Red Hat SummitCe contenu n'est pas disponible dans la langue sélectionnée.
Chapter 23. Generating CRL on the IdM CA server
If your IdM deployment uses an embedded certificate authority (CA), you may need to move the generating of the Certificate Revocation List (CRL) from one Identity Management (IdM) server to another. It can be necessary, for example, when you want to migrate the server to another system.
Only configure one server to generate the CRL. The IdM server that performs the CRL publisher role is usually the same server that performs the CA renewal server role, but this is not mandatory. Before you decommission the CRL publisher server, select and configure another server to perform the CRL publisher server role.
23.1. Stopping CRL generation on an IdM server
Use the ipa-crlgen-manage command to stop generating the Certificate Revocation List (CRL) on the IdM CRL publisher server. You must disable CRL generation on the current server before enabling it on a new server, because only one server should generate the CRL at a time.
Prerequisites
- You must be logged in as root.
Procedure
Check if your server is generating the CRL:
[root@server ~]# ipa-crlgen-manage statusCRL generation: enabled Last CRL update: 2019-10-31 12:00:00 Last CRL Number: 6 The ipa-crlgen-manage command was successfulStop generating the CRL on the server:
[root@server ~]# ipa-crlgen-manage disableStopping pki-tomcatd Editing /var/lib/pki/pki-tomcat/conf/ca/CS.cfg Starting pki-tomcatd Editing /etc/httpd/conf.d/ipa-pki-proxy.conf Restarting httpd CRL generation disabled on the local host. Please make sure to configure CRL generation on another master with ipa-crlgen-manage enable. The ipa-crlgen-manage command was successfulCheck if the server stopped generating CRL:
[root@server ~]# ipa-crlgen-manage statusThe server stopped generating the CRL. The next step is to enable CRL generation on the IdM replica.
23.2. Starting CRL generation on an IdM replica server
You can start generating the Certificate Revocation List (CRL) on an IdM CA server with the ipa-crlgen-manage command.
Prerequisites
- The RHEL system must be an IdM Certificate Authority server.
- You must be logged in as root.
Procedure
Start generating the CRL:
[root@replica1 ~]# ipa-crlgen-manage enableStopping pki-tomcatd Editing /var/lib/pki/pki-tomcat/conf/ca/CS.cfg Starting pki-tomcatd Editing /etc/httpd/conf.d/ipa-pki-proxy.conf Restarting httpd Forcing CRL update CRL generation enabled on the local host. Please make sure to have only a single CRL generation master. The ipa-crlgen-manage command was successfulCheck if the CRL is generated:
[root@replica1 ~]# ipa-crlgen-manage statusCRL generation: enabled Last CRL update: 2019-10-31 12:10:00 Last CRL Number: 7 The ipa-crlgen-manage command was successful
23.3. Changing the CRL update interval
The Certificate Revocation List (CRL) file is automatically generated by the Identity Management Certificate Authority (Idm CA) every four hours by default. You can change this interval with the following procedure.
Procedure
Stop the CRL generation server:
# systemctl stop pki-tomcatd@pki-tomcat.serviceOpen the
/var/lib/pki/pki-tomcat/conf/ca/CS.cfgfile, and change theca.crl.MasterCRL.autoUpdateIntervalvalue to the new interval setting. For example, to generate the CRL every 60 minutes:ca.crl.MasterCRL.autoUpdateInterval=60NoteIf you update the
ca.crl.MasterCRL.autoUpdateIntervalparameter, the change will become effective after the next already scheduled CRL update.Start the CRL generation server:
# systemctl start pki-tomcatd@pki-tomcat.service
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}