By the way, revoking the certificate does not block applications using it from ldap.
I can still access the ldap server using this cert/key pair *after* revoking the certificate using ipa cert-revoke <serialnr>. In order to block it I need to remove the seeAlso value of the user account, or the certificate attribute. I do not know if this is a security issue, but maybe worthwhile documenting just in case.
-- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project