With the recent addition of certificate mapping and certificate login support into WebUI, we also need to handle revocation of certificates which are used for login. There is a ticket which requests this functionality: https://pagure.io/freeipa/issue/6370

We (me, David and Jan) are thinking about how to achieve this, and the way we found is the following: We mark the server cert in the HTTP NSS DB as a trusted peer ('P,,') to avoid a chicken-and-egg problem when we need to contact the OCSP responder while httpd is starting. Then we set the NSSOCSP On directive in /etc/httpd/conf.d/nss.conf. The known downside of OCSP is that when the OCSP responder is not reachable, the certificate cannot be checked and login is not allowed. Should we document it, or is that acceptable behavior? Is it OK to just fail?

Another thing is checking the CRL. The main issue here is that we don't have a mechanism which would fetch the CRL periodically from the source, and therefore the CRL would have to be updated manually. Therefore I would go only with OCSP now.

Do you think that this makes sense? Comments and suggestions are more than welcome.

Pavel^3 Vomacka
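As an added example (not part of the mail above or of FreeIPA's own code), the following POSIX shell script is a pre-flight check for the setup the mail describes: it parses `certutil -L` output to confirm the server certificate carries the trusted-peer flags ('P,,'), and checks that nss.conf has NSSOCSP turned on. The NSS DB path /etc/httpd/alias, the nickname "Server-Cert" and the sample certutil output are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original mail. Assumed paths and names:
# NSS DB /etc/httpd/alias, server cert nickname "Server-Cert".

# Print the trust-attribute column for the certificate nicknamed $1, reading
# `certutil -L` output on stdin. certutil prints a two-line header, a blank
# line, then "<nickname> <flags>" lines; the nickname may contain spaces, so
# the flags are taken as the last field and stripped from the rest.
trust_flags_for() {
    awk -v nick="$1" '
        NR > 2 && NF >= 2 {
            flags = $NF
            name = $0
            sub(/[ \t]+[^ \t]+$/, "", name)
            if (name == nick) { print flags; exit }
        }'
}

# Succeed (exit 0) only if the cert named $1 is marked as a trusted peer,
# i.e. exactly "P,,", so httpd can start without an OCSP lookup of its own
# certificate (the chicken-and-egg case in the mail).
is_trusted_peer() {
    [ "$(trust_flags_for "$1")" = "P,," ]
}

# Succeed only if the nss.conf text on stdin enables OCSP checking
# (an uncommented "NSSOCSP On" line; case of the value is ignored).
ocsp_enabled() {
    grep -Eiq '^[[:space:]]*NSSOCSP[[:space:]]+on[[:space:]]*$'
}

# Constructed sample of `certutil -d /etc/httpd/alias -L` output, in which
# the server cert has already been re-marked with
#   certutil -d /etc/httpd/alias -M -n Server-Cert -t "P,,"
SAMPLE_CERTUTIL='Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Server-Cert                                                  P,,
IPA CA                                                       CT,C,C'

# Constructed sample of the relevant nss.conf lines.
SAMPLE_NSS_CONF='NSSEngine on
NSSOCSP On'

# Stand-alone run against the constructed samples. On a real host replace
# the printf pipelines with:
#   certutil -d /etc/httpd/alias -L | is_trusted_peer Server-Cert
#   ocsp_enabled < /etc/httpd/conf.d/nss.conf
if printf '%s\n' "$SAMPLE_CERTUTIL" | is_trusted_peer Server-Cert; then
    echo "Server-Cert: trusted peer (P,,)"
else
    echo "Server-Cert: NOT trusted peer, httpd may fail to start with OCSP on"
fi
if printf '%s\n' "$SAMPLE_NSS_CONF" | ocsp_enabled; then
    echo "nss.conf: NSSOCSP On"
else
    echo "nss.conf: OCSP checking is off"
fi
```

Both checks fail closed: a missing or different trust string (for example the default "u,u,u") and a commented-out or "Off" directive are reported as not configured, which mirrors the fail-closed behaviour of NSS OCSP checking itself when the responder is unreachable.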
