  1. EJBCA
  2. ECA-7313

Change mime type for CRLs from application/x-x509-crl to application/pkix-crl as defined in RFC5280

    Details

    • Type: Improvement
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: EJBCA 7.0.0
    • Component/s: None
    • Labels:
      None
    • Issue discovered during:
      Community
    • Sprint:
      EJBCA Sprint 20

      Description

      As reported in the Forum:

       


      Hi EJBCA team,

      Again, thank you for this wonderful product. I'm using it a lot and will present it at a conference in Marseille, France as a good PKI solution for Small and Medium Enterprises which need a PKI.
      Also, @anatom, thanks for the new setup instructions based on a previous discussion we had a few months ago; they are a lot clearer.

      I'm here to ask/advise for a modification request for your next release:
      CRL download URLs, such as
      https://(redacted)/ejbca/publicweb/webdist/certdist?cmd=crl&issuer=CN=(redacted)
      and
      https://(redacted)/ejbca/publicweb/webdist/certdist?cmd=deltacrl&issuer=CN=(redacted)
      as recommended when creating certificates for CRL Distribution Points and X509v3 Freshest CRL, return an HTTP header 'Content-Type' set to 'application/x-x509-crl'.

      But per RFC 5280 (Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile), section 4.2.1.13 (URL: https://tools.ietf.org/html/rfc5280#section-4.2.1.13 ), the 'Content-Type' should be 'application/pkix-crl'.

      I modified my own EJBCA source code; the only place I found it was in modules/ejbca-webdist-war/src/org/ejbca/ui/web/pub/CertDistServlet.java line 219,
      from
      res.setContentType("application/x-x509-crl");
      to
      res.setContentType("application/pkix-crl");
      Then I ran
      $ cd ~/ejbca && ant clean deployear
      And now, requests come back with the recommended 'Content-Type' header.

      Maybe there's a reason for this header to have this value (compatibility support with something, request from somebody). In that case, ignore this.

      Thanks,

      Max @ KeeeX
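
Added example (not part of the forum post and not EJBCA code): a small Python check that classifies the Content-Type returned by CRL download URLs against the RFC 5280 value discussed above. The host name, issuer names and sample header values are constructed; `fetch_content_type` is only called when URLs are given on the command line.

```python
import sys
import urllib.request

EXPECTED = "application/pkix-crl"   # media type named in RFC 5280 section 4.2.1.13
LEGACY = "application/x-x509-crl"   # value the post reports before the change


def media_type(header_value):
    """Strip parameters and normalise case; media types are case-insensitive."""
    if header_value is None or not header_value.strip():
        return None
    return header_value.split(";", 1)[0].strip().lower()


def classify(header_value):
    """Return 'ok', 'legacy', 'missing' or 'unexpected' for a Content-Type value."""
    mt = media_type(header_value)
    if mt is None:
        return "missing"
    if mt == EXPECTED:
        return "ok"
    if mt == LEGACY:
        return "legacy"
    return "unexpected"  # e.g. text/html when an error page is served instead of a CRL


def fetch_content_type(url, timeout=10):
    """Fetch a CRL URL and return its raw Content-Type header (None if absent)."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.headers.get("Content-Type")


def audit(observations):
    """Map (url, header) pairs to (url, verdict), keeping only non-compliant ones."""
    return [(url, classify(h)) for url, h in observations if classify(h) != "ok"]


# Constructed sample observations (host and issuer names are placeholders).
BASE = "https://pki.example.test/ejbca/publicweb/webdist/certdist"
SAMPLE = [
    (BASE + "?cmd=crl&issuer=CN=Example%20CA", "application/x-x509-crl"),
    (BASE + "?cmd=deltacrl&issuer=CN=Example%20CA", "Application/PKIX-CRL; charset=binary"),
    (BASE + "?cmd=crl&issuer=CN=Other%20CA", "text/html;charset=UTF-8"),
    (BASE + "?cmd=crl&issuer=CN=Third%20CA", None),
]

if __name__ == "__main__":
    # With URLs on the command line, check live endpoints; otherwise use SAMPLE.
    obs = [(u, fetch_content_type(u)) for u in sys.argv[1:]] or SAMPLE
    for url, verdict in audit(obs):
        print(f"{verdict:10} {url}")
```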


            People

            • Assignee:
              tomas Tomas Gustavsson
              Reporter:
              tomas Tomas Gustavsson
              Verified by:
              Samuel Lidén Borell
                Time Tracking

                Estimated: 1h
                Remaining: 0m
                Logged: 1h