Certificate Revocation List & Online Certificate Status Protocol
The CRL (Certificate Revocation List) is generated on a regular basis by Candlepin's CertificateRevocationListTask and lists all the entitlements that have been revoked.
- The location where the CRL is generated can be configured by setting the corresponding property; by default the file is /var/lib/candlepin/candlepin-crl.crl
- To change the frequency, set
pinsetter.org.fedoraproject.candlepin.pinsetter.tasks.CertificateRevocationListTask.schedule = 0 5 * * * ?
in the candlepin.conf file.
You can also change the default frequency at which the CRL file is generated by changing DEFAULT_SCHEDULE in CertificateRevocationListTask.
Configuring the CRL with ocspd
To verify the integrity of the generated CRL, and to use it in practice with ocspd, follow these steps.
- Install ocspd. On fedora use the following command to install ocspd
sudo yum install ocspd -y
- Configure ocspd. A sample configuration file is attached to this page; customize it to fit your needs, then move it to /etc/ocspd/ocspd.conf
- Start the ocspd daemon using the following command
ocspd -v -d 9090 -c /etc/ocspd/ocspd.conf
ocspd logs to /var/log/messages. When you run the above command, you should see something similar to the contents of the attached log.txt file.
- Query the status of a serial using the following command,
openssl ocsp -issuer /etc/candlepin/certs/candlepin-ca.crt -serial 0x01 -host localhost:9090 -CAfile /etc/candlepin/certs/candlepin-ca.crt
When you query a serial that is valid and not present in the CRL, you should see something similar to the text below.
Response verify OK
0x01: good
This Update: Jul 7 18:22:30 2010 GMT
Next Update: Jul 7 18:41:48 2010 GMT
When you query a serial that is revoked (present in the CRL file), you should see something like this instead.
Response verify OK
0x31: revoked
This Update: Jul 7 18:22:30 2010 GMT
Next Update: Jul 7 18:42:03 2010 GMT
Reason: (UNKNOWN)
Revocation Time: Jul 7 00:00:00 2011 GMT
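The two checks a practitioner wants to automate here are: does the generated CRL actually contain the serials you expect, and can an ocspd answer be trusted before its "good"/"revoked" verdict is acted on (the answer must carry "Response verify OK", i.e. the responder signature chained to the CA given with -CAfile, and the current time must fall between This Update and Next Update). The script below is an added example, not Candlepin or ocspd code. It assumes only that the openssl command-line tool is installed; the parsers work on the text printed by `openssl crl -text -noout` and by the `openssl ocsp` command shown above, and the sample texts embedded in it are constructed from the responses on this page (the CRL issuer name and the second revoked serial are made up).

```python
"""Checks around a Candlepin CRL and the ocspd answers built from it (added example)."""
import re
import subprocess
from datetime import datetime, timezone

CRL_PATH = "/var/lib/candlepin/candlepin-crl.crl"   # default location from this page
CA_PATH = "/etc/candlepin/certs/candlepin-ca.crt"   # CA path used on this page
OCSP_HOST = "localhost:9090"                        # port from the ocspd command above

TIME_FMT = "%b %d %H:%M:%S %Y GMT"   # OpenSSL prints e.g. "Jul  7 18:22:30 2010 GMT"
_TIME_RE = r"([A-Za-z]{3}\s+\d+ \d\d:\d\d:\d\d \d{4} GMT)"


def parse_time(text):
    """Parse an OpenSSL timestamp into an aware UTC datetime."""
    return datetime.strptime(text.strip(), TIME_FMT).replace(tzinfo=timezone.utc)


def revoked_serials(crl_text):
    """Return {serial_int: revocation_datetime} from `openssl crl -text` output."""
    revoked, current = {}, None
    for line in crl_text.splitlines():
        m = re.match(r"\s*Serial Number:\s*([0-9A-Fa-f]+)", line)
        if m:
            current = int(m.group(1), 16)      # serials are printed in hex
            continue
        m = re.match(r"\s*Revocation Date:\s*(.+)", line)
        if m and current is not None:
            revoked[current] = parse_time(m.group(1))
            current = None
    return revoked


def revoked_serials_from_file(path=CRL_PATH, ca=CA_PATH):
    """Dump the CRL with openssl (verifying its signature against the CA) and parse it."""
    cmd = ["openssl", "crl", "-in", path, "-CAfile", ca, "-noout", "-text"]
    proc = subprocess.run(cmd, capture_output=True, text=True)
    if "verify OK" not in proc.stderr:      # signature check result goes to stderr
        raise RuntimeError("CRL signature did not verify against " + ca)
    return revoked_serials(proc.stdout)


def parse_ocsp_response(text):
    """Turn the text `openssl ocsp` prints (stdout + stderr) into a dict."""
    result = {"verified": "Response verify OK" in text, "status": "unknown",
              "serial": None, "this_update": None, "next_update": None,
              "reason": None, "revocation_time": None}
    m = re.search(r"(0x[0-9A-Fa-f]+):\s*(good|revoked|unknown)", text)
    if m:
        result["serial"] = int(m.group(1), 16)
        result["status"] = m.group(2)
    for key, label in (("this_update", "This Update"), ("next_update", "Next Update"),
                       ("revocation_time", "Revocation Time")):
        m = re.search(label + r":\s*" + _TIME_RE, text)
        if m:
            result[key] = parse_time(m.group(1))
    m = re.search(r"Reason:\s*(\S+)", text)
    if m:
        result["reason"] = m.group(1)
    return result


def is_trustworthy(resp, now):
    """Only act on a verdict that verified, names a status and is not stale."""
    if not resp["verified"] or resp["status"] == "unknown":
        return False
    if resp["this_update"] is None or resp["next_update"] is None:
        return False
    return resp["this_update"] <= now <= resp["next_update"]


def query_ocsp(serial_hex, host=OCSP_HOST, ca=CA_PATH):
    """Run the openssl ocsp command from this page and parse what it prints."""
    cmd = ["openssl", "ocsp", "-issuer", ca, "-serial", serial_hex,
           "-host", host, "-CAfile", ca]
    proc = subprocess.run(cmd, capture_output=True, text=True)
    return parse_ocsp_response(proc.stdout + proc.stderr)


# Constructed sample texts, modelled on the responses shown on this page.
OCSP_GOOD = ("Response verify OK\n0x01: good\n"
             "\tThis Update: Jul  7 18:22:30 2010 GMT\n"
             "\tNext Update: Jul  7 18:41:48 2010 GMT\n")
OCSP_REVOKED = ("Response verify OK\n0x31: revoked\n"
                "\tThis Update: Jul  7 18:22:30 2010 GMT\n"
                "\tNext Update: Jul  7 18:42:03 2010 GMT\n"
                "\tReason: (UNKNOWN)\n"
                "\tRevocation Time: Jul  7 00:00:00 2011 GMT\n")
CRL_TEXT = """Certificate Revocation List (CRL):
        Version 2 (0x1)
        Issuer: CN = candlepin-ca (constructed)
        Last Update: Jul  7 18:22:30 2010 GMT
        Next Update: Jul  8 18:22:30 2010 GMT
Revoked Certificates:
    Serial Number: 31
        Revocation Date: Jul  7 00:00:00 2011 GMT
    Serial Number: 0A
        Revocation Date: Jul  6 12:00:00 2010 GMT
"""

if __name__ == "__main__":
    now = parse_time("Jul  7 18:30:00 2010 GMT")
    for sample in (OCSP_GOOD, OCSP_REVOKED):
        r = parse_ocsp_response(sample)
        print(hex(r["serial"]), r["status"], "trustworthy:", is_trustworthy(r, now))
    print("revoked in CRL:", sorted(hex(s) for s in revoked_serials(CRL_TEXT)))
```

Run it as-is to exercise the parsers on the embedded samples; on a host where ocspd is running, `query_ocsp("0x31")` and `revoked_serials_from_file()` produce the same dicts from the live responder and the live CRL, so a serial reported "revoked" by ocspd can be cross-checked against the CRL the daemon was configured with.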