On 04/11/2017 03:24 PM, Rob Crittenden wrote:
> Pavel Vomacka wrote:
>> Hello,
>>
>> With the recent addition of certificate mapping and certificate login
>> support into WebUI, we need to handle also revoking of certificates
>> which are used for login. There is a ticket which requests this
>> functionality: https://pagure.io/freeipa/issue/6370
>>
>> We (me, David and Jan) are thinking about how to achieve this and the
>> way we found is the following: We mark the server cert in the HTTP NSS DB as
>> trusted peer ('P,,') to avoid a chicken-and-egg problem when we will need
>> to contact the OCSP responder when httpd is starting. And then set the
>> NSSOCSP On directive in /etc/httpd/conf.d/nss.conf . The known downside
>> of OCSP is that when the OCSP responder is not reachable, then the
>> certificate cannot be checked and login is not allowed. Should we
>> document it, or is that acceptable behavior? Is it OK to just fail?
>>
>> Another thing is checking the CRL. The main issue here is that we don't have
>> a mechanism which would fetch the CRL periodically from the source and
>> therefore the CRL would have to be updated manually. Therefore I would go
>> only with OCSP now.
> mod_revocator does exactly what you are looking for.
>
> rob
Thank you for mentioning mod_revocator.
Is there any other documentation than this one: https://pagure.io/mod_revocator ?
I found several more pages but they were not available.

--
Pavel^3 Vomacka

--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
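The two steps Pavel describes (mark the server cert as a trusted peer in the HTTP NSS DB so httpd can start without reaching the OCSP responder, then turn on NSSOCSP in nss.conf) are easy to get out of order, and doing them in the wrong order leaves httpd unable to start. The following is an added example, not FreeIPA or mod_nss project code: it parses a `certutil -L` listing, checks for the 'P' (trusted peer) flag in the SSL trust column, rewrites an nss.conf fragment so that `NSSOCSP On` is in effect, and reports what is still missing. The NSS DB path /etc/httpd/alias and the nickname Server-Cert are assumptions (parameters here), and both sample inputs are constructed.

```python
"""Pre-flight check before enabling OCSP for certificate login in mod_nss.

Added example, not FreeIPA/mod_nss code. Assumptions (not from the thread):
the HTTP NSS DB lives in /etc/httpd/alias and the server cert nickname is
"Server-Cert"; both are plain parameters below. SAMPLE_LISTING is a
constructed `certutil -L -d /etc/httpd/alias` output; SAMPLE_NSS_CONF is a
constructed fragment of /etc/httpd/conf.d/nss.conf.
"""
import re

SAMPLE_LISTING = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

EXAMPLE.TEST IPA CA                                          CT,C,C
Server-Cert                                                  u,u,u
"""

SAMPLE_NSS_CONF = """\
Listen 443
<VirtualHost _default_:443>
#   OCSP checking of client certificates is off by default
NSSOCSP off
NSSNickname Server-Cert
NSSCertificateDatabase /etc/httpd/alias
</VirtualHost>
"""

# NSS trust letters: C/T/c (CA trust), P/p (peer trust), u (user cert), w (warn)
_FLAGS = r"[CTcPpuw]*,[CTcPpuw]*,[CTcPpuw]*"


def parse_certutil_listing(text):
    """Map nickname -> (SSL, S/MIME, JAR/XPI) trust strings from certutil -L output."""
    certs = {}
    for line in text.splitlines():
        m = re.match(r"^(.*?)\s{2,}(" + _FLAGS + r")\s*$", line)
        if m:
            certs[m.group(1).strip()] = tuple(m.group(2).split(","))
    return certs


def is_trusted_peer(certs, nickname):
    """True when the SSL trust column carries 'P' (trusted peer).

    With explicit peer trust NSS accepts the server cert as-is instead of
    validating its chain, so httpd does not need the OCSP responder (which in
    this setup is only reachable once httpd is up) at startup."""
    flags = certs.get(nickname)
    return flags is not None and "P" in flags[0]


def certutil_mark_trusted_peer(db, nickname):
    """certutil invocation that sets the 'P,,' trust (run as root on the IPA server)."""
    return ["certutil", "-M", "-d", db, "-n", nickname, "-t", "P,,"]


def ocsp_enabled(conf_text):
    """Whether an uncommented 'NSSOCSP on' directive is present."""
    for line in conf_text.splitlines():
        m = re.match(r"^\s*NSSOCSP\s+(\S+)", line, re.IGNORECASE)
        if m:
            return m.group(1).lower() == "on"
    return False


def enable_ocsp(conf_text):
    """Return nss.conf text with exactly one 'NSSOCSP On' in effect.

    An existing NSSOCSP line is replaced in place (duplicates dropped);
    otherwise the directive is inserted just before </VirtualHost>, or
    appended when the fragment has no VirtualHost block at all."""
    out, done = [], False
    for line in conf_text.splitlines():
        if re.match(r"^\s*NSSOCSP\s+\S+", line, re.IGNORECASE):
            if not done:
                out.append("NSSOCSP On")
                done = True
            continue
        if re.match(r"^\s*</VirtualHost>", line, re.IGNORECASE) and not done:
            out.append("NSSOCSP On")
            done = True
        out.append(line)
    if not done:
        out.append("NSSOCSP On")
    return "\n".join(out) + "\n"


def preflight(listing_text, conf_text, db="/etc/httpd/alias", nickname="Server-Cert"):
    """List what is still wrong; an empty list means OCSP can be turned on safely."""
    problems = []
    certs = parse_certutil_listing(listing_text)
    if nickname not in certs:
        problems.append("server cert %r not found in %s" % (nickname, db))
    elif not is_trusted_peer(certs, nickname):
        problems.append("server cert %r is not a trusted peer; run: %s"
                        % (nickname, " ".join(certutil_mark_trusted_peer(db, nickname))))
    if not ocsp_enabled(conf_text):
        problems.append("NSSOCSP is not On in nss.conf")
    return problems


if __name__ == "__main__":
    for p in preflight(SAMPLE_LISTING, SAMPLE_NSS_CONF):
        print("-", p)
    print(enable_ocsp(SAMPLE_NSS_CONF))
```

Run against the constructed inputs, the check reports both problems (cert still `u,u,u`, directive still `off`); after `certutil -M ... -t P,,` the listing shows `Pu,u,u` for Server-Cert and the check passes once the rewritten nss.conf is in place. Note that the script only verifies the precondition for starting httpd; it does nothing about the failure mode Pavel raises, that an unreachable OCSP responder makes certificate login fail.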
