[Freeipa-devel] Checking OCSP and CRL during certificate login

Pavel Vomacka pvomacka at redhat.com
Wed Apr 12 16:36:19 UTC 2017



On 04/11/2017 03:24 PM, Rob Crittenden wrote:
> Pavel Vomacka wrote:
>> Hello,
>>
>> With the recent addition of certificate mapping and certificate login
>> support into WebUI, we also need to handle revoking of certificates
>> which are used for login. There is a ticket which requests this
>> functionality: https://pagure.io/freeipa/issue/6370
>>
>> We (me, David and Jan) are thinking about how to achieve this and the
>> way we found is the following: We mark the server cert in HTTP NSS DB as
>> trusted peer ('P,,') to avoid chicken and egg problem when we will need
>> to contact the OCSP responder when httpd is starting. And then set
>> NSSOCSP On directive in /etc/httpd/conf.d/nss.conf . The known downside
>> of OCSP is that when OCSP responder is not reachable, then the
>> certificate cannot be checked and login is not allowed. Should we
>> document it, or is that acceptable behavior? Is it OK to just fail?
>>
>> Another thing is checking CRL. The main issue here is that we don't have
>> a mechanism which would fetch the CRL periodically from the source and
>> therefore the CRL would have to be updated manually. Therefore I would go
>> only with OCSP now.
> mod_revocator does exactly what you are looking for.
>
> rob
Thank you for mentioning mod_revocator.
Is there any other documentation than this one:
https://pagure.io/mod_revocator ?
I found several more pages but they were not available.

-- 
Pavel^3 Vomacka
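The two settings proposed in the quoted message (server cert trusted as peer with 'P,,' in the httpd NSS DB, and NSSOCSP enabled in nss.conf) are easy to get subtly wrong, so here is an added example, not code from this thread, FreeIPA or mod_nss, that checks both and can apply them. It assumes the DB path /etc/httpd/alias, the nickname "Server-Cert" and GNU sed; the sample certutil output and nss.conf fragment at the bottom are constructed.

```shell
#!/bin/sh
# Added example (not from the thread, FreeIPA or mod_nss): verify, and optionally
# apply, "server cert trusted as peer (P,,)" plus "NSSOCSP on".
# Assumed defaults; override via environment. Nickname "Server-Cert" is an assumption.
NSSDB=${NSSDB:-/etc/httpd/alias}
NSSCONF=${NSSCONF:-/etc/httpd/conf.d/nss.conf}
NICK=${NICK:-Server-Cert}

# server_cert_is_peer NICK: read `certutil -L -d DB` output on stdin and succeed
# when the SSL column (first of "ssl,email,objsign") for NICK contains 'P'.
server_cert_is_peer() {
    awk -v nick="$1" '
        NF >= 2 && $NF ~ /,/ {                      # rows that end in a trust triple
            flags = $NF; sub(/[ \t]+[^ \t]+[ \t]*$/, "", $0)   # strip flags -> nickname
            if ($0 == nick) { found = 1; split(flags, f, ","); ok = (f[1] ~ /P/) }
        }
        END { exit !(found && ok) }'
}

# ocsp_enabled: read nss.conf on stdin; succeed only on an uncommented "NSSOCSP on".
ocsp_enabled() {
    grep -iqE '^[[:space:]]*NSSOCSP[[:space:]]+on[[:space:]]*$'
}

# check_setup DB CONF NICK: run both checks against a live host (needs certutil).
check_setup() {
    certutil -L -d "$1" | server_cert_is_peer "$3" || { echo "$3 is not trusted as peer (P,,)"; return 1; }
    ocsp_enabled < "$2" || { echo "NSSOCSP is not enabled in $2"; return 1; }
}

# apply_setup DB CONF NICK: the two changes from the proposal. The sed rewrites an
# existing (possibly commented-out) NSSOCSP line; it does not add one if absent.
apply_setup() {
    certutil -M -d "$1" -n "$3" -t "P,," &&
    sed -i -E 's/^[[:space:]]*#?[[:space:]]*NSSOCSP[[:space:]].*/NSSOCSP on/' "$2"
}

# Constructed sample inputs mimicking `certutil -L` output and an nss.conf fragment.
SAMPLE_CERTUTIL='
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI
EXAMPLE.TEST IPA CA                                          CT,C,C
Server-Cert                                                  P,,
'
SAMPLE_CONF='# NSSOCSP off
NSSOCSP on
'
printf '%s\n' "$SAMPLE_CERTUTIL" | server_cert_is_peer "$NICK" && echo "sample: peer trust OK"
printf '%s' "$SAMPLE_CONF" | ocsp_enabled && echo "sample: NSSOCSP on"
```

On a real host run `check_setup "$NSSDB" "$NSSCONF" "$NICK"` as root; `apply_setup` makes the changes, after which httpd must be restarted.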