On Wed, Mar 25, 2020 at 10:49:55AM -0000, Hristina Marosevic wrote:
> Hello,
>
> As I was planning, I tried to log in with an expired certificate and the authentication failed with the error:
>
> write(2, "(Wed Mar 25 16:28:59 2020) [[sssd[p11_child[10489]]]] [do_verification] (0x0040): Certificate [(null)][CN=test_sssd,.....] not valid [-8181][Peer's Certificate has expired.].\n", 194) = 194
>
> I also, in some way, tested authentication using a certificate signed by untrusted authorities, i.e. when the root and intermediate CA certificates were not imported correctly I got the error:
>
> "Certificate not valid. .....Peer's Certificate is not recognized"
>
> This seems to be working properly.
>
> The last scenario which I would like to test is CRL status, but if possible using an offline CRL list instead of an OCSP responder. I guess certificate_verification=no_ocsp stays in the sssd section of the sssd configuration, but what else should I do to make sssd check the revocation status of a user certificate using an offline CRL list stored somewhere on the machine? This is because our lab environment is not connected to the Internet, and I cannot use the OCSP URL given in the user's certificate. Is this workaround possible?
>
> BR, Hristina

Hi,

glad to hear it is working now. Thanks for your patience.

bye,
Sumit
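As an added illustration of the offline-CRL setup asked about above (not part of this thread and not a snippet from the sssd project itself): sssd.conf(5) lists a crl_file= entry for the certificate_verification option that points p11_child at a locally stored, PEM-encoded CRL, so it can be combined with no_ocsp when no OCSP responder is reachable. The file path is a placeholder, and whether an NSS-built p11_child (as the -8181 error above suggests) honours crl_file the same way as an OpenSSL-built one is an assumption to verify on the system in question.

```ini
# Added example, not from the thread; the CRL path is a placeholder.
# /etc/sssd/sssd.conf
[sssd]
# Skip OCSP (no Internet in the lab) and check each user certificate
# against the CRL of the issuing CA stored on the local disk instead.
certificate_verification = no_ocsp,crl_file=/etc/sssd/pki/placeholder-issuing-ca.crl.pem
```

The CRL must be PEM encoded (a DER file can be converted with `openssl crl -inform DER -in issuing-ca.crl -out issuing-ca.crl.pem`), and a CRL carries its own nextUpdate date, so in a lab that cannot fetch updates the file has to be replaced by hand before it lapses and revocation checks start failing.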