[Freeipa-devel] [PATCH] 340 Add OCSP and CRL URIs to certificates

Martin Kosek mkosek at redhat.com
Thu Dec 6 15:45:31 UTC 2012


Modify the default IPA CA certificate profile to include CRL and
OCSP extensions which will add URIs to IPA CRL&OCSP to published
certificates.

Both CRL and OCSP extensions have 2 URIs, one pointing directly to
the IPA CA which published the certificate and one to a new CNAME
ipa-ca.$DOMAIN which was introduced as a general CNAME pointing
to all IPA replicas which have CA configured.

The new CNAME is added either during new IPA server/replica/CA
installation or during upgrade.

https://fedorahosted.org/freeipa/ticket/3074
https://fedorahosted.org/freeipa/ticket/1431

----

This patch originates in Rob's WIP OCSP patch, which I had to rewrite to make
things work as we want them to :-)

Martin
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mkosek-340-add-ocsl-and-crl-uris-to-certificates.patch
Type: text/x-patch
Size: 30477 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20121206/e2c1778d/attachment.bin>

