[Mod_nss-list] Problem configuring Client certificate Authentication

Luis Neves luisneves at hotmail.com
Mon Sep 13 14:32:41 UTC 2010


Thanks Rob, OCSP and mod_revocator are now working fine in my tests!
Great to see the mod_nss code base is more bug-free and has more features than the current mod_ssl implementation.

Luis

> Date: Tue, 7 Sep 2010 15:20:31 -0400
> From: rcritten at redhat.com
> To: luisneves at hotmail.com
> CC: ttormo at indenova.com; mod_nss-list at redhat.com
> Subject: Re: [Mod_nss-list] Problem configuring Client certificate Authentication
> 
> Luis Neves wrote:
> > Thanks!
> >
> > I'm testing in Fedora 11. Great to know the variables work, maybe I've used
> > them in the wrong place. I will test it again only in about 2 weeks as
> > I'm going on holidays :)
> >
> > Just another tricky question, how will you check that your users'
> > certificates didn't get revoked? (became invalid) Will you be using
> > certificates issued by an external Certification Authority (CA)?
> 
> There are two ways: OCSP or a CRL. Or three ways I suppose, you can use 
> both.
> 
> OCSP is an online lookup of the certificate validity. If the client has 
> an OCSP provider encoded in it then that can be used and you can define 
> a default OCSP provider in the mod_nss configuration (1.0.6+ IIRC).
> 
> A CRL must be loaded into the mod_nss certificate database (default is 
> in /etc/httpd/alias). Apache needs to be restarted for the CRL to be 
> seen. The NSS utility crlutil can be used to update a CRL.
> 
> If you have both enabled and loaded then NSS will first look in the CRL 
> to see if the certificate is revoked. If not it checks OCSP. This saves 
> a round-trip.
> 
> An alternative to loading a CRL and restarting Apache is to use another 
> module, mod_revocator. In this you can define a list of URLs where CRLs 
> can be found and they are automatically fetched and made available to 
> NSS without requiring a restart.
> 
> rob
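The OCSP and CRL set-up Rob describes, collected into an added mod_nss configuration example (not from the original thread or the mod_nss project); the responder URL, the responder certificate nickname and the CRL file path are assumptions:

```apache
# /etc/httpd/conf.d/nss.conf (excerpt) - client certificate authentication
# with revocation checking. Values marked "assumed" are placeholders.
<VirtualHost _default_:8443>
    NSSEngine on
    # Certificate database that also holds the imported CRL (mod_nss default).
    NSSCertificateDatabase /etc/httpd/alias

    # Require a client certificate chaining to a CA trusted in the database.
    NSSVerifyClient require

    # OCSP: honour the responder URL encoded in the client certificate ...
    NSSOCSP on
    # ... and fall back to a default responder (mod_nss 1.0.6+) when the
    # certificate carries none. URL and nickname are assumed values; the
    # nickname must match the responder's signing certificate in the NSS db.
    NSSOCSPDefaultResponder on
    NSSOCSPDefaultURL http://ocsp.example.test/ocsp
    NSSOCSPDefaultName "ocsp-responder-cert"
</VirtualHost>

# CRL: import it into the same database with the NSS crlutil tool, then
# restart Apache so mod_nss picks it up. With both a CRL and OCSP enabled,
# NSS consults the CRL first and only falls through to OCSP if the
# certificate is not listed there. Path to the DER CRL is assumed.
#
#   crlutil -I -i /root/ca.crl -d /etc/httpd/alias   # import (or replace)
#   crlutil -L -d /etc/httpd/alias                   # list loaded CRLs
#   apachectl restart
```

Re-importing a newer CRL with `crlutil -I` replaces the old one for the same issuer; a restart is still needed unless CRL delivery is handed to mod_revocator.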