Name

    OpenXPKI::Server::Workflow::Activity::Tools::PublishCRLs

Description

    This activity publishes a single CRL. The parameters crl_serial and ca_alias must be set either via activity parameters or exist in the context. crl_serial can have the value "latest", which resolves to the CRL with the highest last_update date for the issuer that was created by the default profile.

    The list of targets can be defined via an activity parameter or is read from the CRL profile definition (see below). In either case each connector is called with the CN of the issuing CA as location. The data portion contains a hash ref with the keys pem, der and subject (issuer subject) holding the appropriate strings, and issuer, which is the issuer subject parsed into a hash as used in the template processing when issuing the certificates.

    There are several options to handle errors when the connectors fail; details are given below (see the on_error parameter).

Publication by Profile (default)

    The publishing information is read from the connector at crl.<profile>.publish, which must be a list of names (a scalar is also ok). If the CRL to publish has no profile set (which is the default), crl.default.publish is used. Each name is expanded to the path publishing.crl.<name>, which must be a connector reference.

    Note: Contrary to certificate publication, crl.default.publish is only used if the CRL has no profile; it is not used as a global fallback if there is no publication defined for the profile!

Publication without Profile

    Instead of reading the publication targets from the profile you can point the activity directly to a list of connectors by setting prefix to the base path of a hash. Each key is the internal name of the target, the value must be a connector reference.

Configuration

  Example

    publish_crl_action:
        class: OpenXPKI::Server::Workflow::Activity::Tools::PublishCRL
        prefix: publishing.crl

  Activity parameters
  Context parameters
  Data Source Configuration

    At the configuration path given in the prefix parameter, you must provide a list of connectors:

        publishing:
            crl:
                repo1@: connector:....
                repo2@: connector:....

    To publish the CRL to your webserver, here is an example connector:

        cdp:
            class: Connector::Builtin::File::Path
            LOCATION: /var/www/myrealm/
            file: "[% ARGS %].crl"
            content: "[% pem %]"

    The ARGS placeholder is replaced with the CN part of the issuing CA. So if you name your CA generations "ServerCA-1" and "ServerCA-2", you will end up with two CRLs at "http://myhost/myrealm/ServerCA-1.crl" and "http://myhost/myrealm/ServerCA-2.crl".
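    The following configuration is an added example and is not part of the OpenXPKI documentation. It puts the two publication modes described above side by side so the difference in lookup is visible: profile-based publication resolves names listed under crl.<profile>.publish to publishing.crl.<name>, while prefix-based publication reads every key under the given hash. The profile name "shortlived", the target names "internal" and "external", the directory paths and the host names are assumptions chosen for illustration.

```yaml
# Added example, not taken from the OpenXPKI documentation.
# Profile name, target names and paths are assumptions.

# --- Mode 1: publication by profile -------------------------------------
# The activity reads crl.<profile>.publish and expands each name to
# publishing.crl.<name>. A CRL without a profile uses crl.default.publish.
crl:
    default:
        publish:
            - internal
    # A CRL issued with the (assumed) "shortlived" profile needs its own
    # list: crl.default.publish is NOT used as a fallback for it.
    shortlived:
        publish:
            - internal
            - external

# --- Mode 2: publication without profile --------------------------------
# The activity is pointed at the hash publishing.crl.targets and calls
# every connector referenced there, regardless of the CRL profile.
publish_crl_action:
    class: OpenXPKI::Server::Workflow::Activity::Tools::PublishCRL
    prefix: publishing.crl.targets

# --- Connector definitions used by both modes ---------------------------
publishing:
    crl:
        # names referenced from crl.<profile>.publish (mode 1)
        internal@: connector:publishing.crl.connectors.cdp_internal
        external@: connector:publishing.crl.connectors.cdp_external

        # hash read via "prefix" (mode 2); keys are internal target names
        targets:
            internal@: connector:publishing.crl.connectors.cdp_internal
            external@: connector:publishing.crl.connectors.cdp_external

        connectors:
            # file: is built from ARGS, i.e. the CN of the issuing CA,
            # so "ServerCA-1" becomes /var/www/internal/myrealm/ServerCA-1.crl
            cdp_internal:
                class: Connector::Builtin::File::Path
                LOCATION: /var/www/internal/myrealm/
                file: "[% ARGS %].crl"
                content: "[% pem %]"
            # same layout, written to a second (assumed) document root
            cdp_external:
                class: Connector::Builtin::File::Path
                LOCATION: /var/www/external/myrealm/
                file: "[% ARGS %].crl"
                content: "[% pem %]"
```

    With this layout a CRL issued under the default profile lands only in the internal directory, a CRL issued under "shortlived" lands in both, and the prefix-based activity always writes both, which is a simple way to check that every profile you use actually has a publish list before relying on profile-based publication.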