Product Technical Learning: PTL-16182

RH362: ch02s07 - Student confusion about CRL and CDP in IdM certificate management - RHT2540194


    • Type: Bug
    • Resolution: Unresolved
    • Priority: Minor
    • RH362 - RHEL9.1-en-3-20250829
    • RH362
    • en-US (English)

      URL: ch02s07
      Reporter RHNID: nl49827
      Section title: Lab: Working with Identity Management Core Technologies
      Language: English

      Issue description

      Let me start by noting that my experience with certificate signing is limited.

      I explored the IPA console and noticed the certificate section, which led me to expect that certificates would be issued from there. I briefly attempted this, but didn’t get very far.

      Instead, I observed that certificates are generated on the workstation via an intermediate CA that itself was issued by the IPA server.

      What I currently don’t fully understand is how the CRL is used within the client–server landscape. It appears to exist as a flat file on the workstation VM, and I therefore assume it is not directly reflected back into the IPA server.

      Based on my reading, I would expect the CA to expose a CRL Distribution Point (CDP). It made me wonder whether the exercise could be enhanced by demonstrating how CRL updates propagate through the CDP within IPA.

      Is that an incorrect understanding on my part, or does this process in fact update the CRL endpoint in IPA?

       

      Workaround:
      The student is correct in that the lab can be enhanced to demonstrate the full CRL propagation process. The intention of the lab is to demonstrate the underlying mechanics of revocation and CRL generation, but it does not cover the whole process of configuring a production environment for certificate revocation.
      The CRL generated in the lab should be made available and defined in the OpenSSL configuration file, similar to the following example:

      [ext]
      crlDistributionPoints = cdp1

      [cdp1]
      fullname = URI:http://example.com/myca.crl, URI:http://example.org/my.crl

      Then apply the new configuration, and you can verify the distribution point by inspecting a generated cert. You will see something like the following:

      X509v3 CRL Distribution Points:
      Full Name:
      URI:http://example.com/intermediate.crl.pem

      The PKI lecture and lab already go beyond the scope of the course, so I am not sure that we can add a full discussion of how to manage the CRLs.
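      The revoke, publish and re-check cycle that the workaround sketches, run end to end with the OpenSSL command line. This is an added example, not part of the RH362 lab and not code from the IdM or OpenSSL projects: it assumes only that openssl is on PATH, builds a throwaway CA in a temporary directory, and every name, file path and the CDP URI (pki.example.test) is constructed for the demo. It embeds the crlDistributionPoints extension in an issued certificate, publishes an empty CRL, revokes the certificate, regenerates the CRL and shows that the same certificate now fails a CRL check.

```shell
#!/bin/sh
# Added example, not part of the RH362 lab: a throwaway OpenSSL CA that embeds a
# CRL Distribution Point in the certificates it issues, publishes a CRL, revokes a
# certificate and re-checks it against the refreshed CRL. Every name, URI and path
# here is constructed for the demo; real clients would fetch the CRL from the CDP URI.
set -eu

CDP_URI="http://pki.example.test/demo-intermediate.crl"   # hypothetical CDP

# Print valid|revoked|invalid for certificate $1 checked against CA $2 and CRL $3.
# 'openssl verify' never downloads the CDP itself, so the CRL is handed over with -CRLfile.
crl_status() {
  if openssl verify -crl_check -CAfile "$2" -CRLfile "$3" "$1" >/dev/null 2>&1; then
    echo valid
  elif openssl verify -crl_check -CAfile "$2" -CRLfile "$3" "$1" 2>&1 | grep -q "certificate revoked"; then
    echo revoked
  else
    echo invalid
  fi
}

# Run the whole cycle in a scratch directory and print one summary line,
# e.g. "cdp=1 before=valid after=revoked".
run_demo() (
  work=$(mktemp -d)
  cd "$work"
  mkdir newcerts && touch index.txt && echo 1000 > serial && echo 1000 > crlnumber

  cat > ca.cnf <<EOF
[ ca ]
default_ca = demo_ca

[ demo_ca ]
dir              = .
database         = \$dir/index.txt
new_certs_dir    = \$dir/newcerts
serial           = \$dir/serial
crlnumber        = \$dir/crlnumber
certificate      = \$dir/ca.crt
private_key      = \$dir/ca.key
default_md       = sha256
default_days     = 365
default_crl_days = 30
policy           = demo_policy
x509_extensions  = ext        # applied to every certificate 'openssl ca' issues

[ demo_policy ]
commonName = supplied

[ req ]
prompt             = no
distinguished_name = req_dn
x509_extensions    = ca_ext   # applied to the self-signed CA certificate

[ req_dn ]
commonName = placeholder      # overridden by -subj below

[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage         = critical, keyCertSign, cRLSign

[ ext ]
basicConstraints      = CA:FALSE
crlDistributionPoints = cdp1

[ cdp1 ]
# several URIs stay on one line, comma-separated
fullname = URI:$CDP_URI, URI:http://pki-backup.example.test/demo-intermediate.crl
EOF

  # CA key/cert, then a server CSR signed by that CA with the [ext] extensions
  openssl req -x509 -new -newkey rsa:2048 -nodes -config ca.cnf -days 365 \
    -subj "/CN=Demo Intermediate CA" -keyout ca.key -out ca.crt >/dev/null 2>&1
  openssl req -new -newkey rsa:2048 -nodes -config ca.cnf \
    -subj "/CN=server.example.test" -keyout srv.key -out srv.csr >/dev/null 2>&1
  openssl ca -batch -config ca.cnf -in srv.csr -out srv.crt >/dev/null 2>&1

  # The issued certificate carries the CDP (the same thing the lab's inspection step shows)
  cdp=$(openssl x509 -in srv.crt -noout -text | grep -c "URI:$CDP_URI" || true)

  openssl ca -config ca.cnf -gencrl -out demo.crl >/dev/null 2>&1   # empty CRL
  before=$(crl_status srv.crt ca.crt demo.crl)

  openssl ca -config ca.cnf -revoke srv.crt -crl_reason keyCompromise >/dev/null 2>&1
  openssl ca -config ca.cnf -gencrl -out demo.crl >/dev/null 2>&1   # refreshed CRL
  after=$(crl_status srv.crt ca.crt demo.crl)

  cd / && rm -rf "$work"
  echo "cdp=$cdp before=$before after=$after"
)

run_demo
```

      The point the demo makes is the one the student raised: the extension only tells a relying party where the CRL is supposed to live. Nothing checks anything until the regenerated CRL is actually published at that URI and the client is configured to fetch and honour it; the OpenSSL CLI does not download CRLs on its own, which is why the check above passes the CRL file explicitly.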

              glsbugs-hybridcloud@redhat.com PTL - RHEL Team
              carias@redhat.com Carlos Arias