certificate revocation check for PKINIT in KDC

Jim Shi hanmao_shi at apple.com
Thu Aug 10 11:16:50 EDT 2017


Greg:
I thought OCSP was supported.  Good to know it is not.

Thorsten:

Thanks for the info.


Jim





> On Aug 10, 2017, at 3:53 AM, tseegerkrb <tseegerkrb at gmail.com> wrote:
> 
> On 10.08.2017 06:55, Greg Hudson wrote:
>> On 08/08/2017 02:11 PM, Jim Shi wrote:
>>> Is there any document how to configure certificate revocation check for PKINIT in KDC?
>> I believe the only documentation we have for this is in the man page for
>> kdc.conf, which says:
>> 
>> pkinit_revoke
>>  Specifies the location of Certificate Revocation List (CRL)
>>  information to be used by the KDC when verifying the validity of
>>  client certificates. This option may be specified multiple times.
>> 
>> The CRL file(s) have to be maintained out of band (we do not have OCSP
>> support; you might see documentation for a pkinit_kdc_ocsp variable but
>> it isn't implemented).  If I read the code correctly, CRL files are only
>> read on KDC startup, so the KDC must be restarted to update revoked
>> certs.  CRL files are expected to be in PEM format.
>> ________________________________________________
>> Kerberos mailing list           Kerberos at mit.edu
>> https://mailman.mit.edu/mailman/listinfo/kerberos
> 
> Hello,
> if you set this up, a little warning: at least on Debian and Ubuntu, the
> option "pkinit_require_crl_checking = true" does not work as expected.
> If it is set to true, you get the message that the certificate status is unknown (or something similar).
> So if you cannot authenticate with the certs, try setting 'pkinit_require_crl_checking' to false.
> This will deny revoked certificates too.
> 
> ...
>  pkinit_revoke = FILE:/etc/krb5kdc/TNTNET_LOCAL_PKINIT_CA.crl
>  #pkinit_revoke = /etc/krb5kdc/
>  # If pkinit_require_crl_checking is set to 'true'
>  # login always fails
>  pkinit_require_crl_checking = false
> }
> 
> For testing and playing around I made a bash script to install a multi-master Kerberos server with an OpenLDAP backend.
> The script sets up PKINIT too. If you want to take a look, you can find it here: https://wp.tntnet.eu/?p=112
> 
> Regards
> Thorsten
> 
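Greg's points above (CRLs must be PEM, are maintained out of band, and are only read when the KDC starts) suggest a freshness check on the file named in pkinit_revoke. The following is an added example, not code from this thread or from MIT krb5: a dependency-free Python parser that reads a PEM CRL, lists the serials it revokes and flags it as stale once nextUpdate has passed, so a restart can be scheduled. It does not verify the CRL signature, and the CRL it runs on is a constructed sample with a placeholder issuer name and a zeroed signature.

```python
import base64, datetime, re

def der_tlv(buf, pos=0):
    """Read one DER TLV (definite lengths only); returns (tag, value, next_pos)."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                                   # long-form length
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

def der_children(body):
    pos = 0
    while pos < len(body):
        tag, val, pos = der_tlv(body, pos)
        yield tag, val

def parse_crl_pem(pem):
    """Return (thisUpdate, nextUpdate, [revoked serials]) from a PEM X.509 CRL (signature NOT verified)."""
    m = re.search(r"-----BEGIN X509 CRL-----(.*?)-----END X509 CRL-----", pem, re.S)
    if not m: raise ValueError("not a PEM CRL: the KDC expects PEM, not DER")
    _, tbs, _ = der_tlv(der_tlv(base64.b64decode(m.group(1)))[1])  # CertificateList -> tbsCertList
    times, revoked = [], []
    for tag, val in der_children(tbs):
        if tag in (0x17, 0x18):                     # UTCTime / GeneralizedTime: thisUpdate, then nextUpdate
            fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
            times.append(datetime.datetime.strptime(val.decode(), fmt).replace(tzinfo=datetime.timezone.utc))
        elif tag == 0x30 and times:                 # first SEQUENCE after the times is revokedCertificates
            for _, entry in der_children(val):      # entry: userCertificate INTEGER, revocationDate, ...
                revoked.append(int.from_bytes(next(der_children(entry))[1], "big", signed=True))
    return times[0], (times[1] if len(times) > 1 else None), revoked

def crl_status(pem, now_iso):
    """Flag a CRL whose nextUpdate has passed: the KDC only re-reads it on restart."""
    _, next_update, revoked = parse_crl_pem(pem)
    now = datetime.datetime.fromisoformat(now_iso)
    stale = next_update is None or now > next_update   # no nextUpdate: freshness unknown, treat as stale
    return {"stale": stale, "revoked": revoked, "next_update": next_update.isoformat() if next_update else None}

# Constructed sample CRL (placeholder issuer, zeroed signature) so the check runs offline.
def der(tag, body):
    n = len(body)
    ln = bytes([n]) if n < 128 else bytes([0x81, n]) if n < 256 else bytes([0x82]) + n.to_bytes(2, "big")
    return bytes([tag]) + ln + body

def build_sample_crl(this_update, next_update, serials):
    utc = lambda s: der(0x17, s.encode())           # UTCTime "YYMMDDHHMMSSZ"
    alg = der(0x30, der(0x06, bytes.fromhex("2a864886f70d01010b")) + der(0x05, b""))  # sha256WithRSA
    issuer = der(0x30, der(0x31, der(0x30, der(0x06, bytes.fromhex("550403")) + der(0x0C, b"Sample PKINIT CA"))))
    entries = b"".join(der(0x30, der(0x02, s.to_bytes(s.bit_length() // 8 + 1, "big")) + utc(this_update)) for s in serials)
    tbs = der(0x30, der(0x02, b"\x01") + alg + issuer + utc(this_update) + utc(next_update) + der(0x30, entries))
    crl = der(0x30, tbs + alg + der(0x03, b"\x00" * 33))    # BIT STRING, 0 unused bits, dummy signature
    return "-----BEGIN X509 CRL-----\n" + base64.encodebytes(crl).decode() + "-----END X509 CRL-----\n"

SAMPLE_CRL_PEM = build_sample_crl("170801000000Z", "170808000000Z", [4096, 255])
```

Against a real deployment, read the file named in pkinit_revoke (for example /etc/krb5kdc/TNTNET_LOCAL_PKINIT_CA.crl from Thorsten's configuration) and pass its text to crl_status.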
