Whatever is done would need to be added to the documentation as a step to be undone when setting a new CRL generator.

A simpler option might be cron + curl to fetch the CRL.

Also, related PKI ticket: https://fedorahosted.org/pki/ticket/1259

Unless the proxy finds the URL by looking into LDAP, so if the CRL master changes it automatically switches.

A cron job would require manual intervention.

Meh. IPA already proxies to the CRL generator and manual intervention is already required to change it, so I don't think it would be too onerous. The converse is having to maintain another proxy service, simple as it may be.

I was thinking the CRL proxy/cache functionality will be built in Dogtag as part of this ticket:
https://fedorahosted.org/pki/ticket/1262

The master URL will be stored in the replica's database, so it knows where to get the master CRL from. The IPA proxy configuration will simply point to the local Dogtag's CRL cache. The IPA's interface to promote a replica will call Dogtag's interface that updates the CRL configuration in the database.

Thank you taking time to submit this request for FreeIPA. Unfortunately this bug was not given priority and the team lacks the capacity to work on it at this time.

Given that we are unable to fulfil this request I am closing the issue as wontfix. To request re-consideration of this decision please reopen this issue and provide additional technical details about its importance to you.