Fraser Tweedale via FreeIPA-users wrote:
On Mon, Oct 01, 2018 at 06:05:42PM -0400, veer Schlansky via
FreeIPA-users wrote:
> My company's PIV/AD credential is user(a)example.com. We set up our IPA
> credential as user(a)linux.example.com
>
> example.com and linux.example.com are completely separated domains/realms,
> no trust or interaction whatsoever.
>
> I took the user and CA certs on the PIV card and put them into ipa. I was
> able to authenticate to ipa webui with my PIV card.
>
>
> My question is does ipa do online certificate status protocol check for the
> user(a)example.com cert? Any way to verify that?
>
> Thanks.
>
For HTTP smart card authentication, the script output by `ipa-advise
config-server-for-smart-card-auth` enables OCSP checking. If you
didn't use that script, then set `SSLOCSPEnable on` in
/etc/httpd/conf.d/ssl.conf.
Or use ipa-advise to generate the script to see what needs to be enabled
for your version of IPA (it varies). For versions pre-4.7 the option you
want is NSSOCSP, but there are other things to set as well.
rob
For smart card login via SSSD, OCSP checking is performed by default
(and can be suppressed via the `certificate_verification` setting;
see sssd.conf(5)).
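The verification the question asks for, as an added example that is not from this thread or from FreeIPA: a POSIX shell check that reads the two files the replies name, the httpd ssl.conf (SSLOCSPEnable, or NSSOCSP before 4.7) and sssd.conf (certificate_verification), and reports whether OCSP checking is in effect on each path. It assumes the sssd.conf(5) option is read from the [sssd] or [pam] section, and it runs against constructed sample files rather than the live system.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeIPA: report whether OCSP
# checking is configured on both smart-card paths. Paths are parameters so the
# functions can run against the constructed sample files at the bottom.

# httpd path. mod_ssl (IPA >= 4.7) uses "SSLOCSPEnable on", mod_nss (pre-4.7)
# used "NSSOCSP on". Comment lines are skipped, directive names are
# case-insensitive, and the last occurrence wins as in Apache. Prints the
# active directive or "none".
httpd_ocsp_status() {
    awk '
        /^[ \t]*#/ { next }
        tolower($1) == "sslocspenable" || tolower($1) == "nssocsp" {
            state = (tolower($2) == "on") ? $1 " on" : ""
        }
        END { print (state ? state : "none") }' "$1"
}

# SSSD path. OCSP is on unless certificate_verification contains no_ocsp (or
# no_verification, which skips validation entirely). Assumption: the option is
# read from the [sssd] or [pam] section, where sssd.conf(5) documents it.
sssd_ocsp_status() {
    awk '
        /^[ \t]*\[/ { sect = $0; gsub(/[][ \t]/, "", sect); next }
        /^[ \t]*[#;]/ { next }
        (sect == "sssd" || sect == "pam") &&
        $0 ~ /^[ \t]*certificate_verification[ \t]*=/ {
            val = $0; sub(/^[^=]*=[ \t]*/, "", val); sub(/[ \t]+$/, "", val)
            found = val
        }
        END {
            if (found == "")                            print "enabled (default)"
            else if (found ~ /no_ocsp|no_verification/) print "disabled (" found ")"
            else                                        print "enabled (" found ")"
        }' "$1"
}

# Constructed samples (not real config): mod_ssl with OCSP on (the commented
# line must be ignored) and an sssd.conf where someone switched OCSP off.
tmp=$(mktemp -d)
printf '#SSLOCSPEnable off\nSSLEngine on\nSSLOCSPEnable on\n' > "$tmp/ssl.conf"
printf '[sssd]\ndomains = linux.example.com\ncertificate_verification = no_ocsp\n[pam]\npam_cert_auth = True\n' > "$tmp/sssd.conf"
echo "httpd OCSP: $(httpd_ocsp_status "$tmp/ssl.conf")"   # SSLOCSPEnable on
echo "sssd OCSP:  $(sssd_ocsp_status "$tmp/sssd.conf")"   # disabled (no_ocsp)
rm -rf "$tmp"
```

Run it against the real files by calling the two functions with /etc/httpd/conf.d/ssl.conf and /etc/sssd/sssd.conf instead of the samples.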