<html> <head> <style></style> </head> <body class='hmmessage'> Thanks Rob, OCSP and mod_revocator is working now fine in my tests! Great to see the mod_nss code base is more bug free and with more features than current mod_ssl implementation Luis > Date: Tue, 7 Sep 2010 15:20:31 -0400 > From: rcritten@redhat.com > To: luisneves@hotmail.com > CC: ttormo@indenova.com; mod_nss-list@redhat.com > Subject: Re: [Mod_nss-list] Problem configuring Client certificate Authentication > > Luis Neves wrote: > > Thanks! > > > > Im testing in Fedora 11. Great to know the variable work, maybe Ive used > > them in the wrong place. I will test it again only in about 2 weeks as > > Im going to holidays :) > > > > Just another tricky question, how do you will check that your users > > certificates didnt got revogated? (became invalid) You will be using > > certificates issued by an external Certification Authority (CA)? > > There are two ways: OCSP or a CRL. Or three ways I suppose, you can use > both. > > OCSP is an online lookup of the certificate validity. If the client has > an OCSP provider encoded in it then that can be used and you can define > a default OCSP provider in the mod_nss configuration (1.0.6+ IIRC). > > A CRL must be loaded into the mod_nss certificate database (default is > in /etc/httpd/alias). Apache needs to be restarted for the CRL to be > seen. The NSS utility crlutil can be used to update a CRL. > > If you have both enabled and loaded then NSS will first look in the CRL > to see if the certificate is revoked. If not it checks OCSP. This saves > a round-trip. > > An alternative to loading a CRL and restarting Apache is to use another > module, mod_revocator. In this you can define a list of URLs where CRLs > can be found and they are automatically fetched and made available to > NSS without requiring a restart. > > rob </body> </html>