[Freeipa-devel] Checking OCSP and CRL during certificate login
Pavel Vomacka
pvomacka at redhat.com
Tue Apr 11 11:18:07 UTC 2017
Hello,
With the recent addition of certificate mapping and certificate login
support into WebUI, we also need to handle revoking of certificates
which are used for login. There is a ticket which requests this
functionality: https://pagure.io/freeipa/issue/6370
We (me, David and Jan) are thinking about how to achieve this and the
way we found is the following: We mark the server cert in HTTP NSS DB as
a trusted peer ('P,,') to avoid a chicken-and-egg problem when we need
to contact the OCSP responder when httpd is starting. And then set the
NSSOCSP On directive in /etc/httpd/conf.d/nss.conf. The known downside
of OCSP is that when the OCSP responder is not reachable, then the
certificate cannot be checked and login is not allowed. Should we
document it, or is that acceptable behavior? Is it OK to just fail?
Another thing is checking CRL. The main issue here is that we don't have
a mechanism which would fetch the CRL periodically from the source and
therefore the CRL would have to be updated manually. Therefore I would go
only with OCSP now.
Do you think that this makes sense? Comments and suggestions are more
than welcome.
--
Pavel^3 Vomacka
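
A read-only check for the two settings proposed in the message above (NSSOCSP On, and the 'P' trust flag on the server cert), as an added example that is not part of the original post or of FreeIPA's code. The function names, the nickname `Server-Cert` and the sample config and `certutil -L` listing text are constructed assumptions.

```shell
#!/bin/sh
# Added example; sample inputs below are constructed, not from a real host.

# Effective NSSOCSP value ("on"/"off") for nss.conf text on stdin.
# Assumptions: last uncommented NSSOCSP line wins; absent counts as off.
# Exact match on the directive name, so NSSOCSPDefaultResponder is ignored.
nssocsp_state() {
    awk 'BEGIN { s = "off" }
         /^[ \t]*#/ { next }
         tolower($1) == "nssocsp" { s = tolower($2) }
         END { print s }'
}

# SSL trust flags (first of the three fields) for nickname $1, read from
# `certutil -L` listing text on stdin. Nicknames may contain spaces, so the
# trust column is taken as the last whitespace-separated token of the line.
ssl_trust_flags() {
    awk -v nick="$1" '
        { name = $0; sub(/[ \t]+[^ \t]+$/, "", name)
          if (name == nick) { split($NF, f, ","); print f[1]; found = 1; exit } }
        END { if (!found) exit 1 }'
}

# $1 = nss.conf text, $2 = certutil -L text, $3 = server cert nickname
audit() {
    [ "$(printf '%s\n' "$1" | nssocsp_state)" = "on" ] ||
        { echo "FAIL: NSSOCSP is not on"; return 1; }
    flags=$(printf '%s\n' "$2" | ssl_trust_flags "$3") ||
        { echo "FAIL: nickname '$3' not in NSS DB listing"; return 1; }
    case $flags in
        *P*) echo "OK: NSSOCSP on, '$3' SSL trust flags: $flags" ;;
        *)   echo "FAIL: '$3' lacks trusted peer flag P (has: $flags)"; return 1 ;;
    esac
}

CONF_GOOD='# constructed nss.conf fragment
NSSOCSPDefaultResponder off
  NSSOCSP On'
CONF_BAD='#NSSOCSP On
NSSOCSPDefaultResponder on'
LIST_GOOD='Certificate Nickname                 Trust Attributes
                                     SSL,S/MIME,JAR/XPI

Server-Cert                          Pu,u,u
EXAMPLE.TEST IPA CA                  CT,C,C'
LIST_BAD='Server-Cert                          u,u,u'

audit "$CONF_GOOD" "$LIST_GOOD" "Server-Cert"
```

On a real host, pass the contents of /etc/httpd/conf.d/nss.conf and the `certutil -L` listing of the HTTP NSS DB instead of the sample variables.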