Pavel Vomacka wrote:
>
>
> On 04/11/2017 03:24 PM, Rob Crittenden wrote:
>> Pavel Vomacka wrote:
>>> Hello,
>>>
>>> With the recent addition of certificate mapping and certificate login
>>> support into WebUI, we also need to handle revoking of certificates
>>> which are used for login. There is a ticket which requests this
>>> functionality: https://pagure.io/freeipa/issue/6370
>>>
>>> We (me, David and Jan) are thinking about how to achieve this and the
>>> way we found is the following: We mark the server cert in the HTTP NSS DB
>>> as trusted peer ('P,,') to avoid the chicken and egg problem when we will
>>> need to contact the OCSP responder while httpd is starting. And then set
>>> the NSSOCSP On directive in /etc/httpd/conf.d/nss.conf. The known downside
>>> of OCSP is that when the OCSP responder is not reachable, then the
>>> certificate cannot be checked and login is not allowed. Should we
>>> document it, or is that acceptable behavior? Is it OK to just fail?
>>>
>>> Another thing is checking the CRL. The main issue here is that we don't
>>> have a mechanism which would fetch the CRL periodically from the source
>>> and therefore the CRL would have to be updated manually. Therefore I would
>>> go only with OCSP now.
>> mod_revocator does exactly what you are looking for.
>>
>> rob
> Thank you for mentioning mod_revocator.
> Is there any other documentation than this one:
> https://pagure.io/mod_revocator ?
> I found several more pages but they were not available.
>
No, that's pretty much it. Let me know if you have any questions.

rob

--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
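The two configuration steps Pavel describes above (trusted-peer flag on the server cert, NSSOCSP in nss.conf), as an added shell example that is not part of the thread or of FreeIPA's own code; the NSS DB path /etc/httpd/alias and the nickname Server-Cert are assumptions, and the flag check reads `certutil -L` output from stdin so it can be verified against constructed output without an NSS DB.

```shell
#!/bin/sh
# Added example, not from the thread: applies the two changes Pavel describes
# for mod_nss OCSP checking. Assumed (not stated in the thread): the HTTP NSS
# DB is /etc/httpd/alias and the server cert nickname is Server-Cert.
NSSDB="${NSSDB:-/etc/httpd/alias}"
NICK="${NICK:-Server-Cert}"
NSSCONF="${NSSCONF:-/etc/httpd/conf.d/nss.conf}"
# Step 1: flag the server cert as a trusted peer ('P,,') so httpd can start
# without contacting the OCSP responder to validate its own certificate.
trust_server_cert_as_peer() {
    certutil -M -n "$NICK" -t "P,," -d "$NSSDB"
}

# Check `certutil -L -d $NSSDB` output (read from stdin) for the 'P' flag in
# the SSL trust field of the given nickname: exit 0 if present, 1 otherwise.
server_cert_is_trusted_peer() {
    awk -v nick="$1" '
        NF >= 2 {
            flags = $NF; name = $0
            sub(/[[:space:]]+[^[:space:]]+$/, "", name)  # drop trust column
            if (name == nick) {
                found = 1
                split(flags, f, ",")                       # SSL,S/MIME,JAR/XPI
                if (f[1] ~ /P/) ok = 1
            }
        }
        END { exit ((found && ok) ? 0 : 1) }'
}
# Step 2: set "NSSOCSP on" in nss.conf, replacing an existing NSSOCSP line or
# appending one if none exists. Safe to run more than once.
enable_nssocsp() {
    conf="$1"
    if grep -qE '^[[:space:]]*NSSOCSP[[:space:]]' "$conf"; then
        tmp="$conf.tmp.$$"
        sed -E 's/^([[:space:]]*)NSSOCSP[[:space:]]+.*/\1NSSOCSP on/' "$conf" > "$tmp" \
            && mv "$tmp" "$conf"
    else
        printf 'NSSOCSP on\n' >> "$conf"
    fi
}

# With NSSOCSP on, an unreachable responder means client certs cannot be
# checked and certificate login fails, as noted in the thread.
if [ "${1:-}" = "apply" ]; then
    trust_server_cert_as_peer
    enable_nssocsp "$NSSCONF"
    echo "Restart httpd for NSSOCSP on to take effect."
fi
```

Run with `apply` on the IPA server (as root) to make both changes; without arguments the script only defines the functions.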