[Freeipa-devel] Checking OCSP and CRL during certificate login

Rob Crittenden rcritten at redhat.com
Wed Apr 12 17:24:32 UTC 2017


Pavel Vomacka wrote:
> 
> 
> On 04/11/2017 03:24 PM, Rob Crittenden wrote:
>> Pavel Vomacka wrote:
>>> Hello,
>>>
>>> With the recent addition of certificate mapping and certificate login
>>> support into WebUI, we also need to handle revocation of certificates
>>> which are used for login. There is a ticket which requests this
>>> functionality: https://pagure.io/freeipa/issue/6370
>>>
>>> We (me, David and Jan) are thinking about how to achieve this and the
>>> way we found is the following: We mark the server cert in HTTP NSS DB as
>>> trusted peer ('P,,') to avoid the chicken-and-egg problem when we will need
>>> to contact the OCSP responder while httpd is starting. And then set the
>>> NSSOCSP On directive in /etc/httpd/conf.d/nss.conf . The known downside
>>> of OCSP is that when the OCSP responder is not reachable, the
>>> certificate cannot be checked and login is not allowed. Should we
>>> document it, or is that acceptable behavior? Is it OK to just fail?
>>>
>>> Another thing is checking CRL. The main issue here is that we don't have
>>> a mechanism which would fetch the CRL periodically from the source, and
>>> therefore the CRL would have to be updated manually. Therefore I would go
>>> only with OCSP for now.
>> mod_revocator does exactly what you are looking for.
>>
>> rob
> Thank you for mentioning mod_revocator.
> Is there any other documentation than this one:
> https://pagure.io/mod_revocator ?
> I found several more pages but they were not available.
> 

No, that's pretty much it. Let me know if you have any questions.

rob
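As an added example, not code from this thread, from FreeIPA or from mod_nss/mod_revocator, here is a Python sketch of the login-time OCSP decision Pavel describes, built with the `cryptography` package. The toy CA, the user certificates, the in-memory responder function and the `check_login_cert` decision rule are all constructed for illustration; the real responder would be the IPA CA's OCSP endpoint reached over HTTP. What the sketch shows is the full request/response exchange and the failure mode raised in the thread: when the responder cannot be reached (or answers with an error, or the signature does not verify), the only safe answer for a login gate is to fail closed.

```python
"""Added example: an OCSP check used as a login gate that fails closed.
Everything is constructed in memory with the `cryptography` package: a toy
CA, user certificates, and a stand-in OCSP responder (a plain function)
whose answers are signed by the CA key. None of this is FreeIPA code."""
import datetime
from cryptography import x509
from cryptography.x509 import ocsp
from cryptography.x509.oid import NameOID
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa, padding

NOW = datetime.datetime.now(datetime.timezone.utc)
DAY = datetime.timedelta(days=1)
DER = serialization.Encoding.DER


def _cert(subject, issuer_name, pubkey, signing_key, is_ca):
    """Build a minimal certificate for the toy PKI (constructed test data)."""
    return (x509.CertificateBuilder()
            .subject_name(subject).issuer_name(issuer_name)
            .public_key(pubkey).serial_number(x509.random_serial_number())
            .not_valid_before(NOW - DAY).not_valid_after(NOW + 30 * DAY)
            .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None),
                           critical=True)
            .sign(signing_key, hashes.SHA256()))


# Toy CA (constructed; stands in for the IPA CA, which also signs OCSP responses).
CA_KEY = rsa.generate_private_key(public_exponent=65537, key_size=2048)
CA_NAME = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Toy IPA CA")])
CA_CERT = _cert(CA_NAME, CA_NAME, CA_KEY.public_key(), CA_KEY, True)


def issue_user_cert(uid):
    """Issue a user certificate from the toy CA (the private key is discarded)."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, uid)])
    return _cert(name, CA_NAME, key.public_key(), CA_KEY, False)


def make_responder(issued, revoked_serials, reachable=True):
    """Stand-in OCSP responder: DER request in, DER response out.
    `issued` maps serial -> certificate; returns None to simulate an outage."""
    def respond(der_request):
        if not reachable:
            return None
        req = ocsp.load_der_ocsp_request(der_request)
        cert = issued.get(req.serial_number)
        if cert is None:  # never issued by us: refuse rather than guess
            return ocsp.OCSPResponseBuilder.build_unsuccessful(
                ocsp.OCSPResponseStatus.UNAUTHORIZED).public_bytes(DER)
        revoked = req.serial_number in revoked_serials
        builder = ocsp.OCSPResponseBuilder().add_response(
            cert=cert, issuer=CA_CERT, algorithm=hashes.SHA256(),
            cert_status=(ocsp.OCSPCertStatus.REVOKED if revoked
                         else ocsp.OCSPCertStatus.GOOD),
            this_update=NOW, next_update=NOW + DAY,
            revocation_time=NOW if revoked else None,
            revocation_reason=(x509.ReasonFlags.key_compromise if revoked
                               else None),
        ).responder_id(ocsp.OCSPResponderEncoding.HASH, CA_CERT)
        return builder.sign(CA_KEY, hashes.SHA256()).public_bytes(DER)
    return respond


def check_login_cert(cert, issuer, responder):
    """Decide whether a certificate presented for login may be used.
    Returns (allowed, reason). Any doubt means not allowed: fail closed."""
    req = (ocsp.OCSPRequestBuilder()
           .add_certificate(cert, issuer, hashes.SHA256()).build())
    raw = responder(req.public_bytes(DER))
    if raw is None:
        return False, "responder unreachable"
    resp = ocsp.load_der_ocsp_response(raw)
    if resp.response_status != ocsp.OCSPResponseStatus.SUCCESSFUL:
        return False, "responder error: " + resp.response_status.name
    try:  # the response must be signed by the issuer (acting as responder here)
        issuer.public_key().verify(resp.signature, resp.tbs_response_bytes,
                                   padding.PKCS1v15(),
                                   resp.signature_hash_algorithm)
    except InvalidSignature:
        return False, "bad response signature"
    if resp.serial_number != cert.serial_number:
        return False, "response is for a different certificate"
    if resp.certificate_status == ocsp.OCSPCertStatus.GOOD:
        return True, "good"
    return False, "status " + resp.certificate_status.name


if __name__ == "__main__":
    alice, bob = issue_user_cert("alice"), issue_user_cert("bob")
    issued = {alice.serial_number: alice, bob.serial_number: bob}
    online = make_responder(issued, {bob.serial_number})
    offline = make_responder(issued, set(), reachable=False)
    print("alice, responder up:  ", check_login_cert(alice, CA_CERT, online))
    print("bob (revoked):        ", check_login_cert(bob, CA_CERT, online))
    print("alice, responder down:", check_login_cert(alice, CA_CERT, offline))
```

The `responder` parameter is deliberately just a callable from request bytes to response bytes (or `None`), so the same decision logic can be exercised against an outage without any network. The unreachable case is the one the thread asks about: here it simply denies the login, which is the behaviour `NSSOCSP On` in mod_nss has as well.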