On Thu, Mar 26, 2020 at 08:16:31AM -0000, Hristina Marosevic wrote:
> > On Wed, Mar 25, 2020 at 10:49:55AM -0000, Hristina Marosevic wrote:
> > 
> > Hi,
> > 
> > glad to hear it is working now. Thanks for your patience.
> > 
> > bye,
> > Sumit
> 
> 
> Hello,
> 
> As I was planning, I tried to log in with an expired certificate and the 
> authentication failed with error: 
> write(2, "(Wed Mar 25 16:28:59 2020) [[sssd[p11_child[10489]]]] 
> [do_verification] (0x0040): Certificate [(null)][CN=test_sssd,.....] not 
> valid [-8181][Peer's Certificate has expired.].\n", 194) = 194
> I also, in some way, tested authentication using a certificate signed by 
> untrusted authorities, i.e. when the root and intermediate CA certificates 
> were not imported correctly I got the error: " Certificate not valid. 
> .....Peer's Certificate is not recognized"
> This seems to be working properly. 
> 
> The last scenario which I would like to test is CRL status, but if possible 
> using an offline CRL list instead of an OCSP responder. 
> I guess certificate_verification=no_ocsp stays in the sssd section of the 
> sssd configuration, but what else should I do to make sssd check the 
> revocation status of a user certificate using an offline CRL list, stored 
> somewhere on the machine? 
> This is like that because our lab environment is not connected to the internet, 
> and I cannot use the OCSP URL given in the user's certificate. Is this 
> workaround possible?

Hi,

please use crlutil to import a CRL into the NSS database, see man
crlutil for details.

HTH

bye,
Sumit

> 
> BR,
> Hristina
>  
> _______________________________________________
> sssd-users mailing list -- sssd-users@lists.fedorahosted.org
> To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
> Fedora Code of Conduct: 
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: 
> https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org