On 09 Apr 2014, at 17.02, Michael Ströder michael@stroeder.com wrote:
On Wed, 9 Apr 2014 09:38:29 -0400 David Arroyo droyo@aqwari.net wrote
This question may be better asked in the NSS mailing list. Feel free to let me know if that is the case.
I'm building a service based around OpenLDAP and SASL EXTERNAL authentication using client certificates. One of requirements is that we have the ability to revoke client certificates. I've found that the only way to revoke a client certificate using an NSS-linked OpenLDAP (RHEL's default 2.4.23) is to:
- Revoke the certificate
- Import the CRL into the db referenced by olcTLSCACertificatePath
- restart slapd
Is there a way to update the CRL without restarting slapd? And is there any way to make slapd request the URL referenced in the client cert's nsCaRevocationUrl attribute? If the answer to this is "use OpenSSL", that's a fine answer.
I'm also interested in CRL checking without having to reload a server configuration. I'm using a custom OpenLDAP build linked against OpenSSL though.
Ciao, Michael.
I think the answer is to link against OpenSSL because it supports CRL retrieval via HTTP and LDAP, and ultimately more convenient - OCSP. Certs which contain both CRL and OCSP information, a modern client should try OCSP first and then fall back to trying the CRL.
Setting up an OCSP responder is the “modern” way to go. Think about it: if your CRL grows large, your client (in this case slapd) needs to fetch and parse it. OCSP checks are lightweight and happen in real-time. Of course, you should always HUP your OCSP responder when publishing a new CRL.
NSS has a crazy arcane (even more arcane than OpenSSL) set of command line options for managing their certificate databases, and at the end of they day they are BDB - easily corrupted.
-mike