The puppetmaster doing catalog compilation, puppetmaster-client in your case, does verify that the client cert is not in the CRL. However, you have to help it out a bit. For one, you need the puppetmaster-client to get the most recent CRL from the puppetmaster (the CA server) on a regular basis; often you can do this by running puppetmaster-client in agent mode against puppetmaster, but you could also have a cron job to sync the files. For two, in some cases you need to restart apache in order to re-read the CRL.
Hope this helps.

Spencer

On Sun, Mar 30, 2014 at 2:32 PM, Chris <[email protected]> wrote:
> On 31/03/14 08:13, Spencer Krum wrote:
>
>> When you have a separate server providing the CA service, it is only
>> contacted when a client first connects. After the client's cert is
>> signed, the CA server does nothing. Does that make sense?
>>
>
> Yes and no.
>
> Yes - I'm not missing something :)
> No - I can't control client access with certificates. I thought it would
> check the certificate was still valid.
>
> Anyway, thanks for the info - much appreciated.
>
>
> Chris.
> --
> Postgresql & php tutorials
> http://www.designmagick.com/
>
> --
> You received this message because you are subscribed to the Google Groups
> "Puppet Users" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/53388D51.6010701%40gmail.com.
>
> For more options, visit https://groups.google.com/d/optout.

--
Spencer Krum
(619)-980-7820

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/CADt6FWMCv%2BBGDjr7xJVE8%3DMi-X68CMQjd1WdGv6w%2B-WPL1BLQg%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.
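The "cron job to sync the files" option from the reply above, written out as an added example (this is not code from the thread or from the Puppet project): a script for the catalog-compiling master that pulls the CA master's current CRL, installs it only when it has actually changed, and reloads Apache only in that case, so the revocation list the compile master checks against never goes stale. Everything below the first comment block is an assumption for illustration: the CA hostname, the Puppet 3 style `/production/certificate_revocation_list/ca` URL with `Accept: s`, the `/var/lib/puppet/ssl` layout, and `service apache2 reload` as the way to make the front end re-read the CRL.

```shell
#!/bin/sh
# Added example, not part of the mailing-list thread or of Puppet itself.
# Cron job for the compile master (puppetmaster-client): fetch the CRL
# from the CA master and reload Apache only if the CRL changed.
# Assumed (not stated in the thread): CA master at $CA_HOST:8140, a
# Puppet 3 style CRL endpoint, the standard ssldir layout, Apache front end.

CA_HOST="${CA_HOST:-puppetmaster.example.com}"      # placeholder CA hostname
SSL_DIR="${SSL_DIR:-/var/lib/puppet/ssl}"
FQDN="${FQDN:-$(hostname -f 2>/dev/null || hostname)}"
CRL_PATH="$SSL_DIR/crl.pem"
CERT="$SSL_DIR/certs/$FQDN.pem"
KEY="$SSL_DIR/private_keys/$FQDN.pem"
CA_CERT="$SSL_DIR/certs/ca.pem"

# fetch_crl DEST: download the CA's CRL (PEM) into DEST, authenticating with
# this host's own agent cert, exactly as an agent run against the CA would.
fetch_crl() {
    curl -sSf --cert "$CERT" --key "$KEY" --cacert "$CA_CERT" \
        -H 'Accept: s' \
        "https://$CA_HOST:8140/production/certificate_revocation_list/ca" \
        -o "$1"
}

# install_if_changed NEW DEST: copy NEW over DEST only when the content
# differs. Prints "changed" or "unchanged" so the caller can decide whether
# a reload is needed and the cron log shows what happened.
install_if_changed() {
    new="$1"; dest="$2"
    if [ -f "$dest" ] && cmp -s "$new" "$dest"; then
        echo unchanged
        return 0
    fi
    cp "$new" "$dest" || return 1
    chmod 0644 "$dest"
    echo changed
}

# crl_serials CRL: list the revoked serial numbers, useful when checking
# by hand that a revoked client's cert really is in the copy being used.
crl_serials() {
    openssl crl -in "$1" -noout -text | sed -n 's/^ *Serial Number: //p'
}

main() {
    tmp=$(mktemp) || exit 1
    trap 'rm -f "$tmp"' EXIT
    fetch_crl "$tmp" || { echo "CRL fetch from $CA_HOST failed" >&2; exit 1; }
    # Only install something openssl can parse as a CRL; a 404 page or a
    # truncated download must never replace the working list.
    openssl crl -in "$tmp" -noout >/dev/null 2>&1 \
        || { echo "fetched file is not a valid CRL, keeping current one" >&2; exit 1; }
    if [ "$(install_if_changed "$tmp" "$CRL_PATH")" = changed ]; then
        echo "CRL updated, reloading apache so the master re-reads it"
        service apache2 reload          # or: systemctl reload httpd
    fi
}

# Run the sync only when invoked as "sync_crl.sh run" (e.g. from cron);
# sourcing the file just defines the functions.
case "${1:-}" in
    run) main ;;
esac
```

A cron line such as `*/15 * * * * /usr/local/sbin/sync_crl.sh run` keeps the compile master within fifteen minutes of the CA's view of revocations; `crl_serials /var/lib/puppet/ssl/crl.pem` is the quick check that a cert you revoked on the CA has really reached the master that does the compiling.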
