IPA/IdM Certificate Revocation Lists (CRLs) Can be Inconsistent Across IPA/IdM Masters and Replicas

Solution Unverified - Updated -


  • It was found that the current default configuration of IPA servers did not publish correct CRLs (Certificate Revocation Lists). The default configuration specifies that every replica is to generate its own CRL, however this can result in inconsistencies in the CRL contents provided to clients from different Identity Management replicas. More specifically, if a certificate is revoked on one Identity Management replica, it will not show up in the CRL on another Identity Management replica.


  • Red Hat Enterprise Linux 6.3 and earlier
  • IPA 2.2 and earlier

Subscriber exclusive content

A Red Hat subscription provides unlimited access to our knowledgebase, tools, and much more.

Current Customers and Partners

Log in for full access

Log In

New to Red Hat?

Learn more about Red Hat subscriptions

Using a Red Hat product through a public cloud?

How to access this content