I thought ocsp was supported.  Good to know it is not.


Thanks for the info.


> On Aug 10, 2017, at 3:53 AM, tseegerkrb <> wrote:
> On 10.08.2017 06:55, Greg Hudson wrote:
>> On 08/08/2017 02:11 PM, Jim Shi wrote:
>>> Is there any document how to configure certificate revocation check for 
>>> PKINIT in KDC?
>> I believe the only documentation we have for this is in the man page for
>> kdc.conf, which says:
>> pkinit_revoke
>>  Specifies the location of Certificate Revocation List (CRL)
>>  information to be used by the KDC when verifying the validity of
>>  client certificates. This option may be specified multiple times.
>> The CRL file(s) have to be maintained out of band (we do not have OCSP
>> support; you might see documentation for a pkinit_kdc_ocsp variable but
>> it isn't implemented).  If I read the code correctly, CRL files are only
>> read on KDC startup, so the KDC must be restarted to update revoked
>> certs.  CRL files are expected to be in PEM format.
>> ________________________________________________
>> Kerberos mailing list 
> Hello,
> if you set this up, a little warning at least on debian and ubuntu the
> option "pkinit_require_crl_checking = true" does not work as expected. 
> If it set to true you get the message the certificate status is unknown (or 
> something similar).
> So if you can not authenticate with the certs try setting 
> 'pkinit_require_crl_checking' false.
> This will deny revoked certificates too.
> ...
>  pkinit_revoke = FILE:/etc/krb5kdc/TNTNET_LOCAL_PKINIT_CA.crl
>  #pkinit_revoke = /etc/krb5kdc/
>  # If pkinit_require_crl_checking is set to 'true'
>  # login always fails
>  pkinit_require_crl_checking = false
> }
> For testing and playing around i made a bash script to install a multimaster 
> kerberos server with openldap backend.
> The script setup pkinit too. If you wanna take a look you can find it here: 
> Regards
> Thorsten
> ________________________________________________
> Kerberos mailing list 

Attachment: smime.p7s
Description: S/MIME cryptographic signature

Kerberos mailing list 

Reply via email to