mirror of
https://salsa.debian.org/freeipa-team/freeipa.git
synced 2025-02-25 18:55:28 -06:00
Add OCSP and CRL URIs to certificates
Modify the default IPA CA certificate profile to include CRL and OCSP extensions which will add URIs to IPA CRL&OCSP to published certificates.

Both CRL and OCSP extensions have 2 URIs, one pointing directly to the IPA CA which published the certificate and one to a new CNAME ipa-ca.$DOMAIN which was introduced as a general CNAME pointing to all IPA replicas which have CA configured.

The new CNAME is added either during new IPA server/replica/CA installation or during upgrade.

https://fedorahosted.org/freeipa/ticket/3074
https://fedorahosted.org/freeipa/ticket/1431
committed by
Rob Crittenden
parent
0d836cd6ee
commit
867f7691e9
@@ -24,3 +24,6 @@ _kerberos-master._udp IN SRV 0 100 88 $HOST
_kpasswd._tcp IN SRV 0 100 464 $HOST
_kpasswd._udp IN SRV 0 100 464 $HOST
$OPTIONAL_NTP
; CNAME for IPA CA replicas (used for CRL, OCSP)
$IPA_CA_CNAME IN CNAME $HOST
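Review bot: The added `$IPA_CA_CNAME IN CNAME $HOST` record at the end of the zone template points the shared alias at the single host being installed, while the commit message describes it as a name for all replicas that have a CA configured. A DNS owner name can hold only one CNAME record, so later CA replicas cannot be added alongside this one, and the CRL and OCSP URIs written into issued certificates will stop resolving if `$HOST` is retired. Consider publishing A/AAAA records per CA replica under that name instead, or document how the record is repointed when the original CA host goes away. It is also worth confirming that the value substituted for `$IPA_CA_CNAME` is either relative to the zone origin or ends with a trailing dot, since that is not visible here.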