Configuring Crl Publishing To Resume After Interrupted Downloads - Red Hat CERTIFICATE SYSTEM 8.0 - ADMINISTRATION Admin Manual

Publishing CRLs over HTTP makes CRL publishing more robust. The publishing
process can be interrupted and resumed smoothly. It also gives flexibility for retrieving CRLs, since
they can be downloaded using tools like wget.
8.3.1. Configuring CRL Publishing to Resume after Interrupted Downloads
CRLs can be very large, so downloading CRLs can take a very long time. If the process is interrupted,
then downloading has to begin all over again to publish the entire CRL.
Certificate System can publish CRLs to a plain file and then allow it to be downloaded over HTTP 1.1.
Additionally, Certificate System can publish compressed (zipped) CRLs which use byte ranges to track
the compressed contents, so that the download progress can be tracked and, if it is interrupted, the
download can resume at the point where it dropped off.
Using HTTP 1.1 allows the client to avoid fetching a CRL which has already been retrieved.
To do this, the Certificate Manager publishes the CRL to a file and uses the Certificate Manager's web
server to handle the HTTP 1.1 downloads.
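
The client side of the resume behaviour described above, as an added example in Python (not code from this manual or from Certificate System): it continues a partial CRL download with Range and If-Range, and starts over when the server answers 200 because the CRL changed or the range was ignored. The .part and .validator file names and all function names are assumptions made for this example.

```python
import os
import re
import shutil
import urllib.request

def resume_headers(part, meta):
    """Range/If-Range headers to continue a partial download, or {} to start over."""
    if not (os.path.exists(part) and os.path.exists(meta)):
        return {}
    offset = os.path.getsize(part)
    with open(meta) as fh:
        validator = fh.read().strip()
    if not offset or not validator:
        return {}
    # If-Range: if the CRL was republished, the server answers 200 with the full file.
    return {"Range": f"bytes={offset}-", "If-Range": validator}

def store_response(status, headers, body, part, meta):
    """Write one HTTP response to the partial file; True once the CRL is complete."""
    have = os.path.getsize(part) if os.path.exists(part) else 0
    if status == 206:
        m = re.fullmatch(r"bytes (\d+)-\d+/(\d+)", headers.get("Content-Range", ""))
        if not m or int(m.group(1)) != have:
            raise ValueError("206 response does not continue at our offset")
        mode, total = "ab", int(m.group(2))
    elif status == 200:
        # Range ignored or CRL changed: overwrite the stale prefix, never append.
        mode, total = "wb", int(headers.get("Content-Length", -1))
    else:
        raise ValueError(f"unexpected HTTP status {status}")
    etag = headers.get("ETag", "")
    # A weak ETag (W/"...") must not be sent in If-Range; fall back to Last-Modified.
    strong = etag and not etag.startswith("W/")
    with open(meta, "w") as fh:
        fh.write(etag if strong else headers.get("Last-Modified", ""))
    with open(part, mode) as out:
        shutil.copyfileobj(body, out)  # a dropped link here leaves a resumable prefix
    return os.path.getsize(part) == total

def download_crl(url, dest):
    """One attempt; call again after a network error. True once dest is complete."""
    part, meta = dest + ".part", dest + ".validator"
    req = urllib.request.Request(url, headers=resume_headers(part, meta))
    with urllib.request.urlopen(req, timeout=30) as resp:
        done = store_response(resp.status, resp.headers, resp, part, meta)
    if done:
        os.replace(part, dest)
        os.remove(meta)
    return done
```

Resuming only guarantees that the bytes are contiguous; check the CRL's signature against the CA certificate before relying on the file.
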
Configuring the CA publishing to allow CRL downloads to resume after interruptions requires
configuring two things:
• A CRL file publisher pointing to the Certificate Manager's web server directory
• Settings in the Certificate Manager web server configuration to allow the published CRL file to be
downloaded
To configure CRL publishing over HTTP 1.1:
1. Create the directory to which to publish the CRL files. For example:
    mkdir /var/lib/pki-ca/webapps/ca/ee/ca/crl
2. Open the console for the Certificate Manager.
    pkiconsole https://server.example.com:9445/ca
3. In the left menu, open the Publishing folder, and select the Publishers link.