On Tue, 15 Oct 2019, Kevin Vasko via FreeIPA-users wrote:
Well that’s the thing, I didn’t realize the service certificate was
revoked as I thought the entire point of validating the client cert was
to validate the entire “chain” with OCSP.
I'm using IPA's internal cert system.
Yeah, I kept reissuing tickets when I was trying to get the post
command script to work. I guess in the process I deleted one too many
certs and didn't realize it.
So if I had run the command on the service's cert I should have
seen it's revoked?
Is there a command to do exactly what FF is doing for OCSP to validate
the cert? Or should I just manually check each cert, client and
service?
Regarding 'exactly what FF is doing for OCSP to validate', this is
hard.
Might be it is using the same functionality that is exposed by nss tools
in the /usr/lib64/nss/unsupported-tools/vfyserv (in nss-tools package in
Fedora/CentOS/RHEL)? Because NSS library handles it for Firefox.
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
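As an added example (not code from this thread, from FreeIPA or from NSS), the OCSP check a client performs, written with the OpenSSL CLI instead of vfyserv: a throwaway CA issues a service cert, a revoked and then a valid index entry are served as signed OCSP responses, and the client verifies each response against the CA before reading the status. It assumes the `openssl` binary is installed; the CA/service names, serial 0x1001 and revocation time are constructed for the demo.

```shell
# Added example (not code from the thread, FreeIPA or NSS): reproduce what an
# OCSP-checking client does, i.e. build a request, obtain a signed response and
# verify it against the issuer, using "openssl ocsp" and a throwaway CA in a temp dir.
# The CA/service names, the serial 0x1001 and the revocation time are constructed.
set -eu
WORK=$(mktemp -d)

# Step 1: a private test CA and a service cert it issued (stand-in for an
# IPA-issued service cert). The serial is fixed so the index below can name it.
make_test_pki() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=ca.example.test" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=ipa.example.test" \
    -keyout "$WORK/svc.key" -out "$WORK/svc.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/svc.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -set_serial 0x1001 -days 1 -out "$WORK/svc.crt" 2>/dev/null
}
# Step 2: the responder's database. "openssl ocsp -index" reads the CA text database:
# status (V valid, R revoked), expiry, revocation time, serial in hex, file, subject.
write_index() {   # $1 is V or R
  if [ "$1" = R ]; then
    printf 'R\t301231235959Z\t191015120000Z\t1001\tunknown\t/CN=ipa.example.test\n'
  else
    printf 'V\t301231235959Z\t\t1001\tunknown\t/CN=ipa.example.test\n'
  fi > "$WORK/index.txt"
}

# Step 3: the client builds a request for svc.crt, the responder (signing with the
# CA key here) answers from index.txt, and the client verifies the response signature
# against the CA before trusting the status. Prints good, revoked or unknown.
ocsp_status() {
  openssl ocsp -issuer "$WORK/ca.crt" -cert "$WORK/svc.crt" -no_nonce \
    -reqout "$WORK/req.der" >/dev/null 2>&1
  openssl ocsp -index "$WORK/index.txt" -CA "$WORK/ca.crt" -rsigner "$WORK/ca.crt" \
    -rkey "$WORK/ca.key" -reqin "$WORK/req.der" -respout "$WORK/resp.der" >/dev/null 2>&1
  openssl ocsp -respin "$WORK/resp.der" -issuer "$WORK/ca.crt" -cert "$WORK/svc.crt" \
    -no_nonce -CAfile "$WORK/ca.crt" 2>&1 | sed -n 's/^.*svc\.crt: \([a-z]*\).*$/\1/p'
}
# Against a real deployment, point the same client at the responder named in the cert's
# AIA extension, and run it once for the client cert and once for the service cert:
#   openssl ocsp -issuer ipa-ca.pem -cert service.pem -CAfile ipa-ca.pem \
#     -url "$(openssl x509 -in service.pem -noout -ocsp_uri)"
main() {
  make_test_pki
  write_index R; echo "service cert, revoked in index: $(ocsp_status)"
  write_index V; echo "service cert, valid in index:   $(ocsp_status)"
  rm -rf "$WORK"
}
if [ "${1:-}" = demo ]; then main; fi
```

Run it as `sh ocsp_demo.sh demo`; the first line reports `revoked`, the second `good`.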