Univention Bugzilla – Full Text Bug Listing

Field | Value | Field | Value
---|---|---|---
Summary | Keep CRL up to date | |
Product | UCS | Reporter | Janis Meybohm <meybohm>
Component | SSL | Assignee | Philipp Hahn <hahn>
Status | CLOSED FIXED | QA Contact | Janek Walkenhorst <walkenhorst>
Severity | enhancement | |
Priority | P5 | CC | gohmann, grandjean, gulden, hahn
Version | UCS 4.1 | |
Target Milestone | UCS 4.1-2-errata | |
Hardware | Other | |
OS | Linux | |
What kind of report is it? | --- | What type of bug is this? | ---
Who will be affected by this bug? | --- | How will those affected feel about the bug? | ---
User Pain | | Enterprise Customer affected? |
School Customer affected? | | ISV affected? |
Waiting Support | | Flags outvoted (downgraded) after PO Review |
Ticket number | | Bug group (optional) |
Max CVSS v3 score | | |
Description

Janis Meybohm
2014-08-29 10:05:13 CEST

FYI: The certificate Baseline Requirements of the CA/Browser Forum define:

> the CA SHALL update and reissue CRLs at least once every seven days,
> and the value of the "nextUpdate" field MUST NOT be more than ten days
> beyond the value of the "thisUpdate" field

https://cabforum.org/baseline-requirements-documents/

2015111221000416

Just for completeness: if someone is using the script from comment #0 and wants to reduce the value of "nextUpdate", the script can be extended with the "-crldays" option:

--
#!/bin/bash
# Read the nextUpdate field of the current CRL (printed as e.g. "Nov 12 21:00:04 2015 GMT").
nextUpdate="$(openssl crl -in /etc/univention/ssl/ucsCA/crl/crl.pem -noout -nextupdate | sed -ne 's/nextUpdate=//p')"
# Regenerate only once nextUpdate lies in the past (both sides compared as epoch seconds).
if [ "$(date -u -d "$nextUpdate" '+%s')" -lt "$(date -u '+%s')" ]; then
    # -crldays 7 sets nextUpdate seven days after thisUpdate instead of the openssl.cnf default.
    openssl ca \
        -config /etc/univention/ssl/openssl.cnf \
        -gencrl -out /etc/univention/ssl/ucsCA/crl/crl.pem \
        -crldays 7 \
        -passin file:/etc/univention/ssl/password
    # Convert the PEM CRL to DER and copy it to the web root where clients fetch it.
    openssl crl \
        -in /etc/univention/ssl/ucsCA/crl/crl.pem \
        -out /etc/univention/ssl/ucsCA/crl/ucsCA.crl \
        -inform pem -outform der
    cp /etc/univention/ssl/ucsCA/crl/ucsCA.crl /var/www/
fi
--

Nevertheless, the value for crldays/nextUpdate should be configurable via UCR.

r70576 | Bug #35748 ssl: Re-generate CRL periodically

Package: univention-ssl
Version: 10.0.0-12.169.201606231402
Branch: ucs_4.1-0
Scope: errata4.1-2

r70577 | Bug #31369,Bug #39257,Bug #24094,Bug #40498,Bug #25285,Bug #35748: ssl YAML univention-ssl.yaml

Code review: OK
Tests: OK
Advisory: OK
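The script above only regenerates the CRL after nextUpdate has already passed, so between cron runs clients that enforce CRL checking see an expired CRL. The following is an added example, not code from the bug report or from the univention-ssl package: it turns the two CA/Browser Forum rules quoted in the description (reissue at least every seven days, nextUpdate at most ten days after thisUpdate) into a check that a cron job can run against the output of `openssl crl -noout -lastupdate -nextupdate`, flagging a CRL that must be reissued while it is still valid. The sample CRL dates are constructed, not captured from a UCS host, and the 30-day window in the second sample assumes OpenSSL's usual `default_crl_days = 30`; the UCS openssl.cnf may differ.

```python
# Added example: evaluate a CRL's validity window against the CA/Browser Forum
# rules quoted in the bug. Standard library only; input is the text printed by
# `openssl crl -noout -lastupdate -nextupdate` (constructed samples below).
from datetime import datetime, timedelta, timezone

# CA/Browser Forum Baseline Requirements as quoted in the bug.
MAX_REISSUE_INTERVAL = timedelta(days=7)   # reissue at least every seven days
MAX_VALIDITY_WINDOW = timedelta(days=10)   # nextUpdate - thisUpdate <= ten days

# OpenSSL prints CRL dates as e.g. "Nov 12 21:00:04 2015 GMT"; single-digit
# days are space padded ("Jun  2 ..."), which strptime's whitespace rule accepts.
OPENSSL_DATE_FMT = "%b %d %H:%M:%S %Y GMT"


def parse_openssl_crl_dates(text):
    """Parse `openssl crl -noout -lastupdate -nextupdate` output.

    Returns (this_update, next_update) as timezone-aware UTC datetimes.
    Note that the openssl command line calls the thisUpdate field "lastUpdate".
    """
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep:
            fields[key] = value.strip()
    try:
        this_update = datetime.strptime(fields["lastUpdate"], OPENSSL_DATE_FMT)
        next_update = datetime.strptime(fields["nextUpdate"], OPENSSL_DATE_FMT)
    except KeyError as missing:
        raise ValueError("openssl output lacks field %s" % missing)
    return (this_update.replace(tzinfo=timezone.utc),
            next_update.replace(tzinfo=timezone.utc))


def crl_status(this_update, next_update, now):
    """Classify a CRL relative to `now` (an aware datetime).

    expired          nextUpdate has passed; clients that enforce CRL checking
                     reject the CRL and with it every certificate of this CA
    window_too_long  nextUpdate is more than ten days after thisUpdate, i.e. the
                     CRL was issued with too large a -crldays value
    reissue_due      thisUpdate is seven or more days old; issue a fresh CRL
                     now, while the old one is still valid
    """
    return {
        "expired": next_update <= now,
        "window_too_long": next_update - this_update > MAX_VALIDITY_WINDOW,
        "reissue_due": now - this_update >= MAX_REISSUE_INTERVAL,
    }


def check_crl(openssl_output, now_iso):
    """Parse openssl output and classify it at `now_iso` (ISO 8601; naive = UTC)."""
    now = datetime.fromisoformat(now_iso)
    if now.tzinfo is None:
        now = now.replace(tzinfo=timezone.utc)
    this_update, next_update = parse_openssl_crl_dates(openssl_output)
    return crl_status(this_update, next_update, now)


def needs_regeneration(openssl_output, now_iso):
    """True if the cron job should run `openssl ca -gencrl` at `now_iso`."""
    return any(check_crl(openssl_output, now_iso).values())


# Constructed samples: a CRL issued with "-crldays 7" as in the comment above,
# and one issued with an assumed openssl.cnf default of default_crl_days = 30.
WEEKLY_CRL = """lastUpdate=Jun 23 14:02:00 2016 GMT
nextUpdate=Jun 30 14:02:00 2016 GMT
"""
MONTHLY_CRL = """lastUpdate=Jun 23 14:02:00 2016 GMT
nextUpdate=Jul 23 14:02:00 2016 GMT
"""

if __name__ == "__main__":
    for label, sample in (("7-day CRL", WEEKLY_CRL), ("30-day CRL", MONTHLY_CRL)):
        for when in ("2016-06-25T00:00:00", "2016-06-30T13:00:00", "2016-07-01T00:00:00"):
            verdict = "regenerate" if needs_regeneration(sample, when) else "keep"
            print(label, when, check_crl(sample, when), verdict)
```

Run hourly from cron, `needs_regeneration` becomes true on day seven of the CRL's life, while the CRL issued with `-crldays 7` is still accepted; the `window_too_long` flag catches a CRL that was generated without `-crldays` under a configuration whose default window exceeds ten days.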