On Thu, Mar 26, 2020 at 08:16:31AM -0000, Hristina Marosevic wrote:
> > On Wed, Mar 25, 2020 at 10:49:55AM -0000, Hristina Marosevic
> > wrote:
> >
> > Hi,
> >
> > glad to hear it is working now. Thanks for your patience.
> >
> > bye,
> > Sumit
> Hello,
> As I was planning, I tried to log in with an expired certificate and the authentication
> failed with error:
> write(2, "(Wed Mar 25 16:28:59 2020) [[sssd[p11_child[10489]]]] [do_verification]
> (0x0040): Certificate [(null)][CN=test_sssd,.....] not valid [-8181][Peer's
> Certificate has expired.].\n", 194) = 194
> I also, in some way, tested authentication using a certificate signed by untrusted
> authorities, i.e. when the root and intermediate CA certificates were not imported
> correctly I got the error: " Certificate not valid. .....Peer's Certificate is
> not recognized"
> This seems to be working properly.
> The last scenario which I would like to test is CRL status, but if possible using
> an offline CRL list instead of an OCSP responder.
> I guess certificate_verification=no_ocsp stays in the sssd section of the sssd
> configuration, but what else should I do to make sssd check the revocation status of a user
> certificate using an offline CRL list, stored somewhere on the machine?
> This is like that because our lab environment is not connected to the internet, and I cannot
> use the OCSP URL given in the user's certificate. Is this workaround possible?
Hi,
please use crlutil to import a CRL into the NSS database, see man
crlutil for details.
HTH
bye,
Sumit
> BR,
> Hristina
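The steps Sumit points at (import the CRL with crlutil, keep no_ocsp in sssd.conf, then check the p11_child result the way Hristina's strace line shows it), as an added example that is not code from this thread. Assumed: sssd built against NSS, its database at /etc/pki/nssdb with the root and intermediate CA already imported, a DER-encoded CRL at /root/ca.crl, and p11_child logging to /var/log/sssd/p11_child.log.

```shell
#!/bin/sh
# Added example for the offline-CRL procedure discussed in the thread; not code
# from the thread. Paths below are assumptions, override them via environment.
NSSDB="${NSSDB:-/etc/pki/nssdb}"
CRL_FILE="${CRL_FILE:-/root/ca.crl}"
P11_LOG="${P11_LOG:-/var/log/sssd/p11_child.log}"

# Import the offline CRL (-t 1 = certificate CRL). crlutil ties it to the
# issuer certificate already in the DB; no network access is needed.
import_crl() {
    crlutil -I -i "$1" -d "$2" -t 1
}

# List CRLs in the DB: the issuer DN and next-update time should show up.
list_crls() {
    crlutil -L -d "$1"
}

# sssd.conf fragment: skip the OCSP responder named in the user certificate
# (unreachable in an offline lab) while still checking the imported CRL.
sssd_no_ocsp_snippet() {
    printf '%s\n' '[sssd]' 'certificate_verification = no_ocsp'
}

# Extract "<nss-error-code> <message>" from a p11_child do_verification line
# of the form quoted above, e.g. "... not valid [-8181][Peer's ... expired.].".
verification_error() {
    sed -n 's/.*not valid \[\(-*[0-9][0-9]*\)]\[\(.*\)]\..*/\1 \2/p'
}

# After a test login with a revoked certificate, summarise why it failed.
check_log() {
    grep -F '[do_verification]' "$1" | verification_error
}

if [ "${1:-}" = "run" ]; then
    import_crl "$CRL_FILE" "$NSSDB"
    list_crls "$NSSDB"
    sssd_no_ocsp_snippet    # merge into /etc/sssd/sssd.conf, then restart sssd
    check_log "$P11_LOG"
fi
```

Run it as `sh crl_check.sh run` after the CRL and CA certificates are in place; a revoked test certificate should then fail in do_verification with an NSS revocation error instead of the expiry error shown above.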
_______________________________________________
sssd-users mailing list -- sssd-users(a)lists.fedorahosted.org
To unsubscribe send an email to sssd-users-leave(a)lists.fedorahosted.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines:
https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahoste...