Note: If your server is reachable by its FQDN, use the server's DNS name instead of its IP address.
Stop the OpenXPKI service using openxpkictl stop.
Using nano, open /etc/openxpki/config.d/realm/ca-one/publishing.yaml and update the connectors: cdp section to the following:
    class: Connector::Builtin::File::Path
    LOCATION: /var/www/openxpki/CertEnroll/
    file: "[% ARGS.0 %].crl"
    content: "[% pem %]"
Using nano, open /etc/openxpki/config.d/realm/ca-one/profile/default.yaml and update the following:
- crl_distribution_points: section
    critical: 0
    uri:
        - http://FQDN of the server/CertEnroll/[% ISSUER.CN.0 %].crl
        - ldap://localhost/[% ISSUER.DN %]
- authority_info_access: section
    critical: 0
    ca_issuers: http://FQDN of the server/CertEnroll/MYOPENXPKI.crt
    ocsp: http://ocsp.openxpki.org/
Change the IP address (or FQDN) and the CA certificate name to match your CA server.
Using nano, open /etc/openxpki/config.d/realm/ca-one/crl/default.yaml and do the following:
- If necessary, update nextupdate and renewal.
- Add ca_issuers to the following section:
    extensions:
        authority_info_access:
            critical: 0
            # ca_issuers and ocsp can be scalar or list
            ca_issuers: http://FQDN of the server/CertEnroll/MYOPENXPKI.crt
            #ocsp: http://ocsp.openxpki.org/
- Change the IP address (or FQDN) and the CA certificate name to match your CA server.
Start the OpenXPKI service using openxpkictl start.
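
To confirm the change after the restart, the CDP and AIA URIs in a newly issued certificate can be linted from its text dump (openssl x509 -in issued.pem -noout -text | lint_cert_uris). The script below is an added example, not part of the original procedure or of OpenXPKI; the function names and the constructed sample text (192.0.2.10, example.test) are assumptions.

```sh
#!/bin/sh
# Added example: lint the CDP/AIA URIs of a certificate issued after the change.

# Print one URI per line from the "URI:" entries of the text dump on stdin.
extract_uris() {
    sed -n 's/^.*URI:\(.*[^[:space:]]\)[[:space:]]*$/\1/p'
}

# Classify a single URI as OK, WARN or FAIL.
check_uri() {
    uri=$1
    host=${uri#*://}    # drop the scheme
    host=${host%%/*}    # drop the path
    host=${host%%:*}    # drop the port
    case $uri in
        *'[%'*|*'FQDN of the server'*)   # template or placeholder left in place
            echo "FAIL placeholder-not-replaced $uri"; return 0 ;;
    esac
    case $host in
        localhost)   echo "WARN loopback-host $uri" ;;   # other hosts cannot reach it
        *[!0-9.]*)   echo "OK $uri" ;;                   # a DNS name
        127.*)       echo "WARN loopback-host $uri" ;;
        *.*.*.*)     echo "WARN ip-instead-of-fqdn $uri" ;;
        *)           echo "OK $uri" ;;
    esac
}

# Lint every URI found on stdin; return 1 if any line is a FAIL.
lint_cert_uris() {
    results=$(extract_uris | while IFS= read -r uri; do check_uri "$uri"; done)
    printf '%s\n' "$results"
    if printf '%s\n' "$results" | grep -q '^FAIL '; then return 1; fi
    return 0
}

# Constructed sample (not real output): extension part of a certificate dump.
sample_cert_text() {
    cat <<'EOF'
            X509v3 CRL Distribution Points:
                Full Name:
                  URI:http://192.0.2.10/CertEnroll/MYOPENXPKI.crl
                Full Name:
                  URI:ldap://localhost/CN=MYOPENXPKI,DC=example,DC=test
            Authority Information Access:
                OCSP - URI:http://ocsp.openxpki.org/
                CA Issuers - URI:http://FQDN of the server/CertEnroll/MYOPENXPKI.crt
EOF
}
sample_cert_text | lint_cert_uris || echo "FAIL lines present"
```

A FAIL line means a placeholder from the configuration reached the certificate; a WARN line marks a URI that other hosts may not be able to resolve.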