Configuring an external storage for your CRLs
Creating an S3 External CRL Storage
Stream can push your CRLs into S3 buckets when they are generated, but an external storage must be configured first. This section also assumes that you have already configured credentials for a cloud provider if you want to use a cloud storage solution.
To configure an external S3 CRL storage:
1. Log in to the Stream Administration Interface;
2. Go to Certification Authorities > External CRL Storage and click on ;
3. Fill in the information:
- Type (select): The type of external CRL storage (mandatory, select Amazon S3)
- Name (string input): The name to give to that external storage (mandatory)
- Description (string input): An optional description for that external storage
- Bucket (string input): The name of the S3 bucket to store CRLs into (mandatory)
- Credential (select): The credential to use to connect to the S3 server (AWS format)
- Role Arn (string input): The RoleArn to use when connecting to the S3 provider (only applicable for AWS)
- Region (string input): The cloud region to use if the S3 service is in the cloud (AWS, GCP)
- Proxy (select): The proxy to use to connect to the external storage, if any
- Endpoint (string input): The S3 endpoint to use (if not using an AWS S3 bucket)
- Force path style (boolean): If turned on, forces path-style addressing (the bucket name in the URL path rather than in the hostname)
4. Once you have filled in all the information, click "Add".
The External CRL Storage is now created and can be used in CA details.
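The Bucket, Region, Endpoint and Force path style settings together determine the URL at which a relying party will later fetch the CRL, so it is worth checking what that URL looks like before pointing a CRL Distribution Point at it. The following Python helper is an added example, not Stream's own code: it derives the object URL from those four settings, using the AWS regional host when no custom Endpoint is given, and refuses virtual-hosted addressing for a bucket name containing a dot, because such a name cannot match the wildcard TLS certificate of the S3 host. The object key layout (`ca/issuing.crl`) and the function name are assumptions.

```python
"""Derive the URL of a CRL object from S3 external storage settings.

Added example, not Stream's code. The key layout and function name are
assumed; the addressing rules are the standard S3 virtual-hosted versus
path-style conventions.
"""
from urllib.parse import quote


def crl_object_url(bucket: str, key: str, region: str = "", endpoint: str = "",
                   force_path_style: bool = False) -> str:
    """Return the https URL from which object `key` in `bucket` is served.

    - No Endpoint: the AWS regional S3 host is assumed (global host if no Region).
    - force_path_style=False (virtual-hosted): bucket name goes in the hostname.
    - force_path_style=True: bucket name goes in the path; this is what most
      non-AWS S3 implementations expect.
    """
    if endpoint:
        # The Endpoint field holds a host (optionally with scheme); normalise it.
        host = endpoint.removeprefix("https://").removeprefix("http://").rstrip("/")
    elif region:
        host = f"s3.{region}.amazonaws.com"
    else:
        host = "s3.amazonaws.com"

    encoded_key = quote(key, safe="/")  # keep the "/" pseudo-folders readable

    if force_path_style:
        return f"https://{host}/{bucket}/{encoded_key}"

    # Virtual-hosted style prepends the bucket to the host. A dot in the bucket
    # name yields an extra DNS label, which the *.s3.amazonaws.com wildcard
    # certificate does not cover, so TLS validation would fail on the client.
    if "." in bucket and not endpoint:
        raise ValueError(
            f"bucket {bucket!r} contains a dot; enable 'Force path style' "
            "or choose a DNS-compatible bucket name"
        )
    return f"https://{bucket}.{host}/{encoded_key}"


if __name__ == "__main__":
    # Constructed sample settings, matching the form fields above.
    print(crl_object_url("pki-crls", "ca/issuing.crl", region="eu-west-1"))
    print(crl_object_url("pki-crls", "ca/issuing.crl", region="eu-west-1",
                         force_path_style=True))
    print(crl_object_url("pki-crls", "ca/issuing.crl",
                         endpoint="https://minio.internal:9000",
                         force_path_style=True))
```

Run it once with the values you intend to enter in the form: if the printed URL is not the one you plan to publish in the CA's CRL Distribution Point extension, adjust Endpoint or Force path style before creating the storage, since clients will reject a CRL they cannot reach or whose host fails TLS validation.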
Creating an LDAP External Storage
Stream can push your CRLs into LDAP directories when they are generated, but an external LDAP storage must be created in the product first. This section also assumes that you have already configured credentials for the desired LDAP directory.
To configure an external LDAP CRL storage:
1. Log in to the Stream Administration Interface;
2. Go to Certification Authorities > External CRL Storage and click on ;
3. Fill in the information:
- Type (select): The type of external CRL storage (mandatory, select LDAP)
- Name (string input): The name to give to that external storage (mandatory)
- Description (string input): An optional description for that external storage
- Host (string input): The hostname of the LDAP server the CRL will be pushed to. Do not prefix it with "ldap://" or "ldaps://" (mandatory)
- Port (int input): The port on which the LDAP server is listening (default is 389 for LDAP and 636 for LDAPS) (mandatory)
- Base DN (string input): The LDAP base DN under which to publish the CRL (mandatory)
- Filter (string input): The LDAP search filter used to find the entry in which to publish the CRL (mandatory). Example: (objectclass=cRLDistributionPoint)
- CRL Attribute (string input): The attribute of that entry in which to publish the CRL (mandatory)
- Follow referrals (boolean): Whether to allow Stream to follow LDAP referral URLs
- Secure (boolean): Whether to use the LDAPS protocol instead of the plain LDAP protocol
- Disable hostname validation (boolean): Whether to allow Stream to connect to the LDAP server over LDAPS even if the server certificate does not carry the specified hostname as a DNS SAN (only if Secure is turned on)
4. Once you have filled in all the information, click "Add".
The External CRL Storage is now created and can be used in CA details.
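The Host, Port, Secure, Base DN, Filter and CRL Attribute fields map directly onto the components of an RFC 4516 LDAP URL, which is also the form a CRL Distribution Point pointing at this directory takes. The following Python snippet is an added example, not Stream's code: it checks the field values for the mistakes the form description warns about (a scheme prefix in Host, an unparenthesised filter, a non-DN base, an empty attribute, hostname validation disabled without LDAPS) and builds the URL a client would use to read the published CRL. The function names and the sample values are assumptions.

```python
"""Validate LDAP external CRL storage settings and derive the LDAP URL of
the published CRL. Added example, not Stream's code; names are assumed."""
from urllib.parse import quote

DEFAULT_PORTS = {False: 389, True: 636}  # plain LDAP vs LDAPS, as in the form


def validate_ldap_storage(host: str, port: int, base_dn: str, search_filter: str,
                          crl_attribute: str, secure: bool = False,
                          disable_hostname_validation: bool = False) -> list:
    """Return a list of problems with the settings; an empty list means consistent."""
    problems = []
    if host.lower().startswith(("ldap://", "ldaps://")):
        problems.append("Host must be a bare hostname, without ldap:// or ldaps://")
    if not 1 <= port <= 65535:
        problems.append(f"Port {port} is out of range")
    if not (search_filter.startswith("(") and search_filter.endswith(")")):
        problems.append("Filter must be a parenthesised LDAP filter, "
                        "e.g. (objectclass=cRLDistributionPoint)")
    elif search_filter.count("(") != search_filter.count(")"):
        problems.append("Filter has unbalanced parentheses")
    if "=" not in base_dn:
        problems.append("Base DN does not look like a DN (expected attr=value pairs)")
    if not crl_attribute:
        problems.append("CRL Attribute is mandatory")
    if disable_hostname_validation and not secure:
        problems.append("Disable hostname validation only applies when Secure is on")
    return problems


def crl_ldap_url(host: str, base_dn: str, crl_attribute: str, search_filter: str,
                 port: int = None, secure: bool = False) -> str:
    """Build the RFC 4516 URL  scheme://host:port/dn?attribute?scope?filter.

    The scope is "base" because the filter already selects the single entry
    holding the CRL. Spaces and '?' in the DN and filter are percent-encoded;
    '=', ',' and the filter parentheses are left readable, as in RFC 4516's
    own examples.
    """
    scheme = "ldaps" if secure else "ldap"
    if port is None:
        port = DEFAULT_PORTS[secure]
    dn = quote(base_dn, safe="=,")
    filt = quote(search_filter, safe="()=*")
    return f"{scheme}://{host}:{port}/{dn}?{crl_attribute}?base?{filt}"


if __name__ == "__main__":
    # Constructed sample settings mirroring the form fields above.
    settings = dict(host="ldap.example.internal", port=636,
                    base_dn="CN=Issuing CA,OU=PKI,DC=example,DC=internal",
                    search_filter="(objectclass=cRLDistributionPoint)",
                    crl_attribute="certificateRevocationList", secure=True)
    for problem in validate_ldap_storage(**settings):
        print("problem:", problem)
    print(crl_ldap_url(settings["host"], settings["base_dn"], settings["crl_attribute"],
                       settings["search_filter"], settings["port"], settings["secure"]))
```

Leave Disable hostname validation off unless the directory's certificate genuinely lacks the hostname as a DNS SAN: with it on, Stream still encrypts the LDAPS session but no longer checks that it is talking to the intended server, so fixing the server certificate is the better remedy.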