External CRL Storages

Creating a Stream External Storage

Stream allows you to push your CRLs into other Stream instances upon generation, but an external Stream CRL storage must be created in the product first. This section also assumes that you have already configured Password or Certificate credentials for the target Stream instance.

To configure an external Stream CRL storage:

1. Log in to the Stream Administration Interface;

2. Go to Revocation management > External CRL Storage and click on "add external CRL storage";

3. Fill in the information:

  • Select the Type* of external CRL storage, Stream for a Stream storage

  • The Name* to give to that external storage

  • The Description to add more details about this storage

  • Select a list of notifications to send On execution error to be alerted if the push to the Stream instance fails

  • Add the technical name of the CA you wish to push the CRL to. Three cases can occur:

    • the technical names of the CAs are aligned on both instances: leave the field blank, as the trigger will by default use the technical name of the CA the CRL is linked to.

    • the technical name of the CA on the other instance can be deduced from the technical name on the current instance: use a template string to format the name correctly.

    • the technical names are not linked in any way: spell out the technical name on the other instance in full, and define a trigger for each CA (using the duplicate icon).

  • Enter the Endpoint* of your other Stream instance. This should include the protocol (https://).

  • Select a Credential* to connect to the Stream instance. Only credentials on the Stream target can be selected.

  • Choose a Timeout for the push request

  • Add a Proxy to use to connect to the instance, if any

4. Once you have filled in all the information, click "Add".

The External CRL Storage is now created and can be used in CA configuration.

Creating an S3 External CRL Storage

Stream allows you to push your CRLs into S3 buckets upon generation, but an external storage must be configured first. This section also assumes that you have already configured Password credentials for the cloud provider if you want to use a cloud storage solution.

To configure an external S3 CRL storage:

1. Log in to the Stream Administration Interface;

2. Go to Revocation management > External CRL Storage and click on "add external CRL storage";

3. Fill in the information:

  • Select the Type* of external CRL storage, Amazon S3 for an S3 storage

  • The Name* to give to that external storage

  • The Description to add more details about this storage

  • Select a list of notifications to send On execution error to be alerted if the push to the CRL storage fails

  • Add the Bucket* of your S3 storage

  • Select a Credential to connect to the S3 server (AWS format). Only credentials on the AWS target can be selected. If no credential is specified, the values of the environment variables will be used to establish the connection.

  • Add a Role Arn to use when connecting to the S3 provider (only applicable for AWS)

  • Select the Region to use if the S3 storage is hosted by a cloud provider (AWS, GCP)

  • Add a Proxy to use to connect to the external storage, if any

  • If not using an AWS S3 Bucket, add the S3 Endpoint

  • Choose whether to Force path style in URL name

  • Reconfigure the CRL Alias. By default, the S3 object key will be the technical name of the CA with .crl extension. Using template strings, this name can be modified. For example, if the file should be named with an uppercase of the CA’s CN with the .pem extension, CRL Alias will be {{ Upper({{ca.signer.dn.cn.1}}) }}.pem

4. Once you have filled in all the information, click "Add".

The External CRL Storage is now created and can be used in CA configuration.

Creating an LDAP External Storage

Stream allows you to push your CRLs into LDAP directories upon generation, but an external LDAP storage must be created in the product first. This section also assumes that you have already configured Password credentials for the target LDAP directory.

To configure an external LDAP CRL storage:

1. Log in to the Stream Administration Interface;

2. Go to Revocation management > External CRL Storage and click on "add external CRL storage";

3. Fill in the information:

  • Select the Type* of external CRL storage, LDAP for an LDAP storage

  • The Name* to give to that external storage

  • The Description to add more details about this storage

  • Select a list of notifications to send On execution error to be alerted if the push to the CRL storage fails

  • Add the Host*, the IP address or hostname of the LDAP server the CRL will be pushed to. Do not prefix it with "ldap://" or "ldaps://"

  • Add the Port* on which the LDAP server is running (default is 389 for LDAP and 636 for LDAPS)

  • Select a Credential* to connect to the LDAP server. Only credentials on the LDAP target can be selected.

