#3542 Enable certificate validation using OCSP or CRLs
Closed: wontfix 5 years ago Opened 10 years ago by rcritten.

The IPA services currently are not configured to do either OCSP or CRL validation.

If we are using our own CA then we know in advance that an OCSP responder will be available. We should be able to configure mod_nss and/or 389-ds-base to validate certificates using OCSP. I know that mod_nss supports this; I am less sure about 389-ds-base, and an RFE may be required.

If we are not using our own CA then the provided certificates will need to be examined. I think that OCSP should be used in favor of CRLs when possible. If the provided certificate includes an OCSP responder we should configure that. Otherwise we should download the CRL at install time and install it into the 389-ds-base and mod_nss NSS databases.

There is an Apache module, mod_revocator, that can keep a CRL up-to-date by periodically downloading it. At the heart of this is a PKCS#11 module that does the majority of the work. It may be possible to leverage this for use within 389-ds-base as well but this usage is untested by upstream.
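The selection logic the ticket describes (use the OCSP responder advertised in the certificate when there is one, otherwise fall back to the certificate's CRL distribution point) as an added worked example; this is not code from the ticket or from FreeIPA. It reads the two relevant X.509 extensions straight from DER so it needs no TLS library, and the extensions it inspects are constructed inline with a small encoder rather than taken from a real certificate. All URLs are placeholders.

```python
"""Added example: pick a revocation-checking source for a server certificate.
Preference order as in the ticket: OCSP responder from the Authority Information
Access (AIA) extension first, CRL Distribution Points (CDP) URI second.
Sample extensions are constructed below; they are not from a real certificate."""

AIA_OID = "1.3.6.1.5.5.7.1.1"             # id-pe-authorityInfoAccess
CDP_OID = "2.5.29.31"                     # id-ce-cRLDistributionPoints
OCSP_METHOD = "1.3.6.1.5.5.7.48.1"        # id-ad-ocsp
CA_ISSUERS_METHOD = "1.3.6.1.5.5.7.48.2"  # id-ad-caIssuers: AIA entry, but not a revocation source
TAG_URI = 0x86  # GeneralName uniformResourceIdentifier: [6] IMPLICIT IA5String


def parse_tlv(buf, pos=0):
    """Return (tag, body, position after the TLV); handles short and long-form lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def children(body):
    """Yield (tag, body) for each TLV directly inside a constructed body."""
    pos = 0
    while pos < len(body):
        tag, value, pos = parse_tlv(body, pos)
        yield tag, value


def decode_oid(body):
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def find_uris(body):
    """Collect URI GeneralNames anywhere under a body, descending into constructed TLVs
    (SEQUENCEs and the [0] wrappers of DistributionPoint / DistributionPointName)."""
    uris = []
    for tag, value in children(body):
        if tag == TAG_URI:
            uris.append(value.decode("ascii"))
        elif tag & 0x20:
            uris.extend(find_uris(value))
    return uris


def revocation_sources(extensions_der):
    """Extract OCSP responder and CRL URIs from a DER-encoded X.509 Extensions SEQUENCE."""
    sources = {"ocsp": [], "crl": []}
    for _tag, ext in children(parse_tlv(extensions_der)[1]):
        fields = list(children(ext))            # extnID, optional critical BOOLEAN, extnValue
        oid, value = decode_oid(fields[0][1]), fields[-1][1]   # extnValue content is DER
        if oid == AIA_OID:
            for _t, access in children(parse_tlv(value)[1]):
                method, location = list(children(access))
                if decode_oid(method[1]) == OCSP_METHOD and location[0] == TAG_URI:
                    sources["ocsp"].append(location[1].decode("ascii"))
        elif oid == CDP_OID:
            sources["crl"].extend(find_uris(parse_tlv(value)[1]))
    return sources


def choose_strategy(sources):
    """OCSP when advertised, CRL download otherwise, 'none' when the cert offers neither."""
    if sources["ocsp"]:
        return "ocsp", sources["ocsp"][0]
    if sources["crl"]:
        return "crl", sources["crl"][0]
    return "none", None


# --- constructed sample input: minimal DER encoder for the two extensions -------------
def der(tag, body):
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        size = (n.bit_length() + 7) // 8
        length = bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + length + body


def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk, arc = [arc & 0x7F], arc >> 7
        while arc:
            chunk, arc = chunk + [0x80 | (arc & 0x7F)], arc >> 7
        out += bytes(reversed(chunk))
    return der(0x06, bytes(out))


def seq(*parts):
    return der(0x30, b"".join(parts))


def build_extensions(ocsp_uri=None, crl_uri=None, ca_issuers_uri=None):
    """Constructed Extensions SEQUENCE with AIA and/or CDP (placeholder URLs only)."""
    exts, access = [], []
    if ca_issuers_uri:
        access.append(seq(encode_oid(CA_ISSUERS_METHOD), der(TAG_URI, ca_issuers_uri.encode())))
    if ocsp_uri:
        access.append(seq(encode_oid(OCSP_METHOD), der(TAG_URI, ocsp_uri.encode())))
    if access:
        exts.append(seq(encode_oid(AIA_OID), der(0x04, seq(*access))))
    if crl_uri:  # DistributionPoint { distributionPoint [0] { fullName [0] { GeneralName } } }
        dp = seq(der(0xA0, der(0xA0, der(TAG_URI, crl_uri.encode()))))
        exts.append(seq(encode_oid(CDP_OID), der(0x04, seq(dp))))
    return seq(*exts)


if __name__ == "__main__":
    sample = build_extensions("http://ocsp.ipa.example.test", "http://ipa.example.test/ca.crl",
                              ca_issuers_uri="http://ipa.example.test/ca.crt")
    print(choose_strategy(revocation_sources(sample)))
```

On an IPA server the "ocsp" branch corresponds to enabling OCSP in mod_nss (`NSSOCSP on`), and the "crl" branch to fetching the file at install time and importing it into the mod_nss and 389-ds-base NSS databases with `crlutil -I`; note that a caIssuers entry in AIA is deliberately ignored, since it points at an issuer certificate rather than a revocation source.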


Metadata Update from @rcritten:
- Issue assigned to someone
- Issue set to the milestone: Ticket Backlog

7 years ago

Thank you for taking the time to submit this request for FreeIPA. Unfortunately this bug was not given priority and the team lacks the capacity to work on it at this time.

Given that we are unable to fulfil this request I am closing the issue as wontfix. To request reconsideration of this decision please reopen this issue and provide additional technical details about its importance to you.

Metadata Update from @rcritten:
- Issue close_status updated to: wontfix
- Issue status updated to: Closed (was: Open)

5 years ago
