Frank Crow wrote:
Is it possible to configure OpenLDAP to trust all certs for validity but then also check a CRL to see if the certificate may have been revoked (to reject it)?
Sounds crazy to me and I highly doubt it but I'm asking because somebody handing us requirements is convinced that it is possible to not have connectivity to a CA, and validate a user cert for login using only a CRL.
Does that make any sense at all?
Checking a serial number black-list, the certification revocation list (CRL), was the standard revocation mechanism of X.509. And yes, it works off-line which is a big plus compared to OCSP.
Haven't tried myself yet, but in theory you could copy the current CRL file(s) into the directory where also the trusted root CA certs reside. Recent versions of the OpenSSL lib have CRL checking functionality under the hood.
Of course this assumes that your OpenLDAP build is linked to OpenSSL for TLS functionality. YMMV with other crypto libs (GnuTLS or libnss).
Ciao, Michael.