Pavel Vomacka wrote:
> Hello,
>
> With the recent addition of certificate mapping and certificate login
> support into WebUI, we need to also handle revoking of certificates
> which are used for login. There is a ticket which requests this
> functionality: https://pagure.io/freeipa/issue/6370
>
> We (me, David and Jan) are thinking about how to achieve this and the
> way we found is the following: we mark the server cert in the HTTP NSS DB as
> trusted peer ('P,,') to avoid a chicken-and-egg problem when we need
> to contact the OCSP responder while httpd is starting. And then set the
> NSSOCSP On directive in /etc/httpd/conf.d/nss.conf. The known downside
> of OCSP is that when the OCSP responder is not reachable, the
> certificate cannot be checked and login is not allowed. Should we
> document it, or is that acceptable behavior? Is it OK to just fail?
>
> Another thing is checking the CRL. The main issue here is that we don't have
> a mechanism which would fetch the CRL periodically from the source, and
> therefore the CRL would have to be updated manually. Therefore I would go
> only with OCSP for now.
mod_revocator does exactly what you are looking for.

rob

--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
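The two mod_nss steps Pavel describes above (trust the server cert as a peer, then turn on NSSOCSP), as an added shell example that is not code from the thread or from FreeIPA itself; the config path, NSS DB path and the "Server-Cert" nickname are assumptions taken from FreeIPA's usual layout, and the sample config in the comments is constructed:

```shell
#!/bin/sh
# Added example, not from the thread. Assumed defaults (override via env):
#   mod_nss config  /etc/httpd/conf.d/nss.conf
#   HTTP NSS DB     /etc/httpd/alias
#   server cert     nickname "Server-Cert"
NSS_CONF="${NSS_CONF:-/etc/httpd/conf.d/nss.conf}"
NSS_DB="${NSS_DB:-/etc/httpd/alias}"
CERT_NICK="${CERT_NICK:-Server-Cert}"

# Step 1: mark the server certificate as a trusted peer ('P,,') so mod_nss
# accepts its own cert without an OCSP round trip while httpd is starting
# (the chicken-and-egg problem mentioned in the thread). Touches the real DB.
trust_server_cert_as_peer() {
    certutil -M -d "$NSS_DB" -n "$CERT_NICK" -t 'P,,'
}

# Step 2: set "NSSOCSP on" in the config given as $1. An existing NSSOCSP
# directive is rewritten in place (first one kept, duplicates dropped);
# if none exists, one is appended. Note the caveat from the thread: with
# OCSP on, an unreachable responder means the client cert cannot be
# checked and the login fails closed.
set_nssocsp_on() {
    conf="$1"
    tmp="$conf.tmp"
    awk '
        tolower($1) == "nssocsp" {
            if (!done) { print "NSSOCSP on"; done = 1 }
            next
        }
        { print }
        END { if (!done) print "NSSOCSP on" }
    ' "$conf" > "$tmp" && mv "$tmp" "$conf"
}

# Report the effective NSSOCSP value ("on" or "off"); the last directive
# wins, and a missing directive means off. Comment lines never match.
nssocsp_state() {
    awk 'tolower($1) == "nssocsp" { v = tolower($2) }
         END { print (v == "" ? "off" : v) }' "$1"
}

# Example usage on a real server (not run when this file is sourced):
#   trust_server_cert_as_peer && set_nssocsp_on "$NSS_CONF" && nssocsp_state "$NSS_CONF"
```

Source the file and call the functions in that order; check `nssocsp_state` on a copy of nss.conf before installing the change and restarting httpd.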