Marvin,

Thanks again for the help. I am starting to experiment with the ResourceCRLRevocationChecker that you recommended. When you mention wiring up the X509CredentialsAuthenticationHandler with the ResourceCRLRevocationChecker, do you mean updating the deployerConfigContext.xml similar to: https://github.com/Jasig/cas/blob/master/cas-server-support-x509/src/main/resources/deployerConfigContext.xml
I guess what I am still missing is how the actual CRL file (that I would generate with OpenSSL) gets recognized by the CAS web application to do the actual comparison. How do I point the CAS code to the CRL file? I don't see how to do this in the deployerConfigContext.xml.

Thanks
Schawn

________________________________
From: Marvin Addison <[email protected]>
To: [email protected]
Sent: Wednesday, February 13, 2013 9:24 AM
Subject: Re: [cas-user] CAS support for CRL

> Can we even revoke these certificates when we are not the issuer?

I don't believe it's technically possible via OCSP, and it would be unusual for CRL, but I believe it's technically possible.

> I was thinking we could because
> all we are doing when we run the openSSL command to revoke a certificate is
> adding it to our CRL that our applications use. We are not really revoking
> the certificate - making it invalid for use across the DoD - since that is
> the job of the issuer (in this case DoD).

I believe that will work if you use a static CRL; in CAS terms, ResourceCRLRevocationChecker. It would not be possible by examining the crlDistributionPoints extension field, which would presumably list a CRL maintained by the issuer.

> My plan was to take the Server Certificate we generated (our CA) and add the
> crlDistributionPoints section to my openSSL configuration file, then
> regenerate the Server Certificate.

You're planning around the wrong certificate. You would be examining that field on the certificate presented by the _client_, which is issued by DoD and over which you have no control. Plan around the component I mentioned above, which would allow you to reference a CRL under your control and which you could examine after the SSL handshake completes and you get inside the CAS Web application. You would reject the certificate by the X509CredentialsAuthenticationHandler wired up with ResourceCRLRevocationChecker.
M

--
You are currently subscribed to [email protected] as: [email protected]
To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
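The wiring Schawn is asking about, as an added illustration rather than text from either correspondent or a file from the CAS project. It is a fragment for deployerConfigContext.xml in the style of the file linked in the first message. The two class names come from the thread; the package name (org.jasig.cas.adaptors.x509.authentication.handler.support), the property names (revocationChecker, trustedIssuerDnPattern, maxPathLength, refreshInterval) and the constructor taking a list of Spring resources are from memory of CAS 3.x and should be checked against that linked file; the CRL path /etc/cas/crl/local-revocations.pem and the issuer pattern are constructed placeholders.

```xml
<!-- Added example fragment for deployerConfigContext.xml; not the CAS project's own file.
     Assumes the "p" namespace is declared on <beans>, as in the linked file:
       xmlns:p="http://www.springframework.org/schema/p"
     Package, property and constructor details are assumptions from memory of CAS 3.x. -->

<!-- 1. The handler that validates the client certificate once the request is inside
        the CAS web application (i.e. after the container has finished the SSL handshake).
        revocationChecker is the hook that decides whether an otherwise-valid
        certificate has been revoked; without it no CRL is consulted at all.
        The issuer pattern is a placeholder: use a regex matching the client
        certificates' issuer DN. -->
<bean id="x509AuthenticationHandler"
      class="org.jasig.cas.adaptors.x509.authentication.handler.support.X509CredentialsAuthenticationHandler"
      p:trustedIssuerDnPattern="CN=ISSUER-DN-PLACEHOLDER.*"
      p:maxPathLength="1"
      p:revocationChecker-ref="revocationChecker" />

<!-- 2. The static CRL source. The file is read from wherever the Spring resource
        URL points (file:, classpath:, http:), so this is how "the CAS code" gets
        pointed at the CRL you generate with OpenSSL. The checker re-reads the
        resource every refreshInterval seconds, so rewriting the file after
        revoking another certificate does not require restarting CAS.
        The path below is a constructed placeholder. -->
<bean id="revocationChecker"
      class="org.jasig.cas.adaptors.x509.authentication.handler.support.ResourceCRLRevocationChecker"
      p:refreshInterval="3600">
  <constructor-arg index="0">
    <list>
      <value>file:/etc/cas/crl/local-revocations.pem</value>
    </list>
  </constructor-arg>
</bean>

<!-- 3. As in the linked file, the handler still has to be listed in the
        authenticationManager's authenticationHandlers list (alongside the
        X.509 credentials-to-principal resolver) for it to run at login. -->
```

Two caveats to verify in the CAS source rather than take from this note: to my recollection the checker selects a CRL by matching the CRL's issuer name to the client certificate's issuer DN, so a locally generated CRL has to carry that issuer name or the lookup finds nothing; and when no CRL is found the outcome is governed by the checker's unavailableCRLPolicy property, whose default I recall as "deny", which would lock out every client until the CRL is in place.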
