
Re: Checking client certificates against CRLs

On Wed, 9 Apr 2014 09:38:29 -0400 David Arroyo <droyo@aqwari.net> wrote:
> This question may be better asked in the NSS mailing list. Feel
> free to let me know if that is the case.
> 
> I'm building a service based around OpenLDAP and SASL EXTERNAL
> authentication using client certificates. One of the requirements is
> that we have the ability to revoke client certificates. I've
> found that the only way to revoke a client certificate using an
> NSS-linked OpenLDAP (RHEL's default 2.4.23) is to:
> 
>     - Revoke the certificate
>     - Import the CRL into the db referenced by
>       olcTLSCACertificatePath
>     - Restart slapd
> 
> Is there a way to update the CRL without restarting slapd?  And
> is there any way to make slapd request the URL referenced in the
> client cert's nsCaRevocationUrl attribute? If the answer to this
> is "use OpenSSL", that's a fine answer.

I'm also interested in CRL checking without having to reload a server
configuration. I'm using a custom OpenLDAP build linked against OpenSSL though.

Ciao, Michael.
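The thread's open question is how a running server picks up a new CRL; the part that can be shown end to end is what CRL checking itself looks like with an OpenSSL-based verifier, which David says is an acceptable answer. The script below is an added example and is not code from the thread or from the OpenLDAP project. It builds a throwaway CA with the openssl command line, issues one client certificate through `openssl ca` so the CA database knows its serial, publishes one CRL before and one after revoking it, and then verifies the certificate against each CRL with `openssl verify -crl_check`. All names and paths (the `Demo CA`, `alice`, the temporary working directory) are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the list thread: a throwaway CA built with the
# openssl CLI, one client certificate, and a verification helper that applies
# a CRL the way an OpenSSL-based verifier (such as slapd linked against
# OpenSSL) would. All paths and names below are constructed for the demo.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CNF="$WORK/ca.cnf"

# Minimal "openssl ca" database: empty index, a starting serial, output dir.
mkdir -p "$WORK/newcerts"
: > "$WORK/index.txt"
echo 1000 > "$WORK/serial"

cat > "$CNF" <<EOF
[ ca ]
default_ca       = demo_ca

[ demo_ca ]
dir              = $WORK
database         = $WORK/index.txt
new_certs_dir    = $WORK/newcerts
serial           = $WORK/serial
certificate      = $WORK/ca.crt
private_key      = $WORK/ca.key
default_md       = sha256
default_days     = 30
default_crl_days = 30
policy           = policy_any

[ policy_any ]
commonName       = supplied

[ req ]
distinguished_name = req_dn
x509_extensions    = v3_ca

[ req_dn ]
commonName       = Common Name

[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage         = critical,keyCertSign,cRLSign
EOF

# Self-signed CA, then a client certificate issued through "openssl ca" so the
# CA database records it (that record is what -revoke and -gencrl operate on).
openssl req -new -x509 -config "$CNF" -newkey rsa:2048 -nodes -days 30 \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" -subj "/CN=Demo CA" 2>/dev/null
openssl req -new -config "$CNF" -newkey rsa:2048 -nodes \
    -keyout "$WORK/client.key" -out "$WORK/client.csr" -subj "/CN=alice" 2>/dev/null
openssl ca -config "$CNF" -batch -notext \
    -in "$WORK/client.csr" -out "$WORK/client.crt" 2>/dev/null

# CRL issued before any revocation: it lists no serials.
openssl ca -config "$CNF" -gencrl -out "$WORK/crl-empty.pem" 2>/dev/null

# Revoke the client certificate and publish a CRL that lists its serial.
openssl ca -config "$CNF" -revoke "$WORK/client.crt" 2>/dev/null
openssl ca -config "$CNF" -gencrl -out "$WORK/crl-revoked.pem" 2>/dev/null

# crl_verdict CERT CRL
# Prints "valid", "revoked", or "error: ...". The CRL is concatenated with the
# CA certificate because "openssl verify -crl_check" looks for CRLs in the
# same trust store it loads CAs from; with no CRL available at all, -crl_check
# fails closed ("unable to get certificate CRL") instead of accepting the cert.
crl_verdict() {
    cert=$1
    crl=$2
    cat "$WORK/ca.crt" "$crl" > "$WORK/bundle.pem"
    if out=$(openssl verify -crl_check -CAfile "$WORK/bundle.pem" "$cert" 2>&1); then
        echo valid
    elif printf '%s\n' "$out" | grep -q 'certificate revoked'; then
        echo revoked
    else
        echo "error: $out"
    fi
}

echo "before revocation: $(crl_verdict "$WORK/client.crt" "$WORK/crl-empty.pem")"
echo "after revocation:  $(crl_verdict "$WORK/client.crt" "$WORK/crl-revoked.pem")"
```

Two things the run makes visible: a CRL is only consulted if the verifier can find one issued by the certificate's CA, so "no CRL loaded" and "CRL loaded but stale" are distinct failure modes to monitor; and the CRL lives in the same trust material the TLS layer loads, which for an OpenSSL-linked slapd is the CA file or hashed directory its TLS configuration points at, with CRL checking enabled through the `TLSCRLCheck` setting described in slapd.conf(5). Whether the server re-reads that material without a restart is exactly what the thread is asking, and this example does not settle it.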