocspd/ocspd.conf
  • Start your ocspd daemon using the following command
       ocspd -v -d 9090 -c /etc/ocspd/ocspd.conf
    
    ocspd logs in /var/log/messages. When you try the above command, you should see something similar to the contents of log.txt file.
  • Query the status of a serial using the following command,
      openssl ocsp -issuer /etc/candlepin/certs/candlepin-ca.crt -serial 0x01 -host localhost:9090 -CAfile /etc/candlepin/certs/candlepin-ca.crt
    

When you query for some serial which is valid and not present in the crl list, you should see something similar to the text below.

Response verify OK
0x01: good
This Update: Jul  7 18:22:30 2010 GMT
Next Update: Jul  7 18:41:48 2010 GMT

When you query for a serial which is not valid/revoked.(present in crl file),

Response verify OK
0x31: revoked
This Update: Jul  7 18:22:30 2010 GMT
Next Update: Jul  7 18:42:03 2010 GMT
Reason: (UNKNOWN)
Revocation Time: Jul  7 00:00:00 2011 GMT

Reference

Attachments