Task #905
closed
Wrong validation for expired CRL in validate_cert
Added by Vít Švanda almost 7 years ago.
Updated almost 7 years ago.
Description
When I have an expired CRL, the "validate_cert" command does not return the correct validation error.
- Description updated (diff)
This is not a bug per se, because the admin should ensure the CRL is regenerated on a regular basis (i.e. via a cronjob). However, it is not safe behavior either.
I will modify the code to check if the CRL is not expired. If it is, the validation will fail.
The CAW should also have an explicit parameter to override CRL expiration check.
Another issue with this behavior is connected with certificate revocation. When a certificate is revoked, the CRL is not refreshed implicitly. We have to call the 'create_crl' command after each certificate is revoked now.
Radek Tomiška wrote:
Another issue with this behavior is connected with certificate revocation. When a certificate is revoked, the CRL is not refreshed implicitly. We have to call the 'create_crl' command after each certificate is revoked now.
That is intended behavior. CRLs generally have a regular publishing period, e.g. once a day. You are encountering this as a problem during development because you have to revoke&check, but in deployment the CRL will be regenerated on a daily basis.
- Status changed from New to In Progress
- Assignee changed from Petr Fišer to Vít Švanda
- % Done changed from 0 to 80
Upon further discussion, I implemented explicit CRL refresh as a part of the certificate revocation.
Changes:
- Added CRL refresh code block at the end of the revoke_cert method.
Now, when you revoke a certificate, the CRL is regenerated automatically. Subsequently, the validate_cert method should now work as expected when working with caw from IdM.
You can find the new version of caw in the develop branch in the repository. Please test the IdM module with it and let me know if there is anything.
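As an added illustration of the two behaviors discussed in this ticket (failing validation on an expired CRL, with an explicit override parameter, and regenerating the CRL inside revoke_cert), here is a small self-contained Python model. This is example code, not caw's or CzechIdM's own implementation; it assumes the `cryptography` package is installed, and the ToyCA class, the ignore_crl_expiry parameter and the validation_status helper are names chosen for this example. All keys and certificates are generated in-process as constructed test data.

```python
"""Example (not caw's code): CRL freshness check with override, and CRL
regeneration on revocation. Assumes the `cryptography` package."""
import datetime
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

UTC = datetime.timezone.utc
DAY = datetime.timedelta(days=1)


class ValidationError(Exception):
    pass


def _aware(obj, attr):
    """Read a datetime field as timezone-aware UTC across cryptography versions."""
    if hasattr(obj, attr + "_utc"):
        return getattr(obj, attr + "_utc")
    value = getattr(obj, attr)
    return None if value is None else value.replace(tzinfo=UTC)


class ToyCA:
    """Hypothetical minimal CA with constructed (in-memory) key material."""

    def __init__(self, common_name="caw example CA"):
        self.key = ec.generate_private_key(ec.SECP256R1())
        self.name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
        now = datetime.datetime.now(UTC)
        self.cert = (x509.CertificateBuilder()
                     .subject_name(self.name).issuer_name(self.name)
                     .public_key(self.key.public_key())
                     .serial_number(x509.random_serial_number())
                     .not_valid_before(now - DAY).not_valid_after(now + 365 * DAY)
                     .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
                     .sign(self.key, hashes.SHA256()))
        self.revoked = {}          # serial number -> revocation time
        self.crl = self.create_crl()

    def issue_cert(self, common_name):
        key = ec.generate_private_key(ec.SECP256R1())
        now = datetime.datetime.now(UTC)
        return (x509.CertificateBuilder()
                .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)]))
                .issuer_name(self.name)
                .public_key(key.public_key())
                .serial_number(x509.random_serial_number())
                .not_valid_before(now - DAY).not_valid_after(now + 30 * DAY)
                .sign(self.key, hashes.SHA256()))

    def create_crl(self, expired=False):
        """Sign a CRL; expired=True produces one whose nextUpdate is already past."""
        now = datetime.datetime.now(UTC)
        last_update = now - 2 * DAY if expired else now - datetime.timedelta(minutes=5)
        next_update = now - DAY if expired else now + DAY
        builder = (x509.CertificateRevocationListBuilder()
                   .issuer_name(self.name)
                   .last_update(last_update)
                   .next_update(next_update))
        for serial, when in self.revoked.items():
            builder = builder.add_revoked_certificate(
                x509.RevokedCertificateBuilder().serial_number(serial)
                .revocation_date(when).build())
        return builder.sign(self.key, hashes.SHA256())

    def revoke_cert(self, cert):
        self.revoked[cert.serial_number] = datetime.datetime.now(UTC)
        # The ticket's change: refresh the CRL as part of revocation.
        self.crl = self.create_crl()
        return self.crl


def validate_cert(cert, ca, crl=None, ignore_crl_expiry=False, now=None):
    """Raise ValidationError on any failure; return True when the cert is trusted."""
    now = now or datetime.datetime.now(UTC)
    crl = crl if crl is not None else ca.crl
    if not (_aware(cert, "not_valid_before") <= now <= _aware(cert, "not_valid_after")):
        raise ValidationError("certificate outside its validity period")
    if cert.issuer != ca.name:
        raise ValidationError("certificate not issued by this CA")
    try:
        ca.key.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                   ec.ECDSA(cert.signature_hash_algorithm))
    except InvalidSignature:
        raise ValidationError("certificate signature invalid")
    if crl.issuer != ca.name or not crl.is_signature_valid(ca.key.public_key()):
        raise ValidationError("CRL not signed by this CA")
    # The check this ticket adds: a CRL past its nextUpdate is not a trustworthy answer.
    next_update = _aware(crl, "next_update")
    if next_update is not None and next_update < now and not ignore_crl_expiry:
        raise ValidationError("CRL expired at " + next_update.isoformat())
    if crl.get_revoked_certificate_by_serial_number(cert.serial_number) is not None:
        raise ValidationError("certificate revoked")
    return True


def validation_status(cert, ca, crl=None, **kwargs):
    """String form of the outcome, convenient for logging and assertions."""
    try:
        validate_cert(cert, ca, crl, **kwargs)
        return "VALID"
    except ValidationError as exc:
        return "INVALID: " + str(exc)


if __name__ == "__main__":
    ca = ToyCA()
    cert = ca.issue_cert("server.example.test")
    print(validation_status(cert, ca))
    print(validation_status(cert, ca, ca.create_crl(expired=True)))
    print(validation_status(cert, ca, ca.create_crl(expired=True), ignore_crl_expiry=True))
    ca.revoke_cert(cert)
    print(validation_status(cert, ca))
```

Without the nextUpdate check, the stale CRL in the second call would silently report the certificate as good; with it, the caller gets an explicit "CRL expired" failure unless it opts out with ignore_crl_expiry. Because revoke_cert rebuilds the CRL itself, the last call sees the revocation without a separate create_crl step.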
- Status changed from In Progress to Closed
- % Done changed from 80 to 100
We tested it and now it works nicely. Thanks for that.