  • Add a Proxy to use to connect to the external storage, if any

  • Enter a Base DN* that points to the LDAP location to publish the CRL into

  • Enter an LDAP search Filter* to find the entry to publish the CRL into. Example: (objectclass=cRLDistributionPoint)

  • Define the CRL Attribute*, the resource attribute to publish the CRL into

  • Choose whether to allow Stream to follow LDAP referral URLs

  • Choose whether to use the Secure LDAPS protocol instead of the regular LDAP protocol

  • Choose whether to Disable hostname validation, which lets Stream connect to the LDAP server over LDAPS even if the server certificate does not carry the specified hostname as a DNS SAN (only applies if Secure is turned on)

4. Once you have filled in all the information, click "Add".

The External CRL Storage is now created and can be used in CA configuration.

Creating an SCP External Storage

Stream allows you to push your CRLs into any server supporting the SCP protocol upon generation. This section also assumes that you have already configured SSH credentials for the desired server.

To configure an external SCP CRL storage:

1. Log in to the Stream Administration Interface;

2. Go to Revocation management > External CRL Storage and click on "add external CRL storage";

3. Fill in the information:

  • Select the Type* of external CRL storage, SCP for an SCP storage

  • The Name* to give to that external storage

  • The Description to add more details about this storage

  • Select a list of notifications to send On execution error to be alerted if the push to the CRL storage fails

  • Add the Host*, the IP address or hostname of the SCP server the CRL will be pushed to.

  • Add the Port* on which the SCP server is running (default is 22 for SSH)

  • Select a Credential* to connect to the SCP server. Only credentials on the SCP/SFTP target can be selected.

  • Choose a Timeout for the SCP request

  • Choose whether to Use compression when pushing the CRL

  • Enter the server's known host key Fingerprint so that the server is authenticated as well (mutual authentication). If nothing is specified, no fingerprint check will occur.

  • Define the Path* where to push the CRL. Using template strings, this path can be set dynamically. For example, if the CRL should be pushed to the crls root folder with a filename that is the uppercase of the CA's CN with the .pem extension, the path will be /crls/{{ Upper({{ca.signer.dn.cn.1}}) }}.pem

4. Once you have filled in all the information, click "Add".

The External CRL Storage is now created and can be used in CA configuration.

Creating an SFTP External Storage

Stream allows you to push your CRLs into any server supporting the SFTP protocol upon generation. This section also assumes that you have already configured SSH credentials for the desired server.

To configure an external SFTP CRL storage:

1. Log in to the Stream Administration Interface;

2. Go to Revocation management > External CRL Storage and click on "add external CRL storage";

3. Fill in the information:

  • Select the Type* of external CRL storage, SFTP for an SFTP storage

  • The Name* to give to that external storage

  • The Description to add more details about this storage

  • Select a list of notifications to send On execution error to be alerted if the push to the CRL storage fails

  • Add the Host*, the IP address or hostname of the SFTP server the CRL will be pushed to.

  • Add the Port* on which the SFTP server is running (default is 22 for SSH)

  • Select a Credential* to connect to the SFTP server. Only credentials on the SCP/SFTP target can be selected.

  • Choose a Timeout for the SFTP request

  • Choose whether to Use compression when pushing the CRL

  • Enter the server's known host key Fingerprint so that the server is authenticated as well (mutual authentication). If nothing is specified, no fingerprint check will occur.

  • Define the Path* where to push the CRL. Using template strings, this path can be set dynamically. For example, if the CRL should be pushed to the crls root folder with a filename that is the uppercase of the CA's CN with the .pem extension, the path will be /crls/{{ Upper({{ca.signer.dn.cn.1}}) }}.pem

4. Once you have filled in all the information, click "Add".

The External CRL Storage is now created and can be used in CA configuration.