[38053] in Kerberos
Re: certificate revocation check for PKINIT in KDC
daemon@ATHENA.MIT.EDU (Greg Hudson)
Thu Aug 10 00:55:27 2017
To: Jim Shi <hjshi@yahoo.com>, "kerberos@mit.edu" <kerberos@mit.edu>
From: Greg Hudson <ghudson@mit.edu>
Message-ID: <6a723b91-bd58-e63a-ff41-f005ff6cae8b@mit.edu>
Date: Thu, 10 Aug 2017 00:55:03 -0400
MIME-Version: 1.0
In-Reply-To: <422767414.2059541.1502215873163@mail.yahoo.com>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
On 08/08/2017 02:11 PM, Jim Shi wrote:
> Is there any document how to configure certificate revocation check for PKINIT in KDC?
I believe the only documentation we have for this is in the man page for
kdc.conf, which says:

    pkinit_revoke
        Specifies the location of Certificate Revocation List (CRL)
        information to be used by the KDC when verifying the validity of
        client certificates. This option may be specified multiple times.

The CRL file(s) have to be maintained out of band (we do not have OCSP
support; you might see documentation for a pkinit_kdc_ocsp variable but
it isn't implemented). If I read the code correctly, CRL files are only
read on KDC startup, so the KDC must be restarted to update revoked
certs. CRL files are expected to be in PEM format.
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
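The two operational points in the reply above (the KDC wants PEM-format CRL files, and it only reads them at startup, so a CRL left in place past its nextUpdate silently goes stale) lend themselves to a small pre-restart check. The script below is an added example written for this page; it is not code from the email, from Greg Hudson, or from MIT krb5. It assumes pkinit_revoke values use the FILE: prefix form, decodes only enough of the CRL (PEM wrapper, tbsCertList, thisUpdate/nextUpdate) to report freshness, and does not verify the CRL signature (the KDC does that). The kdc.conf text and the CRL contents are constructed inline so it runs offline; the sample CRLs carry a dummy signature and a made-up issuer.

```python
"""Offline sanity check for the CRL files a KDC loads via pkinit_revoke.
Constructed example, not krb5 code: lists the pkinit_revoke entries of a
kdc.conf, confirms each file is PEM, and flags any CRL whose nextUpdate
has passed (the KDC only re-reads CRLs when restarted)."""
import base64
import datetime as dt
import re

PEM_CRL = re.compile(r"-----BEGIN X509 CRL-----\s*(.+?)\s*-----END X509 CRL-----", re.S)
UTC = dt.timezone.utc


def parse_pkinit_revoke(kdc_conf_text):
    """Collect pkinit_revoke values; the option may repeat. Assumption: values
    are FILE:<path> (other location types are passed through unchanged)."""
    vals = re.findall(r"^\s*pkinit_revoke\s*=\s*(\S+)", kdc_conf_text, re.M)
    return [v[5:] if v.upper().startswith("FILE:") else v for v in vals]


def der_read(buf, pos=0):
    """Read one DER TLV at pos -> (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def der_children(value):
    """Split a constructed DER value into its (tag, value) members."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = der_read(value, pos)
        out.append((tag, val))
    return out


def parse_time(tag, val):
    """Decode UTCTime (0x17, YYMMDDHHMMSSZ) or GeneralizedTime (0x18, YYYYMMDDHHMMSSZ)."""
    s = val.decode("ascii")
    if tag == 0x17:                                     # RFC 5280: YY >= 50 means 19YY
        s = ("19" if int(s[:2]) >= 50 else "20") + s
    elif tag != 0x18:
        raise ValueError("not an X.509 Time")
    return dt.datetime.strptime(s[:14], "%Y%m%d%H%M%S").replace(tzinfo=UTC)


def check_crl_pem(text, now):
    """Return (status, detail) for the contents of one pkinit_revoke file."""
    m = PEM_CRL.search(text)
    if not m:
        return "error", "not a PEM CRL (the KDC expects PEM, not DER)"
    _, crl, _ = der_read(base64.b64decode(m.group(1)))
    fields = der_children(der_children(crl)[0][1])      # tbsCertList members
    if fields[0][0] == 0x02:                            # optional version INTEGER
        fields = fields[1:]
    # after signature and issuer come thisUpdate and the optional nextUpdate
    times = [parse_time(t, v) for t, v in fields[2:4] if t in (0x17, 0x18)]
    if len(times) < 2:
        return "warn", "no nextUpdate; cannot tell when this CRL goes stale"
    if times[1] <= now:
        return "stale", "nextUpdate %s has passed; fetch a new CRL and restart the KDC" % times[1].isoformat()
    return "ok", "valid until %s" % times[1].isoformat()


def audit_pkinit_revoke(kdc_conf_text, read_file, now):
    """Check every CRL named in kdc.conf; read_file(path) is injected so this runs offline."""
    return {p: check_crl_pem(read_file(p), now) for p in parse_pkinit_revoke(kdc_conf_text)}


# --- constructed sample data: made-up issuer, dummy signature, not a real CA ---
def der(tag, *parts):
    body = b"".join(parts)
    if len(body) < 128:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def sample_crl_pem(this_update, next_update):
    utc = lambda d: der(0x17, d.strftime("%y%m%d%H%M%SZ").encode())
    alg = der(0x30, der(0x06, bytes.fromhex("2a864886f70d01010b")), der(0x05))  # sha256WithRSA
    issuer = der(0x30, der(0x31, der(0x30, der(0x06, bytes.fromhex("550403")), der(0x0C, b"Sample PKINIT CA"))))
    tbs = der(0x30, der(0x02, b"\x01"), alg, issuer, utc(this_update), utc(next_update))
    crl = der(0x30, tbs, alg, der(0x03, b"\x00" * 9))                          # dummy signature
    return "-----BEGIN X509 CRL-----\n%s-----END X509 CRL-----\n" % base64.encodebytes(crl).decode()


NOW = dt.datetime(2017, 8, 10, 4, 55, tzinfo=UTC)     # constructed "current time"
SAMPLE_KDC_CONF = """[realms]
    EXAMPLE.COM = {
        pkinit_anchors = FILE:/etc/krb5kdc/cacert.pem
        pkinit_revoke = FILE:/etc/krb5kdc/crl-current.pem
        pkinit_revoke = FILE:/etc/krb5kdc/crl-stale.pem
        pkinit_revoke = FILE:/etc/krb5kdc/crl-der.crl
    }
"""
SAMPLE_FILES = {
    "/etc/krb5kdc/crl-current.pem": sample_crl_pem(NOW - dt.timedelta(days=1), NOW + dt.timedelta(days=6)),
    "/etc/krb5kdc/crl-stale.pem": sample_crl_pem(NOW - dt.timedelta(days=30), NOW - dt.timedelta(days=23)),
    "/etc/krb5kdc/crl-der.crl": "0\x82\x01...binary DER, not PEM...",
}

if __name__ == "__main__":
    for path, (status, detail) in audit_pkinit_revoke(SAMPLE_KDC_CONF, lambda p: SAMPLE_FILES[p], NOW).items():
        print("%-5s %s: %s" % (status.upper(), path, detail))
```

Against real files, replace `lambda p: SAMPLE_FILES[p]` with `lambda p: open(p).read()` and `NOW` with `dt.datetime.now(UTC)`; a "stale" result means the KDC, which read the file at its last start, is enforcing revocation from an outdated list and needs a fresh CRL and a restart.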