  1. EJBCA
  2. ECA-3559

Service for populating database with revocation status of certificates from CRL



      EJBCA can act as a stand-alone OCSP responder for another CA.

      To allow basic integration with non-EJBCA systems¹ we should provide a new Service that at regular intervals downloads a CRL and populates the local database with revocation information.


      • Improve page for editing "External CA"s so an external CDP can be specified and saved.
      • New EJBCA Service that
        • processes the configured CAs and downloads the CRL² for each external CA with a configured external CDP.
        • verifies the signature of the CRL.
        • compares the CRL to the last known CRL.
        • stores the new CRL in the database, so it could be served through the public web
        • uses the new CRL to populate CertificateData entries for the entries in the CRL³.

      ¹ Improved EJBCA CA to EJBCA VA integration will be handled under ECA-3144. This is currently normally handled using VAPublisher on the CA.
      ² Delta CRL support is not within the scope of this issue, but support could be added later on.
      ³ Due to the nature of CRLs, only information about revoked certificates will be present in the database and not the actual certificates or other meta data.
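
      The verify, compare and populate steps listed above, sketched as an added example in Python with the `cryptography` package; this is not EJBCA code. All function names are hypothetical, the dict stands in for CertificateData, comparing by the CRL Number extension is an assumption (the issue does not say how CRLs are compared), and the CA, keys and CRLs are constructed sample data. Downloading and storing the CRL are left out.

```python
import datetime as dt
from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

NAME = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Constructed External CA")])

def make_ca(key):
    """Constructed self-signed CA certificate, standing in for the imported external CA."""
    now = dt.datetime.now(dt.timezone.utc)
    return (x509.CertificateBuilder().subject_name(NAME).issuer_name(NAME)
            .public_key(key.public_key()).serial_number(1)
            .not_valid_before(now).not_valid_after(now + dt.timedelta(days=1))
            .sign(key, hashes.SHA256()))

def make_crl(key, number, serials):
    """Constructed DER CRL, standing in for the bytes downloaded from the external CDP."""
    now = dt.datetime.now(dt.timezone.utc)
    b = (x509.CertificateRevocationListBuilder().issuer_name(NAME)
         .last_update(now).next_update(now + dt.timedelta(days=1))
         .add_extension(x509.CRLNumber(number), critical=False))
    for s in serials:
        b = b.add_revoked_certificate(
            x509.RevokedCertificateBuilder().serial_number(s).revocation_date(now)
            .add_extension(x509.CRLReason(x509.ReasonFlags.key_compromise), critical=False)
            .build())
    return b.sign(key, hashes.SHA256()).public_bytes(serialization.Encoding.DER)

def process_crl(crl_der, ca_cert, last_number, status):
    """Verify, compare and apply one CRL. Returns its CRL number, or None if not newer."""
    crl = x509.load_der_x509_crl(crl_der)
    # The CRL must name the configured CA as issuer and verify under its public key.
    if crl.issuer != ca_cert.subject or not crl.is_signature_valid(ca_cert.public_key()):
        raise ValueError("CRL is not signed by the configured external CA")
    # Assumption: "newer than the last known CRL" means a higher CRL Number.
    number = crl.extensions.get_extension_for_class(x509.CRLNumber).value.crl_number
    if last_number is not None and number <= last_number:
        return None
    # A CRL carries only serial, date and reason, never the certificate itself.
    for e in crl:
        try:
            reason = e.extensions.get_extension_for_class(x509.CRLReason).value.reason.value
        except x509.ExtensionNotFound:
            reason = "unspecified"
        # revocation_date_utc exists only in newer releases of the package.
        when = getattr(e, "revocation_date_utc", None) or e.revocation_date
        status[(crl.issuer.rfc4514_string(), e.serial_number)] = (when, reason)
    return number
```

      Entries are keyed by issuer DN and serial number because, as footnote ³ notes, that is all a CRL provides for looking up a certificate's status.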



              • Assignee:
                johan Johan Eklund
                Verified by:
                Mike Agrenius Kushner