
Checking client certificates against CRLs



This question may be better asked in the NSS mailing list. Feel
free to let me know if that is the case.

I'm building a service based around OpenLDAP and SASL EXTERNAL
authentication using client certificates. One of the requirements is
that we have the ability to revoke client certificates. I've
found that the only way to revoke a client certificate using an
NSS-linked OpenLDAP (RHEL's default 2.4.23) is to:

	- Revoke the certificate
	- Import the CRL into the db referenced by olcTLSCACertificatePath
	- Restart slapd

Is there a way to update the CRL without restarting slapd?  And
is there any way to make slapd request the URL referenced in the
client cert's nsCaRevocationUrl attribute? If the answer to this
is "use OpenSSL", that's a fine answer.

Regards,
David
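An added example, not code from this thread or from OpenLDAP/NSS: a minimal pure-Python DER walker that pulls the nextUpdate field and the revoked serial numbers out of an X.509 CRL, so a client certificate's serial can be checked against a freshly fetched CRL (for instance the one named by nsCaRevocationUrl) independently of what slapd has loaded. The CRL bytes are constructed inline and its signature is a placeholder that is not verified, so this is a lookup helper, not a substitute for signature and issuer validation.

```python
# Added example: extract nextUpdate and revoked serials from a DER CRL.
# The sample CRL is constructed below; its signature is a placeholder.

def _tlv(buf, pos):
    """Decode one DER TLV at buf[pos]; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def _children(value):
    """Split a constructed DER value into its (tag, value) members."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = _tlv(value, pos)
        out.append((tag, val))
    return out

def parse_crl(crl_der):
    """Return (next_update, revoked_serials) from a DER CertificateList."""
    fields = _children(_children(_tlv(crl_der, 0)[1])[0][1])  # tbsCertList members
    i = 1 if fields[0][0] == 0x02 else 0                       # optional version INTEGER
    i += 3                                                     # skip signature, issuer, thisUpdate
    next_update = None
    if i < len(fields) and fields[i][0] in (0x17, 0x18):       # UTCTime / GeneralizedTime
        next_update = fields[i][1].decode("ascii")
        i += 1
    serials = set()
    if i < len(fields) and fields[i][0] == 0x30:               # revokedCertificates SEQUENCE
        for _, entry in _children(fields[i][1]):
            serials.add(int.from_bytes(_children(entry)[0][1], "big", signed=True))
    return next_update, serials

def is_revoked(serial, crl_der):
    """True if the certificate serial number appears on the CRL."""
    return serial in parse_crl(crl_der)[1]

def _der(tag, payload):
    """Tiny DER encoder used only to build the constructed sample CRL."""
    n = len(payload)
    hdr = bytes([n]) if n < 128 else bytes([0x81, n]) if n < 256 else bytes([0x82, n >> 8, n & 0xFF])
    return bytes([tag]) + hdr + payload

_SHA256_RSA = _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d01010b")) + _der(0x05, b""))
_TBS = (_der(0x02, b"\x01") + _SHA256_RSA                      # v2, signature algorithm
        + _der(0x30, _der(0x31, _der(0x30, _der(0x06, b"\x55\x04\x03") + _der(0x13, b"Example CA"))))
        + _der(0x17, b"240101000000Z") + _der(0x17, b"240201000000Z")   # thisUpdate, nextUpdate
        + _der(0x30, _der(0x30, _der(0x02, b"\x10\x01") + _der(0x17, b"240115120000Z"))
                   + _der(0x30, _der(0x02, b"\x2a") + _der(0x17, b"240120080000Z"))))
SAMPLE_CRL = _der(0x30, _der(0x30, _TBS) + _SHA256_RSA + _der(0x03, b"\x00" + b"\xaa" * 8))
```

A CRL whose nextUpdate is already in the past should be treated as stale and refetched rather than trusted, which is the same freshness problem the restart step above works around.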