Re: Checking client certificates against CRLs
On Wed, 9 Apr 2014 09:38:29 -0400 David Arroyo <droyo@aqwari.net> wrote
> This question may be better asked in the NSS mailing list. Feel
> free to let me know if that is the case.
>
> I'm building a service based around OpenLDAP and SASL EXTERNAL
> authentication using client certificates. One of the requirements is
> that we have the ability to revoke client certificates. I've
> found that the only way to revoke a client certificate using an
> NSS-linked OpenLDAP (RHEL's default 2.4.23) is to:
>
> - Revoke the certificate
> - Import the CRL into the db referenced by
> olcTLSCACertificatePath
> - Restart slapd
>
> Is there a way to update the CRL without restarting slapd? And
> is there any way to make slapd request the URL referenced in the
> client cert's nsCaRevocationUrl attribute? If the answer to this
> is "use OpenSSL", that's a fine answer.
I'm also interested in CRL checking without having to reload a server
configuration. I'm using a custom OpenLDAP build linked against OpenSSL though.
Ciao, Michael.