
Task #905

closed

Wrong validation for expired CRL in validate_cert

Added by Vít Švanda over 6 years ago. Updated over 6 years ago.

Status: Closed
Priority: Normal
Assignee: Vít Švanda
Target version: -
Start date: 01/12/2018
Due date:
% Done: 100%
Estimated time:
Owner:

Description

When I have an expired CRL, the "validate_cert" command does not return the correct validation error.

Actions #1

Updated by Vít Švanda over 6 years ago

  • Description updated
Actions #2

Updated by Petr Fišer over 6 years ago

This is not a bug per se, because the admin should ensure the CRL is regenerated on a regular basis (i.e. via a cron job). However, it is not safe behavior either.

I will modify the code to check whether the CRL has expired. If it has, the validation will fail.
The CAW should also have an explicit parameter to override the CRL expiration check.

Actions #3

Updated by Radek Tomiška over 6 years ago

Another issue with this behavior is related to certificate revocation. When a certificate is revoked, the CRL is not refreshed implicitly. We currently have to call the 'create_crl' command after each certificate is revoked.

Actions #4

Updated by Petr Fišer over 6 years ago

Radek Tomiška wrote:

Another issue with this behavior is related to certificate revocation. When a certificate is revoked, the CRL is not refreshed implicitly. We currently have to call the 'create_crl' command after each certificate is revoked.

That is intended behavior. CRLs generally have a regular publishing period, e.g. once a day. You are encountering this as a problem during development because you have to revoke and check immediately, but in deployment the CRL will be regenerated on a daily basis.

Actions #5

Updated by Petr Fišer over 6 years ago

  • Status changed from New to In Progress
  • Assignee changed from Petr Fišer to Vít Švanda
  • % Done changed from 0 to 80
Upon further discussion, I implemented an explicit CRL refresh as part of the certificate revocation.
Changes:
  • Added a CRL refresh code block at the end of the revoke_cert method.

Now, when you revoke a certificate, the CRL is regenerated automatically. Consequently, the validate_cert method should now work as expected when using caw from IdM.

You can find the new version of caw in the develop branch of the repository. Please test the IdM module with it and let me know if anything comes up.
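The two behaviours agreed in this thread, a validate_cert that fails closed on an expired CRL (with the explicit override parameter proposed in Actions #2) and a revoke_cert that republishes the CRL as part of revocation (Actions #5), as an added example. This is constructed example code, not the caw source: the Status, Crl and CertificateAuthority names, the ignore_crl_expiry parameter, the one-day CRL lifetime and the five-minute clock-skew tolerance are all assumptions, and the CRL is modelled by the three fields that matter here rather than parsed from DER.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import List, Optional, Set


class Status(Enum):
    GOOD = "good"                            # serial not listed on a fresh CRL
    REVOKED = "revoked"                      # serial listed on the CRL
    CRL_EXPIRED = "crl_expired"              # nextUpdate is in the past
    CRL_NOT_YET_VALID = "crl_not_yet_valid"  # thisUpdate is in the future
    NO_CRL = "no_crl"                        # the CA has never published a CRL


@dataclass
class Crl:
    """Constructed stand-in for the X.509 CRL fields used by the check."""
    this_update: datetime
    next_update: datetime
    revoked_serials: Set[int] = field(default_factory=set)


@dataclass
class CertificateAuthority:
    """Constructed toy CA that only tracks revocations and the current CRL."""
    crl_lifetime: timedelta = timedelta(days=1)   # assumed publishing period
    revoked: Set[int] = field(default_factory=set)
    crl: Optional[Crl] = None

    def create_crl(self, now: datetime) -> Crl:
        # Publishing a CRL opens a fresh thisUpdate/nextUpdate window.
        self.crl = Crl(this_update=now, next_update=now + self.crl_lifetime,
                       revoked_serials=set(self.revoked))
        return self.crl

    def revoke_cert(self, serial: int, now: datetime) -> Crl:
        self.revoked.add(serial)
        # Refresh the CRL as part of revocation (the change from Actions #5),
        # so callers no longer need a separate create_crl step.
        return self.create_crl(now)


def crl_freshness(crl: Optional[Crl], now: datetime,
                  skew: timedelta = timedelta(minutes=5)) -> Optional[Status]:
    """Return why the CRL must not be trusted, or None if it is usable."""
    if crl is None:
        return Status.NO_CRL
    if crl.this_update - skew > now:
        return Status.CRL_NOT_YET_VALID
    if crl.next_update + skew < now:
        return Status.CRL_EXPIRED
    return None


def validate_cert(serial: int, ca: CertificateAuthority, now: datetime,
                  ignore_crl_expiry: bool = False) -> Status:
    """Revocation check that fails closed on a stale CRL.

    ignore_crl_expiry is the explicit override from Actions #2: an operator
    may knowingly accept an expired (but otherwise usable) CRL. A CRL that
    is missing or not yet valid is never accepted.
    """
    problem = crl_freshness(ca.crl, now)
    if problem is Status.CRL_EXPIRED and ignore_crl_expiry:
        problem = None
    if problem is not None:
        return problem
    return Status.REVOKED if serial in ca.crl.revoked_serials else Status.GOOD


def run_scenario() -> List[Status]:
    """Walk through the cases discussed in the task with constructed times."""
    t0 = datetime(2018, 1, 12, 9, 0, tzinfo=timezone.utc)
    ca = CertificateAuthority()
    results = [validate_cert(1001, ca, t0)]                # no CRL yet
    ca.create_crl(t0)
    results.append(validate_cert(1001, ca, t0))            # fresh CRL, good
    later = t0 + timedelta(days=3)                         # CRL long expired
    results.append(validate_cert(1001, ca, later))         # fails closed
    results.append(validate_cert(1001, ca, later, ignore_crl_expiry=True))
    ca.revoke_cert(1001, later)                            # also refreshes CRL
    results.append(validate_cert(1001, ca, later))         # revoked
    results.append(validate_cert(1002, ca, later))         # other serial good
    return results


if __name__ == "__main__":
    for status in run_scenario():
        print(status.value)
```

The scenario shows the original complaint (an expired CRL silently reporting "good") turning into an explicit CRL_EXPIRED result, the override restoring the old behaviour only when asked for, and a revocation becoming visible without a separate create_crl call.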

Actions #6

Updated by Vít Švanda over 6 years ago

  • Status changed from In Progress to Closed
  • % Done changed from 80 to 100

We tested it and it now works nicely. Thanks for that.
