[Mod_nss-list] Problem configuring Client certificate Authentication
Luis Neves
luisneves at hotmail.com
Mon Sep 13 14:32:41 UTC 2010
Thanks Rob, OCSP and mod_revocator are now working fine in my tests!
Great to see the mod_nss code base is more bug-free and has more features than the current mod_ssl implementation.
Luis
> Date: Tue, 7 Sep 2010 15:20:31 -0400
> From: rcritten at redhat.com
> To: luisneves at hotmail.com
> CC: ttormo at indenova.com; mod_nss-list at redhat.com
> Subject: Re: [Mod_nss-list] Problem configuring Client certificate Authentication
>
> Luis Neves wrote:
> > Thanks!
> >
> > I'm testing in Fedora 11. Great to know the variables work; maybe I've used
> > them in the wrong place. I will test it again only in about 2 weeks as
> > I'm going on holiday :)
> >
> > Just another tricky question: how will you check that your users'
> > certificates didn't get revoked (became invalid)? Will you be using
> > certificates issued by an external Certification Authority (CA)?
>
> There are two ways: OCSP or a CRL. Or three ways I suppose, you can use
> both.
>
> OCSP is an online lookup of the certificate validity. If the client has
> an OCSP provider encoded in it then that can be used and you can define
> a default OCSP provider in the mod_nss configuration (1.0.6+ IIRC).
>
> A CRL must be loaded into the mod_nss certificate database (default is
> in /etc/httpd/alias). Apache needs to be restarted for the CRL to be
> seen. The NSS utility crlutil can be used to update a CRL.
>
> If you have both enabled and loaded then NSS will first look in the CRL
> to see if the certificate is revoked. If not it checks OCSP. This saves
> a round-trip.
>
> An alternative to loading a CRL and restarting Apache is to use another
> module, mod_revocator. In this you can define a list of URLs where CRLs
> can be found and they are automatically fetched and made available to
> NSS without requiring a restart.
>
> rob
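The two mechanisms Rob describes can be seen end to end in a small example. The following Python is added here; it is not code from mod_nss, NSS or mod_revocator and not something either poster wrote. It parses the revokedCertificates list out of a DER-encoded CRL (the form that crlutil -I imports into the database under /etc/httpd/alias) and then applies the lookup order from the reply: consult the loaded CRL first, and only go to OCSP when the serial is not listed there, so a CRL hit costs no network round-trip. Everything in it is constructed for the example: the issuer name "Test CA", the serial numbers, the dates, and the OCSP responder, which is an in-memory table rather than a network call. The CRL's signature field is a placeholder and is not verified here; NSS checks a CRL's signature against the issuer certificate before using it. Treating a CRL past its nextUpdate as unusable and falling through to OCSP is this example's own policy, not a statement about NSS's.

```python
"""Added example (not mod_nss/NSS/mod_revocator code): parse the revokedCertificates
list out of a DER CRL, the form crlutil -I imports into the NSS database, and apply
the lookup order the reply describes: consult the local CRL first, query OCSP only
on a miss.  The CRL is constructed inline with a tiny DER encoder; its signature
field is a placeholder and is not verified here (NSS verifies it against the
issuer's certificate).  The OCSP responder is an in-memory table, not a network call."""
import datetime as dt

# --- minimal DER encoder, only what the constructed sample CRL needs ---
def tlv(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")   # long-form length
    return bytes([tag, 0x80 | len(body)]) + body + content
def der_int(n):
    return tlv(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big", signed=True))
def der_seq(*items):
    return tlv(0x30, b"".join(items))
def der_utctime(t):
    return tlv(0x17, t.strftime("%y%m%d%H%M%SZ").encode())
SHA256_WITH_RSA = der_seq(tlv(0x06, bytes.fromhex("2a864886f70d01010b")), tlv(0x05, b""))
def der_name(cn):   # Name ::= SEQUENCE OF SET OF AttributeTypeAndValue, a single CN here
    return der_seq(tlv(0x31, der_seq(tlv(0x06, bytes.fromhex("550403")), tlv(0x0C, cn.encode()))))

NOW = dt.datetime(2010, 9, 13, 12, 0, 0)        # constructed reference time
STALE_TIME = NOW + dt.timedelta(days=30)         # past the sample CRL's nextUpdate

def build_sample_crl(revoked_serials):
    """CertificateList (RFC 5280 s.5.1): v2 tbsCertList, 7-day validity, dummy signature."""
    entries = der_seq(*[der_seq(der_int(s), der_utctime(NOW)) for s in revoked_serials])
    tbs = der_seq(der_int(1), SHA256_WITH_RSA, der_name("Test CA"), der_utctime(NOW),
                  der_utctime(NOW + dt.timedelta(days=7)), entries)
    fake_sig = tlv(0x03, b"\x00" + b"\xAA" * 16)   # BIT STRING placeholder, not a real signature
    return der_seq(tbs, SHA256_WITH_RSA, fake_sig)

SAMPLE_CRL = build_sample_crl([0x1001, 0x2002])    # constructed: two revoked serials

# --- DER reader and CRL parser ---
def _children(content):
    """Split a constructed value's content into its (tag, body) elements."""
    out, pos = [], 0
    while pos < len(content):
        tag, ln, pos = content[pos], content[pos + 1], pos + 2
        if ln & 0x80:                            # long-form length
            n = ln & 0x7F
            ln, pos = int.from_bytes(content[pos:pos + n], "big"), pos + n
        out.append((tag, content[pos:pos + ln]))
        pos += ln
    return out

def _parse_time(tag, body):
    fmt = {0x17: "%y%m%d%H%M%SZ", 0x18: "%Y%m%d%H%M%SZ"}[tag]   # UTCTime / GeneralizedTime
    return dt.datetime.strptime(body.decode(), fmt)

def parse_crl(der):
    """Return issuer CN, validity window and {serial: revocationDate} from a DER CRL."""
    (top_tag, top), = _children(der)
    if top_tag != 0x30:
        raise ValueError("not a DER CertificateList")
    fields = _children(_children(top)[0][1])     # tbsCertList comes first; sig alg and value follow
    i, version = 0, 1
    if fields[0][0] == 0x02:                     # version is OPTIONAL; absent means v1
        version, i = int.from_bytes(fields[0][1], "big") + 1, 1
    i += 1                                       # skip signature AlgorithmIdentifier
    atv = _children(_children(_children(fields[i][1])[0][1])[0][1])   # first RDN's type/value
    issuer_cn, i = atv[1][1].decode(), i + 1
    this_update, i = _parse_time(*fields[i]), i + 1
    next_update = None
    if i < len(fields) and fields[i][0] in (0x17, 0x18):             # nextUpdate is OPTIONAL
        next_update, i = _parse_time(*fields[i]), i + 1
    revoked = {}
    if i < len(fields) and fields[i][0] == 0x30:                     # revokedCertificates is OPTIONAL
        for _, entry in _children(fields[i][1]):
            serial, date = _children(entry)[:2]                      # entry extensions ignored
            revoked[int.from_bytes(serial[1], "big", signed=True)] = _parse_time(*date)
    return {"version": version, "issuer": issuer_cn, "this_update": this_update,
            "next_update": next_update, "revoked": revoked}

# --- lookup order: local CRL first, OCSP only on a miss ---
class OcspResponder:
    """Constructed stand-in for a network OCSP responder; counts round-trips made."""
    def __init__(self, revoked_serials):
        self.revoked = set(revoked_serials)
        self.queries = 0
    def status(self, serial):
        self.queries += 1
        return "revoked" if serial in self.revoked else "good"

def check_status(serial, crl, responder, now):
    """Return (status, source).  A fresh CRL listing the serial answers without touching
    the responder; a miss, or a CRL past its nextUpdate, goes to OCSP (example policy)."""
    if crl is not None:
        fresh = crl["next_update"] is None or now <= crl["next_update"]
        if fresh and serial in crl["revoked"]:
            return "revoked", "crl"
        if fresh and responder is None:
            return "good", "crl"                 # CRL-only deployment, serial not listed
    if responder is None:
        return "unknown", "none"                 # no usable CRL and no OCSP configured
    return responder.status(serial), "ocsp"
```

To feed a real CRL to the parser (or to crlutil), convert a PEM CRL to DER first, e.g. with `openssl crl -in ca.crl.pem -outform DER -out ca.crl`, then import it with `crlutil -I -i ca.crl -d /etc/httpd/alias` and restart httpd as Rob notes (check the crlutil man page for the option set in your NSS version). Running `check_status` for a serial that the CRL lists leaves the responder's query counter at zero, which is the round-trip the reply says the CRL-first order saves.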