cacert-sysadm - Re: Revocation checking on hosts that accept client certificates

cacert-sysadm AT lists.cacert.org

Subject: CAcert System Admins discussion list

  • From: Michael Tänzer <michael.taenzer AT cacert.org>
  • To: cacert-sysadm AT lists.cacert.org, cats-admin AT cacert.org, blog-admin AT cacert.org, community-admin AT cacert.org, lists-admin AT cacert.org, Mario Lipinski <mario AT cacert.org>
  • Subject: Re: Revocation checking on hosts that accept client certificates
  • Date: Fri, 18 Oct 2013 04:43:37 +0200
  • Openpgp: id=9940BEF1

Hi,

I have updated the script mentioned in the wiki page to only download
the CRL if there's a newer version available to save traffic. Please
update the scripts on your servers.

https://wiki.cacert.org/ApacheServerClientCertificateAuthentication?action=AttachFile&do=get&target=update-crls.sh

On 21.05.2012 17:12, Michael Tänzer wrote:
> Michael Ionescu recently made me aware of a serious issue with our
> client cert enabled services. On almost all services we do not have
> revocation checking enabled which is kind of like a password users are
> not allowed to change even if they know it got into the wrong hands.
>
> I have extended the documentation on our Wiki to cover how to enable
> revocation checking with Apache versions < 2.3:
> https://wiki.cacert.org/ApacheServerClientCertificateAuthentication#Revoked_Certificate_Checking
>
> Please adjust the configuration of your servers accordingly. If there is
> some problem because your host can't connect to https://crl.cacert.org/
> there's probably a restriction in the firewall. In that case contact
> Mario, I'm sure he can help you out there.


--
Cheers,
Michael Tänzer

Attachment: signature.asc
Description: OpenPGP digital signature
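
A sketch of the "download only if newer" refresh described in the message, as an added example that is not the wiki's update-crls.sh and not part of the original mail. It goes beyond the mail by also verifying the CRL's signature and installing it atomically; the CRL file name, the paths, the DER encoding and the reload command are assumptions.

```shell
#!/bin/sh
# Added example, not the wiki's update-crls.sh. Placeholders/assumptions: the
# CRL file name in CRL_URL, both paths, DER encoding, and the reload command.
CRL_URL="${CRL_URL:-https://crl.cacert.org/EXAMPLE.crl}"
CA_FILE="${CA_FILE:-/etc/ssl/example/ca.pem}"
CRL_FILE="${CRL_FILE:-/etc/ssl/example/ca.crl.pem}"   # SSLCARevocationFile target

# Fetch $1 into $2, but only if the server copy is newer than installed file $3.
fetch_if_newer() {
    if [ -f "$3" ]; then
        curl -fsS -R -z "$3" -o "$2" "$1"
    else
        curl -fsS -R -o "$2" "$1"
    fi
}

# Verify the CRL $1 against CA $2 and write it as PEM to $3. The output text is
# checked because some OpenSSL versions exit 0 even on "verify failure".
verify_to_pem() {
    openssl crl -inform DER -in "$1" -CAfile "$2" -outform PEM -out "$3" 2>&1 |
        grep -q '^verify OK'
}

# Returns 0 when a new CRL was installed (reload needed), 1 when nothing
# changed, 2 on error. An unverified file never replaces the installed CRL.
update_crl() {
    tmp="$CRL_FILE.new.$$"
    fetch_if_newer "$CRL_URL" "$tmp" "$CRL_FILE" || { rm -f "$tmp"; return 2; }
    [ -s "$tmp" ] || { rm -f "$tmp"; return 1; }      # not modified on server
    verify_to_pem "$tmp" "$CA_FILE" "$tmp.pem" ||
        { rm -f "$tmp" "$tmp.pem"; return 2; }
    touch -r "$tmp" "$tmp.pem"                        # keep the server's mtime
    rm -f "$tmp"
    if [ -f "$CRL_FILE" ] && cmp -s "$tmp.pem" "$CRL_FILE"; then
        rm -f "$tmp.pem"; return 1
    fi
    mv -f "$tmp.pem" "$CRL_FILE"                      # atomic within one filesystem
}

# mod_ssl reads the CRL file at (re)start, so reload only after a change.
if [ "${1:-}" = "--run" ]; then
    update_crl && apachectl graceful
fi
```

Run it from cron with `--run`; a return code of 2 leaves the previously installed CRL in place and is worth alerting on, since a CRL that silently stops updating eventually stops reflecting new revocations.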

