Author: rcritten
Update of /cvs/dirsec/mod_revocator/docs
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv19588/docs

Modified Files:
	mod_revocator.html
Log Message:
Add bit about OpenLDAP support
Include some troubleshooting documentation and a little bit more on configuration
Index: mod_revocator.html =================================================================== RCS file: /cvs/dirsec/mod_revocator/docs/mod_revocator.html,v retrieving revision 1.1 retrieving revision 1.2 diff -u -r1.1 -r1.2 --- mod_revocator.html 5 Sep 2006 19:58:26 -0000 1.1 +++ mod_revocator.html 16 Oct 2006 18:17:14 -0000 1.2 @@ -54,7 +54,8 @@ 3.9.3 or higher<br> </li> <li>Mozilla <a href="http://www.mozilla.org/directory/csdk.html">LDAP -SDK</a> 5.15 or higher</li> +SDK</a> 5.15 or higher or OpenLDAP 2.2.29 or higher<br> + </li> <li>Apache development package(s)</li> <li><a href="http://directory.fedora.redhat.com/wiki/Mod_nss">mod_nss</a><br> </li> @@ -114,6 +115,13 @@ <td>--with-ldapsdk-lib=PATH</td> <td>Mozilla LDAP SDK library directory</td> </tr> + <tr> + <td style="vertical-align: top;">--enable-openldap<br> + </td> + <td style="vertical-align: top;">Use OpenLDAP instead of +the Mozilla LDAP SDK<br> + </td> + </tr> </tbody> </table> <br> 
@@ -250,8 +258,41 @@ <code>CRLFile http://somehost.example.com/MasterCRL.crl;60;60 </code><br> <code>CRLAgeCheck off </code><br> <code>CRLUpdateCritical off +<br> +</code></div> +<h1>Operation<br> +</h1> +In order for the CRL to be loaded you need to trust the issuer. This is +often issued by a separate certificate on the CA, so you may need to +trust multiple certificates. If the CRL is signed by an unknown issuer +or is not trusted you will get the error message:<br> +<br> +<code>Error updating CRL http://ca.example.com/MasterCRL.crl no subject +: Unknown issuer for this CRL<br> </code><br> -</div> +In order to load this CRL you will need to import and trust the CA +and/or OCSP signing certificate. Save the certificate(s) into text +files and use the NSS certutil command to import it. Note that your +nickname (-n) and database path (-d) may differ:<br> +<br> +<code>% certutil -A -n "CA" -d /etc/httpd/alias -t CT,, -a -i +/path/to/ca.crt<br> +</code><br> +<code>% certutil -A -n "OCSP cert" -d /etc/httpd/alias -t CT,, -a -i +/path/to/ocsp.crt</code><br> +<br> +The default Apache LogLevel is warn. This will log basic information +about the module and will report the first successful retrieval +of each CRL. Subsequent retrievals are only logged in the LogLevel is +set to debug.<br> +<br> +An example log is:<br> +<br> +<code>Successfully downloaded CRL at URL +http://ca.example.com/MasterCRL.crl, subject = CN=Certificate +Manager,OU=Engineering,O=Example,C=US, lastupdate = Thu Oct 12 15:39:19 +2006, nextupdate = Thu Oct 12 19:39:19 2006<br> +Revocation subsystem initialized</code><br> <h1><a name="Developer_Information"></a>Developer Information </h1> This module uses some internals from NSS. This is normally a big no-no but there was no other way to get around it. As such a private copy of
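Review bot: the requirement in the first hunk now reads "5.15 or higher or OpenLDAP 2.2.29 or higher", which is hard to parse; rewrite the list item as "either Mozilla LDAP SDK 5.15 or higher, or OpenLDAP 2.2.29 or higher", and give OpenLDAP the same kind of link the Mozilla SDK entry has so readers can find the right package.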
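Review bot: the new `--enable-openldap` row in the configure-options table does not say how the build locates the OpenLDAP headers and libraries, while the row just above documents `--with-ldapsdk-lib=PATH` as the Mozilla LDAP SDK library directory; state whether the `--with-ldapsdk-*` options are honoured, ignored or required when `--enable-openldap` is given, or document the equivalent OpenLDAP path options if any exist. Minor: the new cells carry `style="vertical-align: top;"` while the neighbouring `--with-ldapsdk-lib` cells do not, so either style all rows the same way or drop it here.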
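Review bot: typo in the new Operation section, "Subsequent retrievals are only logged in the LogLevel is set to debug" should read "only logged if the LogLevel is set to debug". Two smaller points in the same hunk: "This is often issued by a separate certificate on the CA" leaves "This" ambiguous, so say "The CRL is often signed by a separate certificate on the CA"; and both certutil examples apply the CA trust flags `-t CT,,` to the OCSP signing certificate as well as to the CA, which grants a signing certificate the trust of a CA that may issue server and client certificates, so either explain why the module needs that trust level or document the narrower flags that suffice for CRL verification.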