[Freeipa-devel] Checking OCSP and CRL during certificate login

Rob Crittenden rcritten at redhat.com
Tue Apr 11 13:24:51 UTC 2017


Pavel Vomacka wrote:
> Hello,
> 
> With the recent addition of certificate mapping and certificate login
> support into the WebUI, we also need to handle revocation of certificates
> which are used for login. There is a ticket which requests this
> functionality: https://pagure.io/freeipa/issue/6370
> 
> We (me, David and Jan) are thinking about how to achieve this and the
> way we found is the following: we mark the server cert in the HTTP NSS DB as
> a trusted peer ('P,,') to avoid a chicken-and-egg problem when we need
> to contact the OCSP responder while httpd is starting, and then set the
> NSSOCSP On directive in /etc/httpd/conf.d/nss.conf. The known downside
> of OCSP is that when the OCSP responder is not reachable, the
> certificate cannot be checked and login is not allowed. Should we
> document it, or is that acceptable behavior? Is it OK to just fail?
> 
> Another thing is checking the CRL. The main issue here is that we don't have
> a mechanism which would fetch the CRL periodically from its source, and
> therefore the CRL would have to be updated manually. Therefore I would go
> only with OCSP for now.

mod_revocator does exactly what you are looking for.

rob
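As an added illustration of the setup Pavel describes and the mod_revocator alternative Rob points to (this is an example written for this page, not configuration from the thread or from FreeIPA itself), here are the pieces side by side: the one-time certutil trust change, the weak and corrected NSSOCSP settings in nss.conf, and a mod_revocator stanza that refetches the CRL on a timer. Only NSSOCSP and the 'P,,' trust flags come from the thread; the NSS DB path, the "Server-Cert" nickname, the responder and CRL URLs, the local CRL path, and the mod_nss/mod_revocator directive names beyond NSSOCSP are assumptions to verify against the installed modules' documentation.

```apacheconf
# Added example, not from the thread or FreeIPA. Paths, nickname and URLs are
# assumed placeholders; directive names other than NSSOCSP are as I recall
# them from the mod_nss and mod_revocator documentation and should be checked
# against the installed module versions.

# --- Step 1 (shell, run once as root, not an httpd directive): mark httpd's
# own server cert as a trusted peer so NSS does not need to reach the OCSP
# responder to validate it at startup (the chicken-and-egg problem).
#   certutil -d /etc/httpd/alias -M -n "Server-Cert" -t "P,,"
# Check: the Server-Cert line should now show "P,," in the trust column.
#   certutil -d /etc/httpd/alias -L

# --- Step 2: /etc/httpd/conf.d/nss.conf

# Weak (the default): client certificates presented for login are
# chain-validated but never checked for revocation, so a revoked login
# certificate keeps working until it expires.
#NSSOCSP off

# Corrected: query the OCSP responder named in each client certificate's AIA
# extension before accepting it. As noted in the thread, if the responder is
# unreachable the check cannot complete and the login is refused (fail closed).
NSSOCSP on

# Optional: send every query to one responder instead of trusting the AIA URL
# embedded in the client certificate (assumed URL and nickname).
#NSSOCSPDefaultResponder on
#NSSOCSPDefaultURL http://ipa.example.test/ca/ocsp
# Nickname in the NSS DB of the certificate that signs OCSP responses:
#NSSOCSPDefaultName "Server-Cert"

# --- Step 3: CRL checking via mod_revocator (Rob's suggestion). The module
# downloads the CRL from the URL into the local file on a timer, so the CRL
# no longer has to be updated by hand. URL and local path are assumed.
LoadModule rev_module modules/mod_rev.so
CRLEngine on
CRLAgentTimeout 10
CRLUpdateInterval 3600
CRLHelper /usr/libexec/nss_crl_helper
CRLFile http://ipa.example.test/ipa/crl/MasterCRL.bin;/var/lib/ipa/crl/MasterCRL.bin
```

Two things worth checking after applying this: the trust column for Server-Cert in `certutil -L` should read P,, rather than the usual u,u,u, and because NSSOCSP applies during the TLS handshake, a revoked login certificate is rejected before the request ever reaches the WebUI, so the failure shows up as a handshake error in the httpd error log rather than as a WebUI login message.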
