diff options
| author | Rob Crittenden <rcritten@redhat.com> | 2012-10-09 10:40:20 -0400 |
|---|---|---|
| committer | Rob Crittenden <rcritten@redhat.com> | 2012-10-09 19:24:43 -0400 |
| commit | 392097f20673708a684da168aec302da7ccda9a6 (patch) | |
| tree | 94406708a2008a6f0367ff0038372a2c1bda23de /install/conf | |
| parent | 1dd103bc8c445a1fe4f5ab59a1e6a343a8984305 (diff) | |
| download | freeipa-392097f20673708a684da168aec302da7ccda9a6.tar.gz freeipa-392097f20673708a684da168aec302da7ccda9a6.tar.xz freeipa-392097f20673708a684da168aec302da7ccda9a6.zip | |
Configure the initial CA as the CRL generator.
Any installed clones will have CRL generation explicitly disabled.
It is a manual process to make a different CA the CRL generator.
There should be only one.
https://fedorahosted.org/freeipa/ticket/3051
Diffstat (limited to 'install/conf')
| -rw-r--r-- | install/conf/ipa-pki-proxy.conf | 5 |
1 files changed, 4 insertions, 1 deletions
diff --git a/install/conf/ipa-pki-proxy.conf b/install/conf/ipa-pki-proxy.conf index 20c09217a..8c4f3a9b6 100644 --- a/install/conf/ipa-pki-proxy.conf +++ b/install/conf/ipa-pki-proxy.conf @@ -3,7 +3,7 @@ ProxyRequests Off # matches for ee port -<LocationMatch "^/ca/ee/ca/checkRequest|^/ca/ee/ca/getCertChain|^/ca/ee/ca/getTokenInfo|^/ca/ee/ca/tokenAuthenticate|^/ca/ocsp|^/ca/ee/ca/updateNumberRange"> +<LocationMatch "^/ca/ee/ca/checkRequest|^/ca/ee/ca/getCertChain|^/ca/ee/ca/getTokenInfo|^/ca/ee/ca/tokenAuthenticate|^/ca/ocsp|^/ca/ee/ca/updateNumberRange|^/ca/ee/ca/getCRL"> NSSOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate NSSVerifyClient none ProxyPassMatch ajp://localhost:$DOGTAG_PORT @@ -25,3 +25,6 @@ ProxyRequests Off ProxyPassMatch ajp://localhost:$DOGTAG_PORT ProxyPassReverse ajp://localhost:$DOGTAG_PORT </LocationMatch> + +# Only enable this on servers that are not generating a CRL +${CLONE}RewriteRule ^/ipa/crl/MasterCRL.bin https://$FQDN/ca/ee/ca/getCRL?op=getCRL&crlIssuingPoint=MasterCRL [L,R=301,NC] |