Frank Crow wrote:
Is it possible to configure OpenLDAP to trust all certs for validity, but then also check a CRL to see if the certificate may have been revoked (to reject it)?
Sounds crazy to me and I highly doubt it, but I'm asking because somebody handing us requirements is convinced that it is possible to not have connectivity to a CA and validate a user cert for login using only a CRL.
Does that make any sense at all?
Checking a serial number black-list, the certificate revocation list (CRL), was the standard revocation mechanism of X.509. And yes, it works off-line, which is a big plus compared to OCSP.
Haven't tried myself yet, but in theory you could copy the current CRL file(s) into the directory where the trusted root CA certs also reside. Recent versions of the OpenSSL lib have CRL checking functionality under the hood.
Of course this assumes that your OpenLDAP build is linked to OpenSSL for TLS
functionality. YMMV with other crypto libs (GnuTLS or libnss).
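What the reply describes, as an added example that is not from the thread: a throwaway CA built in a temp directory, two client certs issued, one revoked, and the CRL published next to the root CA in a CApath-style directory so OpenSSL can verify a cert offline against it. It assumes only that the openssl CLI is installed; the CA, certs and the directory layout are constructed here, and the TLS_CACERTDIR mapping is an assumption.

```shell
# Added example (not from the thread): throwaway CA, two client certs, one revoked,
# CRL published beside the root CA in a CApath directory, verified offline.
set -e
WORK=$(mktemp -d); CAPATH="$WORK/cacerts"   # CAPATH: what TLS_CACERTDIR would point at (assumed)
mkdir -p "$CAPATH"; cd "$WORK"; touch index.txt; echo 01 > serial
cat > ca.cnf <<'EOF'
[ ca ]
default_ca = demo
[ demo ]
dir = .
database = $dir/index.txt
new_certs_dir = $dir
serial = $dir/serial
certificate = $dir/ca.crt
private_key = $dir/ca.key
default_md = sha256
default_days = 365
default_crl_days = 30
policy = any
[ any ]
commonName = supplied
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
[ dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
EOF
Q="-config ca.cnf"
openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt -subj /CN=DemoRootCA -days 365 $Q 2>/dev/null
for u in user1 user2; do
  openssl req -newkey rsa:2048 -nodes -keyout $u.key -out $u.csr -subj /CN=$u $Q 2>/dev/null
  openssl ca -batch $Q -in $u.csr -out $u.crt 2>/dev/null
done
openssl ca -batch $Q -revoke user1.crt 2>/dev/null   # user1 goes on the CRL
openssl ca -batch $Q -gencrl -out ca.crl 2>/dev/null
# CApath layout (what c_rehash produces): <hash>.0 for CA certs, <hash>.r0 for CRLs
cp ca.crt "$CAPATH/$(openssl x509 -hash -noout -in ca.crt).0"
cp ca.crl "$CAPATH/$(openssl crl -hash -noout -in ca.crl).r0"
# Offline check: chain must be trusted AND leaf must not be on the CRL. With
# -crl_check a missing CRL is also a failure, so the check fails closed.
cert_status() {   # prints accepted or rejected
  openssl verify -CApath "$CAPATH" -crl_check "$1" >/dev/null 2>&1 && echo accepted || echo rejected
}
cert_status "$WORK/user1.crt"   # rejected (revoked)
cert_status "$WORK/user2.crt"   # accepted
```

In OpenLDAP the same OpenSSL check is switched on with TLS_CRLCHECK in ldap.conf (TLSCRLCheck in slapd.conf) with the CRL dropped into the TLS_CACERTDIR directory; a CRL that has expired or is missing makes the check fail for every cert, so keep the published CRL current.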