Pavel Vomacka wrote:
> On 04/11/2017 03:24 PM, Rob Crittenden wrote:
>> Pavel Vomacka wrote:
>>> Hello,
>>> With the recent addition of certificate mapping and certificate login
>>> support into WebUI, we also need to handle revoking of certificates
>>> which are used for login. There is a ticket which requests this
>>> functionality:
>>> We (David, Jan and I) are thinking about how to achieve this and the
>>> way we found is the following: We mark the server cert in the HTTP NSS DB as
>>> a trusted peer ('P,,') to avoid the chicken-and-egg problem when we need
>>> to contact the OCSP responder while httpd is starting. And then set the
>>> NSSOCSP On directive in /etc/httpd/conf.d/nss.conf . The known downside
>>> of OCSP is that when the OCSP responder is not reachable, the
>>> certificate cannot be checked and login is not allowed. Should we
>>> document it, or is that acceptable behavior? Is it OK to just fail?
>>> Another thing is checking the CRL. The main issue here is that we don't have
>>> a mechanism which would fetch the CRL periodically from the source and
>>> therefore the CRL would have to be updated manually. Therefore I would go
>>> only with OCSP for now.
>> mod_revocator does exactly what you are looking for.
>> rob
> Thank you for mentioning mod_revocator.
> Is there any other documentation than this one:
> ?
> I found several more pages but they were not available.

No, that's pretty much it. Let me know if you have any questions.
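Added example, not part of this thread: a small POSIX shell check that verifies the two prerequisites Pavel describes above, the server cert carrying the 'P' (trusted peer) SSL trust flag in the httpd NSS database and an active NSSOCSP On directive in nss.conf. The certutil -L output and nss.conf lines are constructed samples, and the nickname Server-Cert is assumed.

```shell
#!/bin/sh
# Constructed sample of `certutil -L -d <httpd NSS db>` output (not captured from a real server).
SAMPLE_CERTUTIL='Certificate Nickname                        Trust Attributes
                                            SSL,S/MIME,JAR/XPI

Server-Cert                                 Pu,u,u
EXAMPLE.COM IPA CA                          CT,C,C'

# Constructed sample of the relevant /etc/httpd/conf.d/nss.conf lines.
SAMPLE_NSSCONF='NSSEngine on
NSSNickname Server-Cert
NSSOCSP On'

# trust_flags NICKNAME CERTUTIL_OUTPUT
# Prints the trust-attribute column for NICKNAME (e.g. "Pu,u,u"), empty if absent.
trust_flags() {
  printf '%s\n' "$2" | awk -v nick="$1" 'index($0, nick " ") == 1 { print $NF; exit }'
}

# has_peer_trust NICKNAME CERTUTIL_OUTPUT
# Succeeds if the SSL trust flags (first comma-separated field) contain "P",
# i.e. the cert is a trusted peer, so httpd does not need to reach the OCSP
# responder for its own certificate while starting up.
has_peer_trust() {
  flags=$(trust_flags "$1" "$2")
  case "${flags%%,*}" in
    *P*) return 0 ;;
    *)   return 1 ;;
  esac
}

# ocsp_enabled NSSCONF_TEXT
# Succeeds if an uncommented "NSSOCSP On" directive is present.
ocsp_enabled() {
  printf '%s\n' "$1" | grep -Eiq '^[[:space:]]*NSSOCSP[[:space:]]+on[[:space:]]*$'
}

# check_login_cert_revocation NICKNAME CERTUTIL_OUTPUT NSSCONF_TEXT
# Reports whether both prerequisites are in place and prints what is missing.
check_login_cert_revocation() {
  rc=0
  has_peer_trust "$1" "$2" || { echo "missing: '$1' lacks the P (trusted peer) SSL trust flag"; rc=1; }
  ocsp_enabled "$3"        || { echo "missing: NSSOCSP On is not set"; rc=1; }
  return $rc
}
```

Against a live server, feed it `certutil -L -d /etc/httpd/alias` output and the contents of nss.conf instead of the samples; remember that with NSSOCSP On an unreachable responder still means a failed login, exactly as noted above.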


Manage your subscription for the Freeipa-devel mailing list: