certificate revocation check for PKINIT in KDC


certificate revocation check for PKINIT in KDC

Jim Shi-2
Hi, 
Is there any document on how to configure certificate revocation checking for PKINIT in the KDC?
Thanks
Jim
________________________________________________
Kerberos mailing list           [hidden email]
https://mailman.mit.edu/mailman/listinfo/kerberos

Re: certificate revocation check for PKINIT in KDC

Greg Hudson
On 08/08/2017 02:11 PM, Jim Shi wrote:
> Is there any document how to configure certificate revocation check for PKINIT in KDC?

I believe the only documentation we have for this is in the man page for
kdc.conf, which says:

pkinit_revoke
  Specifies the location of Certificate Revocation List (CRL)
  information to be used by the KDC when verifying the validity of
  client certificates. This option may be specified multiple times.

The CRL file(s) have to be maintained out of band (we do not have OCSP
support; you might see documentation for a pkinit_kdc_ocsp variable but
it isn't implemented).  If I read the code correctly, CRL files are only
read on KDC startup, so the KDC must be restarted to update revoked
certs.  CRL files are expected to be in PEM format.

Re: certificate revocation check for PKINIT in KDC

Thorsten Seeger
On 10.08.2017 06:55, Greg Hudson wrote:

> On 08/08/2017 02:11 PM, Jim Shi wrote:
>> Is there any document how to configure certificate revocation check for PKINIT in KDC?
> I believe the only documentation we have for this is in the man page for
> kdc.conf, which says:
>
> pkinit_revoke
>   Specifies the location of Certificate Revocation List (CRL)
>   information to be used by the KDC when verifying the validity of
>   client certificates. This option may be specified multiple times.
>
> The CRL file(s) have to be maintained out of band (we do not have OCSP
> support; you might see documentation for a pkinit_kdc_ocsp variable but
> it isn't implemented).  If I read the code correctly, CRL files are only
> read on KDC startup, so the KDC must be restarted to update revoked
> certs.  CRL files are expected to be in PEM format.
> ________________________________________________
> Kerberos mailing list           [hidden email]
> https://mailman.mit.edu/mailman/listinfo/kerberos

Hello,
if you set this up, a little warning: at least on Debian and Ubuntu the
option "pkinit_require_crl_checking = true" does not work as expected.
If it is set to true you get the message that the certificate status is unknown (or something similar).
So if you cannot authenticate with the certs, try setting 'pkinit_require_crl_checking' to false.
This will deny revoked certificates too.

...
  pkinit_revoke = FILE:/etc/krb5kdc/TNTNET_LOCAL_PKINIT_CA.crl
  #pkinit_revoke = /etc/krb5kdc/
  # If pkinit_require_crl_checking is set to 'true'
  # login always fails
  pkinit_require_crl_checking = false
}

For testing and playing around I made a bash script to install a multi-master Kerberos server with an OpenLDAP backend.
The script sets up PKINIT too. If you want to take a look you can find it here: https://wp.tntnet.eu/?p=112

Regards
Thorsten

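Added example (not from this thread and not krb5 project code): a POSIX shell script that exercises the two things Greg's and Thorsten's posts leave to the operator. The KDC only reads the PEM file named by pkinit_revoke at startup and there is no OCSP, so the CRL has to be kept fresh out of band, and it is worth confirming that the file about to be loaded actually rejects a revoked client certificate before restarting the KDC. The script builds a throwaway CA with openssl; every path, name and serial number is constructed for the demo, the scratch directory is not a real KDC path, and the nextUpdate comparison assumes GNU date for `-d`.

```shell
#!/bin/sh
# Constructed demo: throwaway CA, one good and one revoked client cert,
# a PEM CRL as pkinit_revoke expects, and the pre-restart checks.
set -eu

WORK="${WORK:-$(mktemp -d)}"   # scratch directory; not a real KDC path

# Build the demo PKI under "$WORK/ca" and print that directory.
make_test_pki() (
    mkdir -p "$WORK/ca" && cd "$WORK/ca"
    touch index.txt
    echo 1000 > serial
    echo 1000 > crlnumber
    cat > openssl.cnf <<'EOF'
[ ca ]
default_ca = demo
[ demo ]
dir = .
database = $dir/index.txt
serial = $dir/serial
crlnumber = $dir/crlnumber
new_certs_dir = $dir
certificate = $dir/ca.pem
private_key = $dir/ca.key
default_md = sha256
default_days = 30
default_crl_days = 7
policy = any_policy
x509_extensions = client_ext
[ any_policy ]
commonName = supplied
[ client_ext ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature
[ req ]
prompt = no
distinguished_name = dn
x509_extensions = ca_ext
[ dn ]
CN = placeholder
[ ca_ext ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
    # Self-signed CA (constructed name; -subj overrides the [dn] placeholder).
    openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.pem \
        -subj "/CN=Demo PKINIT CA" -days 30 -config openssl.cnf >/dev/null 2>&1
    for n in good revoked; do
        openssl req -newkey rsa:2048 -nodes -keyout "$n.key" -out "$n.csr" \
            -subj "/CN=$n client" -config openssl.cnf >/dev/null 2>&1
        openssl ca -batch -config openssl.cnf -in "$n.csr" -out "$n.pem" >/dev/null 2>&1
    done
    openssl ca -config openssl.cnf -revoke revoked.pem >/dev/null 2>&1
    # "openssl ca -gencrl" writes PEM, which is the format the KDC expects.
    openssl ca -config openssl.cnf -gencrl -out demo.crl >/dev/null 2>&1
    echo "$WORK/ca"
)

# Exit 0 if the CRL's nextUpdate is still in the future. Because the KDC loads
# pkinit_revoke only at startup, a lapsed CRL stays in use until someone
# replaces the file and restarts the KDC, so this is the check to schedule.
# Assumes GNU date for "-d".
crl_is_current() {
    next=$(openssl crl -in "$1" -noout -nextupdate | sed 's/^nextUpdate=//')
    [ "$(date -u -d "$next" +%s)" -gt "$(date -u +%s)" ]
}

# Print good, revoked, crl-expired, or the verifier's error text for
# CERT checked against CA and CRL (arguments: cert ca crl).
cert_status() {
    if out=$(openssl verify -CAfile "$2" -CRLfile "$3" -crl_check "$1" 2>&1); then
        echo good
    else
        case "$out" in
            *"certificate revoked"*) echo revoked ;;
            *"CRL has expired"*)     echo crl-expired ;;
            *)                       echo "error: $out" ;;
        esac
    fi
}

demo() {
    dir=$(make_test_pki)
    for c in good revoked; do
        printf '%s: %s\n' "$c" "$(cert_status "$dir/$c.pem" "$dir/ca.pem" "$dir/demo.crl")"
    done
    if crl_is_current "$dir/demo.crl"; then
        echo "CRL is current"
    else
        echo "CRL is stale: replace $dir/demo.crl and restart the KDC"
    fi
}

if [ "${RUN_DEMO:-0}" = 1 ]; then demo; fi
```

Run it with `RUN_DEMO=1 sh crlcheck.sh`; it should report the good certificate as good, the other as revoked, and the fresh CRL as current. The `cert_status` function is the same check the KDC performs when it loads the CRL named by pkinit_revoke, done ahead of time with `openssl verify -crl_check`, so a CRL that has gone stale or that does not list the serial you expect is caught before a restart rather than after.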

Re: certificate revocation check for PKINIT in KDC

Jim Shi

Greg:
I thought OCSP was supported.  Good to know it is not.

Thorsten:

Thanks for the info.


Jim

Re: certificate revocation check for PKINIT in KDC

Robbie Harwood
Jim Shi <[hidden email]> writes:

> Greg:
> I thought ocsp was supported.  Good to know it is not.

We will be clarifying this with the 1.16 release [1].

Thanks,
--Robbie

1: https://github.com/krb5/krb5/pull/683/
