certificate revocation check for PKINIT in KDC
Jim Shi
hanmao_shi at apple.com
Thu Aug 10 11:16:50 EDT 2017
Greg:
I thought OCSP was supported. Good to know it is not.
Thorsten:
Thanks for the info.
Jim
> On Aug 10, 2017, at 3:53 AM, tseegerkrb <tseegerkrb at gmail.com> wrote:
>
> On 10.08.2017 06:55, Greg Hudson wrote:
>> On 08/08/2017 02:11 PM, Jim Shi wrote:
>>> Is there any document how to configure certificate revocation check for PKINIT in KDC?
>> I believe the only documentation we have for this is in the man page for
>> kdc.conf, which says:
>>
>> pkinit_revoke
>> Specifies the location of Certificate Revocation List (CRL)
>> information to be used by the KDC when verifying the validity of
>> client certificates. This option may be specified multiple times.
>>
>> The CRL file(s) have to be maintained out of band (we do not have OCSP
>> support; you might see documentation for a pkinit_kdc_ocsp variable but
>> it isn't implemented). If I read the code correctly, CRL files are only
>> read on KDC startup, so the KDC must be restarted to update revoked
>> certs. CRL files are expected to be in PEM format.
>> ________________________________________________
>> Kerberos mailing list Kerberos at mit.edu
>> https://mailman.mit.edu/mailman/listinfo/kerberos
>
> Hello,
> If you set this up, a little warning: at least on Debian and Ubuntu the
> option "pkinit_require_crl_checking = true" does not work as expected.
> If it is set to true you get the message that the certificate status is unknown (or something similar).
> So if you cannot authenticate with the certs, try setting 'pkinit_require_crl_checking' to false.
> This will deny revoked certificates too.
>
> ...
> pkinit_revoke = FILE:/etc/krb5kdc/TNTNET_LOCAL_PKINIT_CA.crl
> #pkinit_revoke = /etc/krb5kdc/
> # If pkinit_require_crl_checking is set to 'true'
> # login always fails
> pkinit_require_crl_checking = false
> }
>
> For testing and playing around I made a bash script to install a multimaster Kerberos server with an OpenLDAP backend.
> The script sets up PKINIT too. If you want to take a look you can find it here: https://wp.tntnet.eu/?p=112
>
> Regards
> Thorsten
>
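The CRL handling Greg describes above (PEM input, a list of revoked serials, and the staleness window that a read-once-at-startup design opens) as an added Python example; it is not part of this thread and not MIT krb5 code. It uses only the standard library: it constructs an unsigned test CRL in DER, wraps it in the PEM form the KDC expects, parses it back with a minimal DER reader, and classifies a client certificate serial as revoked, ok, or stale (nextUpdate already passed). The names build_test_crl, load_crl and check_client_cert, the issuer name, serials and dates are all this example's own; a real verifier also checks the CRL signature against the CA, which this example deliberately skips.

```python
import base64
import datetime as dt

# --- minimal DER helpers, enough for a CRL's CertificateList ---

def der(tag: int, body: bytes) -> bytes:
    """Encode one DER TLV with a definite (short or long form) length."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body

def der_int(v: int) -> bytes:
    """DER INTEGER; the extra byte keeps the sign bit clear for values like 0x80."""
    return der(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big"))

def der_utctime(t: dt.datetime) -> bytes:
    return der(0x17, t.strftime("%y%m%d%H%M%SZ").encode())

def parse_tlv(buf: bytes, pos: int):
    """Return (tag, body, next_pos) for the TLV starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length

def parse_seq(body: bytes):
    """Split a SEQUENCE/SET body into its child (tag, body) pairs."""
    out, pos = [], 0
    while pos < len(body):
        tag, child, pos = parse_tlv(body, pos)
        out.append((tag, child))
    return out

def parse_time(tlv) -> dt.datetime:
    tag, body = tlv  # 0x17 UTCTime (two-digit year) or 0x18 GeneralizedTime
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return dt.datetime.strptime(body.decode(), fmt).replace(tzinfo=dt.timezone.utc)

# --- constructed test input (hypothetical CA, placeholder signature) ---

def build_test_crl(revoked_serials, this_update, next_update) -> str:
    """Build a structurally valid v2 CRL as PEM. The signature is a zero-filled
    placeholder: this is constructed test data, not a CRL from any real CA."""
    sha256_rsa = der(0x30, der(0x06, bytes.fromhex("2a864886f70d01010b")) + der(0x05, b""))
    issuer = der(0x30, der(0x31, der(0x30, der(0x06, bytes.fromhex("550403"))
                                           + der(0x0c, b"Test PKINIT CA"))))
    entries = b"".join(der(0x30, der_int(s) + der_utctime(this_update)) for s in revoked_serials)
    tbs = der(0x30, der_int(1) + sha256_rsa + issuer
              + der_utctime(this_update) + der_utctime(next_update)
              + (der(0x30, entries) if entries else b""))
    crl = der(0x30, tbs + sha256_rsa + der(0x03, b"\x00" * 33))
    b64 = base64.b64encode(crl).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN X509 CRL-----\n" + "\n".join(lines) + "\n-----END X509 CRL-----\n"

# --- the checks a CRL-consuming verifier needs ---

def load_crl(pem_text: str):
    """Parse a PEM CRL into (thisUpdate, nextUpdate-or-None, set of revoked serials).
    Rejects non-PEM input, mirroring the KDC's expectation of PEM CRL files."""
    begin, end = "-----BEGIN X509 CRL-----", "-----END X509 CRL-----"
    if begin not in pem_text or end not in pem_text:
        raise ValueError("CRL is not PEM-encoded")
    raw = base64.b64decode("".join(pem_text.split(begin)[1].split(end)[0].split()))
    _, cert_list, _ = parse_tlv(raw, 0)
    fields = parse_seq(parse_seq(cert_list)[0][1])   # TBSCertList children
    if fields[0][0] == 0x02:                          # optional version field
        fields = fields[1:]
    rest = fields[2:]                                 # after signature, issuer
    times = [parse_time(t) for t in rest if t[0] in (0x17, 0x18)]
    this_update, next_update = times[0], (times[1] if len(times) > 1 else None)
    revoked = set()
    for tag, body in rest:
        if tag == 0x30:                               # revokedCertificates
            for _, entry in parse_seq(body):
                revoked.add(int.from_bytes(parse_seq(entry)[0][1], "big"))
    return this_update, next_update, revoked

def check_client_cert(pem_text: str, serial: int, now: dt.datetime, strict: bool = True) -> str:
    """Classify a client certificate serial against the CRL: 'revoked', 'ok' or
    'stale'. A CRL past its nextUpdate says nothing about certificates revoked
    since it was issued; with strict=True that counts as undeterminable status,
    with strict=False the (possibly outdated) list is still applied."""
    _, next_update, revoked = load_crl(pem_text)
    if serial in revoked:
        return "revoked"
    if strict and next_update is not None and now > next_update:
        return "stale"
    return "ok"

if __name__ == "__main__":
    issued = dt.datetime(2017, 8, 1, tzinfo=dt.timezone.utc)
    pem = build_test_crl([0x1001, 0x1002], issued, issued + dt.timedelta(days=30))
    print(check_client_cert(pem, 0x1001, issued + dt.timedelta(days=1)))    # revoked
    print(check_client_cert(pem, 0x2000, issued + dt.timedelta(days=1)))    # ok
    print(check_client_cert(pem, 0x2000, issued + dt.timedelta(days=60)))   # stale
```

The "stale" outcome is the case the thread is really about: if the KDC loads the file only at startup, the on-disk CRL can be refreshed while the running KDC still holds the old list, so whatever rotates the CRL also has to restart the KDC, and the nextUpdate field is a cheap way to alert on a CRL that is no longer saying anything useful.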