EJBCA can act as a stand-alone OCSP responder for another CA.
To allow basic integration with non-EJBCA systems¹ we should provide a new Service that at regular intervals downloads a CRL and populates the local database with revocation information.
- Improve page for editing "External CA"s so an external CDP can be specified and saved.
- New EJBCA Service that
  - processes the configured CAs and downloads the CRL² for each external CA with a configured external CDP.
  - verifies the signature of the CRL.
  - compares the CRL to the currently last known CRL.
  - stores the new CRL in the database, so it could be served through the public web.
  - uses the new CRL to populate CertificateData entries for the entries in the CRL³.
¹ Improved EJBCA CA to EJBCA VA integration will be handled under ECA-3144. This is currently normally handled using VAPublisher on the CA.
² Delta CRL support is not within the scope of this issue, but support could be added later on.
³ Due to the nature of CRLs, only information about revoked certificates will be present in the database and not the actual certificates or other meta data.
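The checks the proposed Service has to make between "download the CRL" and "populate CertificateData" are the security-relevant part of this issue: a CRL that is not signed by the configured external CA, that has expired, or that is older than the one already stored must never be imported. The following is an added example, not EJBCA code, written in Python with the `cryptography` library. It assumes the service keeps the last accepted CRL, that the external CA's certificate is configured alongside the CDP, and it constructs a throw-away CA and two CRLs in memory so it runs offline; the download step itself is replaced by those constructed DER bytes.

```python
"""Added example (not EJBCA code): validation and diffing of a downloaded CRL
before its entries are turned into revocation records for CertificateData.
The CA key, certificate and CRLs are constructed here for offline use."""
import datetime as dt
from typing import Optional

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import NameOID


def _utc(obj, attr):
    """cryptography >= 42 exposes tz-aware *_utc attributes; older releases only
    the naive form, which is UTC by definition, so tag it as such."""
    value = getattr(obj, attr + "_utc", None)
    if value is None:
        value = getattr(obj, attr).replace(tzinfo=dt.timezone.utc)
    return value


def make_ca():
    """Constructed stand-in for the external CA: key plus self-signed certificate."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "External Test CA")])
    now = dt.datetime.now(dt.timezone.utc)
    cert = (x509.CertificateBuilder()
            .subject_name(name).issuer_name(name)
            .public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(now - dt.timedelta(days=1))
            .not_valid_after(now + dt.timedelta(days=365))
            .sign(key, hashes.SHA256()))
    return key, cert


def make_crl(key, cert, crl_number, revoked):
    """Constructed CRL as the external CDP would serve it (DER bytes).
    'revoked' is a list of (serial, reason_name) pairs, reason_name as in ReasonFlags."""
    now = dt.datetime.now(dt.timezone.utc)
    builder = (x509.CertificateRevocationListBuilder()
               .issuer_name(cert.subject)
               .last_update(now - dt.timedelta(minutes=1))
               .next_update(now + dt.timedelta(days=1))
               .add_extension(x509.CRLNumber(crl_number), critical=False))
    for serial, reason_name in revoked:
        entry = (x509.RevokedCertificateBuilder()
                 .serial_number(serial)
                 .revocation_date(now)
                 .add_extension(x509.CRLReason(x509.ReasonFlags[reason_name]), critical=False)
                 .build())
        builder = builder.add_revoked_certificate(entry)
    return builder.sign(key, hashes.SHA256()).public_bytes(serialization.Encoding.DER)


def import_crl(crl_der: bytes, issuer_cert: x509.Certificate,
               last_known: Optional[x509.CertificateRevocationList] = None) -> dict:
    """Validate a freshly downloaded CRL against the configured external CA and the
    last accepted CRL, then derive the revocation entries to store.
    Raises ValueError for any CRL that must not be imported."""
    crl = x509.load_der_x509_crl(crl_der)
    # The CRL must name the configured external CA as issuer and carry its signature.
    if crl.issuer != issuer_cert.subject:
        raise ValueError("CRL issuer does not match the configured external CA")
    if not crl.is_signature_valid(issuer_cert.public_key()):
        raise ValueError("CRL signature verification failed")
    # A CRL past nextUpdate gives no assurance about the current revocation state.
    if _utc(crl, "next_update") < dt.datetime.now(dt.timezone.utc):
        raise ValueError("CRL has expired (nextUpdate is in the past)")
    number = crl.extensions.get_extension_for_class(x509.CRLNumber).value.crl_number
    # Never step backwards: a replayed or stale CRL would hide newer revocations.
    if last_known is not None:
        last_number = last_known.extensions.get_extension_for_class(x509.CRLNumber).value.crl_number
        if number <= last_number:
            raise ValueError(f"CRL number {number} is not newer than stored {last_number}")
    known = {rc.serial_number for rc in last_known} if last_known is not None else set()
    revocations = {}
    for rc in crl:
        try:
            reason = rc.extensions.get_extension_for_class(x509.CRLReason).value.reason.name
        except x509.ExtensionNotFound:
            reason = "unspecified"
        revocations[rc.serial_number] = {"revoked_at": _utc(rc, "revocation_date"),
                                         "reason": reason}
    return {
        "crl": crl,                       # keep as the new "last known" CRL
        "der": crl_der,                   # bytes to store and serve via the public web
        "crl_number": number,
        "revocations": revocations,       # only serial, date and reason are known from a CRL
        "new_serials": sorted(set(revocations) - known),
        # RFC 5280 lets an issuer drop expired certificates from a CRL, so a serial
        # vanishing is not by itself evidence that it was unrevoked; flag it for review.
        "dropped_serials": sorted(known - set(revocations)),
    }


if __name__ == "__main__":
    ca_key, ca_cert = make_ca()
    first = import_crl(make_crl(ca_key, ca_cert, 1, [(1001, "key_compromise")]), ca_cert)
    second = import_crl(make_crl(ca_key, ca_cert, 2, [(1001, "key_compromise"),
                                                     (1002, "cessation_of_operation")]),
                        ca_cert, first["crl"])
    print("new revocations in CRL 2:", second["new_serials"])
```

The issuer-name check comes before the signature check on purpose: `is_signature_valid` only proves the bytes were signed by the key you pass in, so the service must be the one deciding which key that is, based on the configured external CA rather than on anything inside the downloaded CRL. The CRL-number comparison is what makes "compares the CRL to the currently last known CRL" a security control rather than a change detector.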