CRL publishing through Admin GUI

newtoejbca
2011-08-29
2013-02-18
  • newtoejbca
    2011-08-29

    Version: EJBCA 4.0.3
    Jboss: Jboss 5.1.0
    Database: Oracle

    I have followed the instructions to create a "CRL generation Service" through the Admin GUI, specified at http://www.ejbca.org/adminguide.html#CRL generation

    But I am getting the Revoked certificates in the Revocation list for the CA that I have downloaded from the Public GUI -> Fetch CA CRLs link.

    When I run the "Create CRL" function from the Admin GUI the Revocation List works fine.

  • newtoejbca
    2011-08-29

    Do we need to perform any other step to get the correct CRL from the Public GUI? I don't want to manually "Create CRL" from the Admin GUI every time I revoke a certificate.


  • Anonymous
    2011-08-29

    This is probably what you are looking for:

    http://www.ejbca.org/adminguide.html#CRL Update service worker

    Anders

  • newtoejbca
    2011-09-09

    Hi,

    We did that. We have added a CRL Update service worker from the "Edit Services" page.

    The EJBCA logs are also showing "Service CRLUpdater executed successfully." But it has no effect on the CRL. We have to run the "Create CRL" function from the Admin GUI to get the correct Revocation List.

    Seems like "Service CRLUpdater" is not working fine here.


  • Anonymous
    2011-09-10

    Hi
    Did you mark (select) the publisher in Edit Certificate Authorities for the CA in question?
    It is easy to forget this.

    Anders

  • Dear all,

    We are using ejbca_4_0_12 and we are probably facing the same issue.
    We set up a CRL Updater service, checking the CRL of our CA instance
    every 5 minutes. The service is Active and is checked on the
    corresponding CA configuration under the box "Publishers".

    The service seems to be correctly executed, as can be seen from the logs:

    05:15:10,297 INFO   2012-11-02 05:15:10+01:00, CAId : 0,
    SERVICE, EVENT_INFO_SERVICEEXECUTED, Administrator : INTERNALUSER, User
    : No user involved, Certificate : No certificate involved, Comment :
    Service CRL-Updater executed successfully.

    05:20:28,391 INFO   2012-11-02 05:20:28+01:00, CAId : 0,
    SERVICE, EVENT_INFO_SERVICEEXECUTED, Administrator : INTERNALUSER, User
    : No user involved, Certificate : No certificate involved, Comment :
    Service CRL-Publisher executed successfully.

    Nevertheless, if we revoke a certificate and wait for the next CRL
    Updater execution, the CRL is not updated and clicking on Basic
    Functions -> Get CRL returns a file which does not contain the new
    revoked certificate sn.
    We have to manually force the CRL update using the "Create CRL" button
    or wait for a new CRL to be created because of the "expiration" date.

    Do you have any suggestions?

    Thanks and regards,
    Marco B

  • Hi,

    Generating CRLs based on the expire time, and the time settings in the CA config, is the correct behaviour. Time-based CRL generation is the standard way of doing things in most RFCs and specifications.

    If you want to automatically generate a new CRL every time you revoke something you can for example use a script publisher that triggers a CRL generation every time a certificate is revoked, or a custom publisher, or a custom service…

    Cheers,
    Tomas


    PrimeKey Solutions offers commercial EJBCA and SignServer support subscriptions and training courses. Please see www.primekey.se or contact info@primekey.se for more information.
    http://www.primekey.se/Services/Support/
    http://www.primekey.se/Services/Training/
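The check Marco did by hand (fetch the CRL, look for the newly revoked serial) can be scripted; the following is an added example, not code from the thread or from EJBCA, that walks a DER CertificateList far enough to report whether a given serial is listed and whether nextUpdate has already passed. The sample CRL is constructed inline and carries no real signature; a production check must also verify the CRL signature against the CA certificate before trusting either answer.

```python
# Added example, not EJBCA code: walk a DER CRL to find a serial and check nextUpdate (no signature check).
from datetime import datetime, timezone

def der(tag, content):                 # minimal DER encoder, lengths < 256 only
    n = len(content)
    return bytes([tag]) + (bytes([n]) if n < 128 else bytes([0x81, n])) + content

def der_int(v):                        # positive INTEGER, padded so the sign bit is clear
    return der(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big"))
def children(buf):                     # decode the TLVs directly inside `buf`
    out, pos = [], 0
    while pos < len(buf):
        tag, n, pos = buf[pos], buf[pos + 1], pos + 2
        if n & 0x80:                   # long-form length
            k = n & 0x7F
            n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
        out.append((tag, buf[pos:pos + n]))
        pos += n
    return out

def parse_time(tag, val):              # UTCTime (0x17) or GeneralizedTime (0x18)
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(val.decode(), fmt).replace(tzinfo=timezone.utc)

def parse_crl(crl_der):
    """Return (thisUpdate, nextUpdate or None, set of revoked serials)."""
    tbs = children(children(crl_der)[0][1])[0][1]   # CertificateList -> TBSCertList
    f = children(tbs)
    i = (1 if f[0][0] == 0x02 else 0) + 2  # optional version, then sigAlg and issuer
    this_update, i = parse_time(*f[i]), i + 1
    next_update = None
    if i < len(f) and f[i][0] in (0x17, 0x18):
        next_update, i = parse_time(*f[i]), i + 1
    serials = set()
    if i < len(f) and f[i][0] == 0x30:     # revokedCertificates: SEQUENCE OF entry
        for _, entry in children(f[i][1]):
            serials.add(int.from_bytes(children(entry)[0][1], "big"))
    return this_update, next_update, serials

def check_crl(crl_der, serial, now):   # -> (serial is listed, CRL is past nextUpdate at `now`)
    _, next_update, serials = parse_crl(crl_der)
    return serial in serials, next_update is not None and now > next_update

# Constructed, unsigned sample CRL: one revoked serial, thisUpdate 2012-11-02 04:15Z, nextUpdate 24 h later.
_alg = der(0x30, der(0x06, bytes.fromhex("2a864886f70d01010b")) + der(0x05, b""))
_issuer = der(0x30, der(0x31, der(0x30, der(0x06, b"\x55\x04\x03") + der(0x0c, b"Test CA"))))
REVOKED_SERIAL = 0x4F3A9C21
_entry = der(0x30, der_int(REVOKED_SERIAL) + der(0x17, b"121102040000Z"))
_tbs = der(0x30, der_int(1) + _alg + _issuer + der(0x17, b"121102041500Z")
           + der(0x17, b"121103041500Z") + der(0x30, _entry))
SAMPLE_CRL = der(0x30, _tbs + _alg + der(0x03, b"\x00"))
```

Run it against the file that Basic Functions -> Get CRL returns and the serial you just revoked; a "not listed" result right after a CRL Updater run is the symptom described in this thread, and a "stale" result means relying parties have already stopped trusting the CRL.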