CRL Download for an "Active CA"

[qa-denis-huber]

Hello,

we are using EJBCA as an OCSP Responder in our project. We have different CAs and want to import CRLs for each CA from an external PKI.

We configured a CA "CA_1" with a certificate (but without a private key). And we configured a CA "CA_2" with a keypair. We configured a "CRL download service" with the CRLDownloadWorker class and set the URLs of the CRL endpoints for each CA. While CA_1 downloads its CRL, CA_2 does not download its CRL. Instead the CRL download service logs an error:

CA_2 is not an external X509 CA. Ignoring.

My observation is that EJBCA classifies CA_1 as an "External CA" and CA_2 as an "Active CA". Also, EJBCA only allows External CAs to download CRLs.

Is there another way for CA_2 to fetch and import its CRL?

Best regards,
Denis

[primetomas]

If you have a key pair, it is a CA, and not pointing to another CA. In that case you generated the CRL in EJBCA. The CRL is then in the database (directly when it is generated) and you don't need to download it from somewhere else. In this case the OCSP responder does not use or need a CRL, since all issued certificates from this CA are in the database.

[qa-denis-huber]

Hello Tomas, thank you for your fast answer.

The PKI is mostly independent from the OCSP responder and not in our hand. We only host the OCSP responder for the CA. Due to compatibility issues with some clients, we have to sign OCSP responses with the private key of the CA itself.
That's why we have a copy of the private key in the OCSP responder.

[primetomas]

Ah, hmm, that is an unusual use case...
So it seems the CRL downloader does not support this, as it sees a CA with a private key as a "real CA" and does not expect externally generated CRLs from that.
If you can script a bit, you can use the CLI to import CRLs and generate any missing entries in the database, so the OCSP responder answers correctly.

bin/ejbca.sh ca importcrl --help

[qa-denis-huber]

Thanks Tomas,
bin/ejbca.sh ca importcrl works for us 👍