The myproxy-server rejects revoked certificates. It checks CRLs by default and can be optionally configured to query OCSP. It's not necessary to use OCSP if you have CRLs in place. The myproxy-server reads the CRL files in /etc/grid-security/certificates for every request, so it immediately discovers any updates to the CRL files.
I ran my own tests to confirm. With no CRL in place I get:

$ myproxy-init -s localhost -c 0
Your identity: /O=Grid/OU=GlobusTest/OU=simpleCA/CN=Jim Basney
Creating proxy ................................... Done
Proxy Verify OK
Your proxy is valid until: Fri Jan 18 03:35:17 2013
Enter MyProxy pass phrase:
Verifying - Enter MyProxy pass phrase:
A proxy valid for 11 hours (0.5 days) for user jbasney now exists on localhost.

When I create a CRL revoking my certificate and install it in /etc/grid-security/certificates on my myproxy-server, I get:

$ myproxy-init -s localhost -c 0
Your identity: /O=Grid/OU=GlobusTest/OU=simpleCA/CN=Jim Basney
Creating proxy .................. Done
Proxy Verify OK
Your proxy is valid until: Fri Jan 18 03:35:17 2013
Error authenticating: GSS Major Status: Authentication Failed
GSS Minor Status Error Chain:
globus_gss_assist: Error during context initialization
globus_gsi_gssapi: Unable to verify remote side's credentials
globus_gsi_gssapi: SSLv3 handshake problems: Couldn't do ssl handshake
OpenSSL Error: /SourceCache/OpenSSL098/OpenSSL098-47/src/ssl/s3_pkt.c:1102: in library: SSL routines, function SSL3_READ_BYTES: sslv3 alert certificate revoked SSL alert number 44

When I install the CRL on the client side, I get an earlier error, because myproxy-init verifies the credential before trying to use it:

$ myproxy-init -s localhost -c 0 -v
Your identity: /O=Grid/OU=GlobusTest/OU=simpleCA/CN=Jim Basney
Creating proxy ................ Done
Error: Couldn't verify the authenticity of the user's credential to generate a proxy from.
grid_proxy_init.c:971: globus_credential: Error verifying credential: Failed to verify credential
globus_gsi_callback_module: Could not verify credential
globus_gsi_callback_module: Could not verify credential
globus_gsi_callback_module: The certificate has been revoked: Serial number = 57 (0x39) Subject=/O=Grid/OU=GlobusTest/OU=simpleCA/CN=Jim Basney
grid-proxy-init failed

So my guess is your certificate's serial number isn't listed in the CRL you generated, or you didn't install the CRL in /etc/grid-security/certificates/<hash>.r0 on the myproxy-server. You can use openssl to check if your certificate is revoked:

$ openssl verify \
    -CApath /etc/grid-security/certificates -crl_check usercert.pem
usercert.pem: /O=Grid/OU=GlobusTest/OU=simpleCA/CN=Jim Basney
error 23 at 0 depth lookup:certificate revoked

$ openssl crl -text -noout -in 86863cfb.r0
Certificate Revocation List (CRL):
        Version 1 (0x0)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: /O=Grid/OU=GlobusTest/OU=simpleCA/CN=Globus Simple CA
        Last Update: Jan 17 21:41:27 2013 GMT
        Next Update: Jan 31 21:41:27 2013 GMT
Revoked Certificates:
    Serial Number: 39
        Revocation Date: Jan 17 21:40:23 2013 GMT
    Signature Algorithm: sha1WithRSAEncryption
        28:9b:1f:f0:15:50:a5:43:d5:57:d1:e2:2c:f4:ac:91:56:04:
        6a:f1:bc:52:b7:e0:56:83:58:16:82:30:fc:ed:23:e2:1a:8d:
        b0:db:89:ee:3c:1a:12:20:b1:46:d0:ef:e6:c0:d8:26:76:2d:
        8a:19:6f:11:bd:bd:4e:de:3a:e4:99:d2:76:b8:fb:bb:32:6d:
        cf:ca:71:70:f3:5e:dd:7c:ee:e3:98:1b:cc:59:c3:69:f4:03:
        9f:f2:0b:3e:66:14:dc:1b:ab:93:57:30:48:56:25:d9:05:b8:
        c2:6b:04:7f:ce:40:c1:7c:51:0d:c3:b5:30:f2:37:2b:b5:e4:
        43:cb

$ openssl x509 -noout -serial -in usercert.pem
serial=39

On 1/17/13 3:15 PM, leo_cu...@lavabit.com wrote:
> Is it possible to avoid the storage of a credential for revoked certificates?
>
> I found something interesting in myproxy-server.config comments, like the
> ocsp protocol used to check the validity of credentials stored in the
> myproxy-server repository before they may be delegated to a user. But in
> this case do I have to enable an OCSP server with a crl distribution site
> in order to achieve my task? I haven't found how to make myproxy
> automatically "discover" the revoked certificates from the CRL
> in /etc/grid-security/certificates, so that it stops making proxy certificates
> for revoked certificates.
>
> I created a certificate and key pair with a CA of my own. I tested
> myproxy-init and myproxy-logon: all ok. I followed by revoking this
> certificate, downloaded the CA's new CRL and rewrote the
> /etc/grid-security/certificates/<hash>.r0 file, but I was still able to
> store the credentials of the revoked certificate.
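The two checks Jim suggests above (is the serial listed in the CRL, and is the CRL installed as <hash>.r0 where the CApath lookup finds it) can be rehearsed end to end without a grid CA. The script below is an added example and is not code from the original post or from MyProxy: it builds a throwaway CA with `openssl ca`, issues two user certificates, revokes one, installs the CRL beside the CA certificate, and runs `openssl verify -crl_check` against both. It assumes an `openssl` binary (1.0 or later) and `mktemp` on PATH; the CA and user subjects, file names and directory are constructed for the demo, and the certificates directory stands in for /etc/grid-security/certificates.

```shell
#!/bin/sh
# Added example, not code from the original post or from MyProxy: build a
# throwaway CA, issue two user certs, revoke one, publish the CRL as
# <hash>.r0 beside the CA cert, and check both certs with
# `openssl verify -crl_check`. Subjects, names and paths are constructed.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CERTS="$WORK/certificates"   # stands in for /etc/grid-security/certificates
mkdir -p "$CERTS"
: > "$WORK/index.txt"; echo 01 > "$WORK/serial"; echo 01 > "$WORK/crlnumber"

# Minimal config for `openssl req` (CA + CSRs) and `openssl ca` (issue/revoke/CRL).
cat > "$WORK/ca.cnf" <<EOF
[ ca ]
default_ca = demo_ca
[ demo_ca ]
database         = $WORK/index.txt
new_certs_dir    = $WORK
serial           = $WORK/serial
crlnumber        = $WORK/crlnumber
certificate      = $WORK/ca.crt
private_key      = $WORK/ca.key
default_md       = sha256
default_days     = 365
default_crl_days = 14
policy           = demo_policy
x509_extensions  = usr_cert
[ demo_policy ]
organizationName       = optional
organizationalUnitName = optional
commonName             = supplied
[ usr_cert ]
basicConstraints = CA:FALSE
[ req ]
distinguished_name = req_dn
x509_extensions    = v3_ca
[ req_dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage         = critical,keyCertSign,cRLSign
EOF

make_ca() {   # self-signed CA, installed in the CApath as <hash>.0
  openssl req -x509 -newkey rsa:2048 -nodes -config "$WORK/ca.cnf" -days 30 \
    -subj "/O=Grid/OU=DemoCA/CN=Demo Simple CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
  HASH=$(openssl x509 -noout -hash -in "$WORK/ca.crt")
  cp "$WORK/ca.crt" "$CERTS/$HASH.0"
}
issue_cert() {   # issue_cert <name> <CN>: CSR + `openssl ca`, so index.txt tracks it
  openssl req -new -newkey rsa:2048 -nodes -config "$WORK/ca.cnf" \
    -subj "/O=Grid/OU=DemoCA/CN=$2" -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  openssl ca -batch -notext -config "$WORK/ca.cnf" \
    -in "$WORK/$1.csr" -out "$WORK/$1.crt" 2>/dev/null
}
revoke_cert() {  # revoke_cert <name>: revoke, regenerate the CRL, install it as <hash>.r0
  openssl ca -config "$WORK/ca.cnf" -revoke "$WORK/$1.crt" 2>/dev/null
  openssl ca -config "$WORK/ca.cnf" -gencrl -out "$WORK/crl.pem" 2>/dev/null
  cp "$WORK/crl.pem" "$CERTS/$HASH.r0"
}
# crl_status <capath> <cert>: prints revoked | valid | error. Matches on the
# text because old openssl verify builds exit 0 even when verification fails.
crl_status() {
  out=$(openssl verify -CApath "$1" -crl_check "$2" 2>&1 || true)
  case "$out" in
    *"certificate revoked"*) echo revoked ;;
    *": OK"*)                echo valid ;;
    *)                       echo error ;;
  esac
}
# serial_in_crl <crl> <cert>: the check from the reply, cert serial vs CRL entries
serial_in_crl() {
  s=$(openssl x509 -noout -serial -in "$2"); s=${s#serial=}
  openssl crl -noout -text -in "$1" | grep -q "Serial Number: $s\$"
}

make_ca
issue_cert alice "Alice Example"
issue_cert bob "Bob Example"
NO_CRL=$(crl_status "$CERTS" "$WORK/alice.crt")   # no <hash>.r0 yet: "error"
revoke_cert alice
ALICE=$(crl_status "$CERTS" "$WORK/alice.crt")    # "revoked"
BOB=$(crl_status "$CERTS" "$WORK/bob.crt")        # still "valid"
echo "without CRL: $NO_CRL; with CRL: alice=$ALICE bob=$BOB"
if serial_in_crl "$WORK/crl.pem" "$WORK/alice.crt"; then
  echo "alice's serial is listed in $CERTS/$HASH.r0"
fi
```

Two things the run makes visible that the reply only states. First, `-crl_check` with no `<hash>.r0` present is an error, not a pass, so a deployment that silently lost its CRL files would fail closed under this check; the myproxy-server behaviour in that situation is not shown on this page. Second, the CRL file name has to use the same hash the verifying openssl computes: `openssl x509 -hash` on an OpenSSL 1.0 or later build gives the new-style hash, while `-subject_hash_old` gives the pre-1.0 value, which is why 0.9.8-era and 1.0-era installs can disagree on which `<hash>.r0` is looked up. This script does not exercise myproxy-server itself; `openssl verify` stands in for the CRL check the server performs during the GSI handshake.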