diff --git a/authority/config/config.go b/authority/config/config.go
index f58a3354..556f5407 100644
--- a/authority/config/config.go
+++ b/authority/config/config.go
@@ -90,6 +90,7 @@ type CRLConfig struct {
 	GenerateOnRevoke bool `json:"generateOnRevoke,omitempty"`
 	CacheDuration *provisioner.Duration `json:"cacheDuration,omitempty"`
 	RenewPeriod *provisioner.Duration `json:"renewPeriod,omitempty"`
+	IDPurl string `json:"idpURL,omitempty"`
 }
 
 // IsEnabled returns if the CRL is enabled.
diff --git a/authority/tls.go b/authority/tls.go
index 11c61b9e..e64bb5fa 100644
--- a/authority/tls.go
+++ b/authority/tls.go
@@ -773,10 +773,17 @@ func (a *Authority) GenerateCertificateRevocationList() error {
 		NextUpdate: now.Add(updateDuration),
 	}
 
+	// Set CRL IDP to config item, otherwise, leave as default
+	var fullName string
+	if a.config.CRL.IDPurl != "" {
+		fullName = a.config.CRL.IDPurl
+	} else {
+		fullName = a.config.Audience("/1.0/crl")[0]
+	}
+
 	// Add distribution point.
 	//
 	// Note that this is currently using the port 443 by default.
-	fullName := a.config.Audience("/1.0/crl")[0]
 	if b, err := marshalDistributionPoint(fullName, false); err == nil {
 		revocationList.ExtraExtensions = []pkix.Extension{
 			{Id: oidExtensionIssuingDistributionPoint, Value: b},
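Review bot: The new field on the `IDPurl` line should be spelled `IDPURL` — Go keeps initialisms in one case (`userID`, `rawURL`) and every sibling field in this struct is plain MixedCaps; the JSON tag `idpURL` can stay as-is so existing config files keep working. The field also has no comment, and because its value is encoded into the CRL's Issuing Distribution Point extension it deserves one that states the contract, e.g. `// IDPURL optionally overrides the URI placed in the CRL's Issuing Distribution Point extension. It must be an absolute URI and must match the CRL Distribution Point in issued certificates, otherwise relying parties will reject the CRL.` Whether the value is validated (parsed as a URL, scheme checked) in CRLConfig's Validate method is not visible in this hunk; if it is not, that is where the check belongs, since a bad value only surfaces when clients fail to verify the CRL. CRLConfig's definition begins before this hunk.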
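Review bot: The configured `IDPurl` is handed straight to `marshalDistributionPoint` on the `if b, err :=` line without being parsed, so a typo, a relative path or an `http://` vs `https://` mismatch gets encoded as the CRL's Issuing Distribution Point URI; RFC 5280 relying parties match that name against the certificate's CRL Distribution Point, so a non-matching value makes every CRL this authority publishes unusable while the generation itself succeeds (and the existing `err == nil` branch already drops the extension silently on marshal failure). Unless the config layer validates it — not visible here — guard before use: `if _, err := url.ParseRequestURI(fullName); err != nil { return fmt.Errorf("invalid CRL IDP URL %q: %w", fullName, err) }` (needs `net/url`). The `var`/`if`/`else` block would read better as `fullName := a.config.CRL.IDPurl` followed by `if fullName == "" { fullName = a.config.Audience("/1.0/crl")[0] }`, and the `Note that this is currently using the port 443 by default.` comment now applies only to that fallback branch, so it should move next to it. GenerateCertificateRevocationList starts before this hunk and continues past it.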