  1. EJBCA
  2. ECA-3559

Service for populating database with revocation status of certificates from CRL

    Details

    • Issue discovered during:
      Integration

      Description

      EJBCA can act as a stand-alone OCSP responder for another CA.

      To allow basic integration with non-EJBCA systems¹ we should provide a new Service that at regular intervals downloads a CRL and populates the local database with revocation information.

      Tasks:

      • Improve page for editing "External CA"s so an external CDP can be specified and saved.
      • New EJBCA Service that
        • processes the configured CAs and downloads the CRL² for each external CA with a configured external CDP.
        • verifies the signature of the CRL.
        • compares the CRL to the currently last known CRL.
        • stores the new CRL in the database, so it could be served through the public web
        • uses the new CRL to populate CertificateData entries for the entries in the CRL³.

      ¹ Improved EJBCA CA to EJBCA VA integration will be handled under ECA-3144. This is currently normally handled using VAPublisher on the CA.
      ² Delta CRL support is not within the scope of this issue, but support could be added later on.
      ³ Due to the nature of CRLs, only information about revoked certificates will be present in the database and not the actual certificates or other meta data.
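
The task list above, sketched as an added example (not EJBCA code; EJBCA itself is Java, and this uses the Python `cryptography` package so the sample CRLs can be built inline). The function names, the dict standing in for CertificateData, and the use of the CRL number to decide which CRL is newer are assumptions of this sketch.

```python
import datetime as dt
from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

ISSUER = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Constructed External CA")])

def make_crl(key, number, serials, day):
    """Build a constructed sample CRL (stands in for the download from the CDP)."""
    this_update = dt.datetime(2024, 1, day)
    b = (x509.CertificateRevocationListBuilder().issuer_name(ISSUER)
         .last_update(this_update).next_update(this_update + dt.timedelta(days=7))
         .add_extension(x509.CRLNumber(number), critical=False))
    for s in serials:
        b = b.add_revoked_certificate(x509.RevokedCertificateBuilder()
            .serial_number(s).revocation_date(this_update).build())
    return b.sign(key, hashes.SHA256())

def crl_number(crl):
    return crl.extensions.get_extension_for_class(x509.CRLNumber).value.crl_number

def process_crl(der, ca_public_key, last_known, store):
    """Return the CRL to keep as 'last known'; only a valid, newer CRL updates store."""
    crl = x509.load_der_x509_crl(der)
    if not crl.is_signature_valid(ca_public_key):   # verify before using any content
        raise ValueError("CRL signature does not verify against the external CA key")
    if last_known is not None and crl_number(crl) <= crl_number(last_known):
        return last_known                           # same or older CRL: nothing to do
    issuer = crl.issuer.rfc4514_string()
    for entry in crl:                               # a CRL only lists revoked serials
        date = getattr(entry, "revocation_date_utc", None) or entry.revocation_date
        store.setdefault((issuer, entry.serial_number), date)
    return crl

def demo():
    ca, rogue = (ec.generate_private_key(ec.SECP256R1()) for _ in range(2))
    der = lambda crl: crl.public_bytes(serialization.Encoding.DER)
    pub, store, last = ca.public_key(), {}, None
    last = process_crl(der(make_crl(ca, 1, [0x1001], 1)), pub, last, store)
    last = process_crl(der(make_crl(ca, 2, [0x1001, 0x1002], 2)), pub, last, store)
    last = process_crl(der(make_crl(ca, 1, [0x1001], 1)), pub, last, store)  # old CRL again
    try:  # same issuer name, but signed with a key that is not the CA's
        process_crl(der(make_crl(rogue, 3, [0x9999], 3)), pub, last, store)
        forged_rejected = False
    except ValueError:
        forged_rejected = True
    return sorted(serial for _, serial in store), crl_number(last), forged_rejected
```

As footnote ³ says, the store ends up holding only issuer, serial number and revocation date for revoked certificates, never the certificates themselves.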

              People

              • Assignee:
                johan Johan Eklund
                Reporter:
                johan Johan Eklund
                Verified by:
                Mike Agrenius Kushner