Pavel Vomacka wrote:
> Hello,
> With the recent addition of certificate mapping and certificate login
> support into WebUI, we need to handle also revoking of certificates
> which are used for login. There is ticket which requests this
> functionality:
> We (me, David and Jan) are thinking about how to achieve this and the
> way we found is following: We mark the server cert in HTTP NSS DB as
> trusted peer ('P,,') to avoid chicken and egg problem when we will need
> to contact the OCSP responder when httpd is starting. And then set
> NSSOCSP On directive in /etc/httpd/conf.d/nss.conf . The known downside
> of OCSP is that when OCSP responder is not reachable, then the
> certificate cannot be checked and login is not allowed. Should we
> document it, or is that acceptable behavior? Is it OK to just fail?
> Another thing is checking CRL. The main issue here is that we don't have
> mechanism which would fetch CRL periodically from the source and
> therefore the CRL would has to be updated manually. Therefore I would go
> only with OCSP now.

mod_revocator does exactly what you are looking for.


Manage your subscription for the Freeipa-devel mailing list:
Contribute to FreeIPA:

Reply via email to