The "ipa-advise config-client-for-smart-card-auth" script enables OCSP checks in httpd; the RHEL docs say to disable it if the client certificates don't have an OCSP responder URL (third-party CA). [1]
Apache httpd has an undocumented flag "no_ocsp_for_cert_ok" which will pass certificates without OCSP URLs as valid but still perform OCSP server checks for certificates that do have an OCSP URL. [2][3]
[1] https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/htm...
[2] https://bz.apache.org/bugzilla/show_bug.cgi?id=62112
[3] https://svn.apache.org/viewvc/httpd/httpd/tags/2.4.57/modules/ssl/ssl_engine...
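The two settings being contrasted above, as an added httpd configuration example that is not part of the thread, the RHEL docs, or FreeIPA's own ipa-advise output. The paths, the <Location> block and the responder hostname are hypothetical. It also assumes, from the thread's pointer into ssl_engine_config.c and not from the httpd manual, that "no_ocsp_for_cert_ok" is accepted as an argument to the existing SSLOCSPEnable directive; verify that against the mod_ssl source for the httpd version you run before relying on it.

```apache
# Added example, not from the original post or from FreeIPA.
# Client-certificate authentication with OCSP in httpd 2.4 (mod_ssl).
# Paths, location and hostnames below are hypothetical.
<Location "/ipa/session/login_x509">
    SSLVerifyClient require
    SSLVerifyDepth 3
    SSLCACertificateFile /etc/pki/tls/certs/third-party-ca-chain.pem

    # What the ipa-advise output turns on: every presented certificate
    # must have a reachable OCSP responder, otherwise the handshake fails.
    # Client certs without an AIA OCSP URL are rejected with this setting.
    # SSLOCSPEnable on

    # Assumed value (from the thread's citation of ssl_engine_config.c,
    # not documented in the httpd manual): certificates that carry an AIA
    # OCSP URL are still checked against it; certificates without one are
    # accepted without an OCSP query instead of being rejected.
    SSLOCSPEnable no_ocsp_for_cert_ok

    # Alternative if the third-party CA does run a responder but does not
    # embed its URL in issued certificates: point mod_ssl at it explicitly.
    # SSLOCSPDefaultResponder http://ocsp.example.test/
    # SSLOCSPOverrideResponder off

    # Revocation still matters for certificates that skip OCSP. If the CA
    # publishes CRLs, enforce them here so "no OCSP URL" does not silently
    # mean "no revocation checking at all".
    SSLCARevocationCheck chain
    SSLCARevocationFile /etc/pki/tls/crls/third-party-ca.crl
</Location>
```

Before choosing between the settings, check whether the CA's client certificates actually carry an OCSP URL: `openssl x509 -noout -ocsp_uri -in client.pem` prints the AIA OCSP URI, or nothing if the certificate has none. The practical difference is that "off" disables revocation checking for every client, while the undocumented value keeps OCSP enforcement for the certificates that can support it and only exempts those that cannot; the CRL directives cover the exempted ones.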
Jernej Jakob via FreeIPA-users wrote:
The "ipa-advise config-client-for-smart-card-auth" script enables OCSP checks in httpd; the RHEL docs say to disable it if the client certificates don't have an OCSP responder URL (third-party CA). [1]
Apache httpd has an undocumented flag "no_ocsp_for_cert_ok" which will pass certificates without OCSP URLs as valid but still perform OCSP server checks for certificates that do have an OCSP URL. [2][3]
[1] https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/htm...
[2] https://bz.apache.org/bugzilla/show_bug.cgi?id=62112
[3] https://svn.apache.org/viewvc/httpd/httpd/tags/2.4.57/modules/ssl/ssl_engine...
Thanks for the suggestion. I filed this RFE as https://pagure.io/freeipa/issue/9412 upstream.
rob
freeipa-users@lists.fedorahosted.org