
16.4. Configuring CRLs and OCSP Responders

A certificate is created with a validity period, meaning it has a point where it expires and is no longer valid. The expiration date is contained in the certificate itself, so a client always checks the validity period in the certificate to see if the certificate is still valid.
However, a certificate can also be revoked before its validity period is up, but this information is not contained in the certificate. A CA publishes a certificate revocation list (CRL), which contains a complete list of every certificate that was issued by that CA and subsequently revoked. A client can check the CRL to see if a certificate within its validity period has been revoked and is, therefore, invalid.
Validity checks are performed using the online certificate status protocol (OCSP), which sends a request to an OCSP responder. Each CA integrated with the FreeIPA server uses an internal OCSP responder, and any client which runs a validity check can check the FreeIPA CA's internal OCSP responder.
Every certificate issued by the FreeIPA CA puts its OCSP responder service URL in the certificate. For example:
http://ipaserver.example.com:9180/ca/ocsp

NOTE

For the FreeIPA OCSP responder to be available, port 9180 needs to be open in the firewall.

16.4.1. Using an OCSP Responder with SELinux

Clients can use the FreeIPA OCSP responder to check certificate validity or to retrieve CRLs. A client can be any of a number of different services, but is most frequently an Apache server using the mod_revocator module (which handles CRL and OCSP operations).
The FreeIPA CA has an OCSP responder listening over port 9180, which is also the port available for CRL retrieval. This port is protected by default SELinux policies to prevent unauthorized access. If an Apache server attempts to connect to the OCSP port, then it may be denied access by SELinux.
The Apache server, on the local machine, must be granted access to port 9180 for it to be able to connect to the FreeIPA OCSP responder. There are two ways to work around this by changing the SELinux policies:
  • Edit the SELinux policy to allow Apache servers using the mod_revocator module to connect to port 9180:
    semodule -i revoker.pp
  • Generate a new SELinux policy to allow access based on the SELinux error logs for the mod_revocator connection attempt.
    audit2allow -a -M revoker

16.4.2. Changing the CRL Update Interval

The CRL file is automatically generated by the Dogtag Certificate System CA every four hours. This interval can be changed by editing the Dogtag Certificate System configuration.
  1. Stop the CA server.
    service pki-ca stop
  2. Open the CS.cfg file.
    vim /etc/pki-ca/CS.cfg
  3. Change the ca.crl.MasterCRL.autoUpdateInterval to the new interval setting.
  4. Restart the CA server.
    service pki-ca start

16.4.3. Changing the OCSP Responder Location

Each FreeIPA server generates its own CRL. Likewise, each FreeIPA server uses its own OCSP responder, with its own OCSP responder URL in the certificates it issues.
Instead, a DNS CNAME can be used as the OCSP responder hostname that FreeIPA clients contact; the CNAME then redirects them to the appropriate FreeIPA server's OCSP responder.
  1. Open the certificate profile.
    vim /var/lib/pki-ca/profiles/ca/caIPAserviceCert.cfg
  2. Change the policyset.serverCertSet.9.default.params.crlDistPointsPointName_0 parameter to the DNS CNAME hostname.
  3. Restart the CA server.
    service pki-ca restart
That change must be made on every FreeIPA server, with the crlDistPointsPointName_0 parameter set to the same hostname.
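As an added example (not code from the FreeIPA or Dogtag documentation), the following Python helper parses the key=value format used by CS.cfg and the certificate profile, updates the two parameters named in 16.4.2 and 16.4.3, and checks that every server's profile points at the same CRL distribution hostname, which is the consistency requirement stated above. The config excerpts and hostnames are constructed, and the autoUpdateInterval value is taken to be in minutes (240 for the four-hour default).

```python
"""Read and update the Dogtag key=value configs referenced in this section.

Constructed excerpts stand in for /etc/pki-ca/CS.cfg and
/var/lib/pki-ca/profiles/ca/caIPAserviceCert.cfg (paths from the text).
"""
import re
from collections import Counter

CRL_INTERVAL_KEY = "ca.crl.MasterCRL.autoUpdateInterval"
CRL_DP_KEY = "policyset.serverCertSet.9.default.params.crlDistPointsPointName_0"

# Constructed CS.cfg excerpt; the interval is assumed to be in minutes (240 = 4 h).
SAMPLE_CS_CFG = """\
# constructed sample, not a real CS.cfg
ca.crl.MasterCRL.enable=true
ca.crl.MasterCRL.autoUpdateInterval=240
"""

# Constructed profile excerpts from three servers; ipa2 was never updated.
SAMPLE_PROFILES = {
    "ipa1.example.com": f"{CRL_DP_KEY}=ocsp.example.com\n",
    "ipa2.example.com": f"{CRL_DP_KEY}=ipa2.example.com\n",
    "ipa3.example.com": f"{CRL_DP_KEY}=ocsp.example.com\n",
}


def parse_cfg(text):
    """Parse Dogtag's key=value format; blank lines and '#' lines are ignored."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            cfg[key.strip()] = value.strip()
    return cfg


def set_key(text, key, value):
    """Replace key's line in place (or append it), leaving all other lines intact."""
    pattern = re.compile(r"^" + re.escape(key) + r"=.*$", re.MULTILINE)
    if pattern.search(text):
        return pattern.sub(f"{key}={value}", text)
    return text.rstrip("\n") + f"\n{key}={value}\n"


def crl_interval_minutes(cs_cfg_text):
    """Current CRL auto-update interval from a CS.cfg text."""
    return int(parse_cfg(cs_cfg_text)[CRL_INTERVAL_KEY])


def crl_dp_mismatches(profiles):
    """Servers whose crlDistPointsPointName_0 differs from the majority value."""
    hosts = {srv: parse_cfg(txt).get(CRL_DP_KEY) for srv, txt in profiles.items()}
    expected = Counter(hosts.values()).most_common(1)[0][0]
    return sorted(srv for srv, host in hosts.items() if host != expected)
```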