Summary:

The nextUpdate field in the OCSP Response is based on the nextUpdate field of the MasterCRL cache.
Whenever a new CRL is generated, the nextUpdate field is updated in the MasterCRL cache.

In the Master CA OCSP response, the nextUpdate field is updated correctly to show the latest nextUpdate value.
In the Clone CA OCSP response, the nextUpdate field is never updated, eventually resulting in an invalid OCSP response because the nextUpdate field is in the past.

For clarity, this issue affects the CA subsystem. I have not looked into the OCSP subsystem.

For example:

    This Update: Mar 22 09:54:08 2025 GMT
    Next Update: Mar 22 09:44:00 2025 GMT

Build:

idm-pki-ca-11.5.1-1.el9.noarch, AlmaLinux 9

Steps to reproduce:

1. Install pki-ca on a master and a clone instance.
2. Spawn the master CA instance and then spawn a clone CA instance, using default settings.
3. Configure the following settings on Master and Clone:

    ca.crl.MasterCRL.cacheUpdateInterval=15
    ca.crl.MasterCRL.enableCRLCache=true
    ca.crl.MasterCRL.enableCacheRecovery=true
    ca.crl.MasterCRL.enableCacheTesting=false
    ca.crl.MasterCRL.autoUpdateInterval=5
    ca.crl.MasterCRL.enableUpdateInterval=true
    ca.crl.MasterCRL.minUpdateInterval=0
    ca.ocspUseCache=true

4. Restart the CA instances.
5. Wait 5 minutes, then do an OCSP check on the Clone CA.

Expected result:

OCSP response with:

    thisUpdate = now
    nextUpdate = anywhere between now and 5 minutes in the future.

Actual result:

OCSP response with:

    thisUpdate = now
    nextUpdate = timestamp in the past.
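The OCSP check in the last reproduction step, as an added example that is not part of the original report or of Dogtag PKI's own code: a small Python script that parses the text output of `openssl ocsp -resp_text` and flags a response whose nextUpdate is already in the past, so a monitor can catch the clone's stale window before clients start rejecting responses. The stale sample reuses the exact timestamps quoted in the report; the healthy sample, the host and file names in the comment, and the 5-minute acceptable window (taken from autoUpdateInterval=5 above) are assumptions.

```python
import re
from datetime import datetime, timedelta, timezone

# To obtain the text this script parses from a running CA, run something like
# (host and file names are placeholders, not taken from the bug report):
#   openssl ocsp -issuer ca_signing.crt -cert subject.crt \
#       -url http://clone-ca.example.test:8080/ca/ocsp -resp_text -noverify
# and feed its stdout to check_ocsp_text().

OPENSSL_TIME_FMT = "%b %d %H:%M:%S %Y GMT"  # e.g. "Mar 22 09:54:08 2025 GMT"
_FIELD_RE = re.compile(r"^\s*(This|Next) Update:\s*(.+?)\s*$", re.MULTILINE)

# "now" pinned to the thisUpdate of the report's sample so results are reproducible.
REPORT_NOW = datetime(2025, 3, 22, 9, 54, 8, tzinfo=timezone.utc)


def parse_update_times(resp_text):
    """Extract (thisUpdate, nextUpdate) from `openssl ocsp -resp_text` output.

    nextUpdate may legitimately be absent (RFC 6960 makes it OPTIONAL), in which
    case None is returned for it. Only the first single response is considered.
    """
    found = {}
    for label, value in _FIELD_RE.findall(resp_text):
        found.setdefault(label, value)  # keep the first occurrence of each field
    if "This" not in found:
        raise ValueError("no 'This Update' field in response text")
    this_update = datetime.strptime(found["This"], OPENSSL_TIME_FMT).replace(tzinfo=timezone.utc)
    next_update = None
    if "Next" in found:
        next_update = datetime.strptime(found["Next"], OPENSSL_TIME_FMT).replace(tzinfo=timezone.utc)
    return this_update, next_update


def classify_window(this_update, next_update, now, max_window=timedelta(minutes=5)):
    """Return a list of problems with the validity window (empty list means healthy).

    max_window is the longest acceptable distance from `now` to nextUpdate; the
    5-minute default mirrors the autoUpdateInterval used in the reproduction steps.
    """
    problems = []
    if next_update is None:
        return problems  # nothing to validate; the relying party decides how to treat it
    if next_update < this_update:
        problems.append("nextUpdate precedes thisUpdate")
    if next_update <= now:
        problems.append("nextUpdate is in the past (response already expired)")
    if next_update > now + max_window:
        problems.append("nextUpdate is further out than max_window")
    return problems


def check_ocsp_text(resp_text, now=None, max_window=timedelta(minutes=5)):
    """Parse openssl's text output and classify its validity window."""
    this_update, next_update = parse_update_times(resp_text)
    if now is None:
        now = datetime.now(timezone.utc)
    return classify_window(this_update, next_update, now, max_window)


# Constructed sample: the stale clone response quoted in the bug report.
STALE_RESPONSE = """\
OCSP Response Data:
    Cert Status: good
    This Update: Mar 22 09:54:08 2025 GMT
    Next Update: Mar 22 09:44:00 2025 GMT
"""

# Constructed sample of what a healthy response at the same moment would look like.
HEALTHY_RESPONSE = """\
OCSP Response Data:
    Cert Status: good
    This Update: Mar 22 09:54:08 2025 GMT
    Next Update: Mar 22 09:58:00 2025 GMT
"""

if __name__ == "__main__":
    for name, text in (("stale", STALE_RESPONSE), ("healthy", HEALTHY_RESPONSE)):
        print(name, check_ocsp_text(text, now=REPORT_NOW) or ["ok"])
```

Run it against the master and the clone in turn: a healthy responder yields an empty problem list, while the clone described above keeps returning "nextUpdate precedes thisUpdate" and "nextUpdate is in the past" once the cached CRL window has elapsed.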