> Can we even revoke these certificates when we are not the issuer?

I don't believe it's technically possible via OCSP, and it would be
unusual for CRL, but I believe it's technically possible.

> I was thinking we could because
> all we are doing when we run the openSSL command to revoke a certificate is
> adding it to our CRL that our applications use. We are not really revoking
> the certificate - making it invalid for use across the DoD - since that is
> the job of the issuer (in this case DoD).

I believe that will work if you use a static CRL; in CAS terms,
ResourceCRLRevocationChecker. It would not be possible by examining
the crlDistributionPoints extension field, which would presumably list
a CRL maintained by the issuer.

> My plan was to take the Server Certificate we generated (our CA) and add the
> crlDistributionPoints section to my openSSL configuration file, then
> regenerate the Server Certificate.

You're planning around the wrong certificate. You would be examining
that field on the certificate presented by the _client_, which is
issued by DoD and over which you have no control. Plan around the
component I mentioned above, which would allow you to reference a CRL
under your control and which you could examine after the SSL handshake
completes and you get inside the CAS Web application. You would reject
the certificate by the X509CredentialsAuthenticationHandler wired up
with ResourceCRLRevocationChecker.

M
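As an added illustration of the wiring described in the reply above (not from the original thread or the CAS project), a deployerConfigContext.xml fragment for CAS 3.x that points the X.509 handler at a CRL file you maintain yourself. The class names are those of the CAS X.509 support module; the bean ids, the issuer DN pattern and the CRL path are assumptions to check against the javadoc of your CAS version.

```xml
<!-- Spring bean wiring for CAS 3.x (cas-server-support-x509). Added example,
     not from the thread; bean ids, the DN pattern and the CRL path are
     assumptions to adapt to your deployment. -->
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:p="http://www.springframework.org/schema/p"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
                           http://www.springframework.org/schema/beans/spring-beans.xsd">

  <!-- Revocation checker backed by a static CRL at a location you control,
       e.g. the file written by 'openssl ca -gencrl' in your own PKI directory.
       Nothing here reads the crlDistributionPoints extension of the client
       certificate, which would point at the issuer-operated CRL instead. -->
  <bean id="localCrlChecker"
        class="org.jasig.cas.adaptors.x509.authentication.handler.support.ResourceCRLRevocationChecker">
    <constructor-arg value="file:/etc/cas/local-revocations.crl" />
  </bean>

  <!-- X.509 handler: only certificates whose issuer DN matches the regex are
       accepted, and the local CRL is consulted before the credential passes.
       The pattern below is a placeholder, not a real issuer DN. -->
  <bean id="x509Handler"
        class="org.jasig.cas.adaptors.x509.authentication.handler.support.X509CredentialsAuthenticationHandler"
        p:trustedIssuerDnPattern="CN=PLACEHOLDER ISSUER CA.*"
        p:revocationChecker-ref="localCrlChecker" />

  <!-- x509Handler is then listed among the authenticationManager's handlers -->
</beans>
```

The servlet container still performs the TLS client-certificate handshake against a truststore holding the issuer's CA; the checker runs afterwards on the certificate the container forwards. Per RFC 5280 a CRL's entries are scoped to the CRL issuer's own certificates unless it is an indirect CRL, so confirm with your JDK how java.security.cert.X509CRL.isRevoked treats a locally issued CRL that lists serial numbers of certificates issued by another CA.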

-- 
To unsubscribe, change settings or access archives, see 
http://www.ja-sig.org/wiki/display/JSG/cas-user
