On Tue, Mar 17, 2020 at 02:17:06PM -0000, Hristina Marosevic wrote:
> On Tue, Mar 17, 2020 at 11:17:34AM -0000, Hristina Marosevic
> I'm sorry, I haven't read one of your earlier emails carefully enough,
> please do not use "certificate_verification = no_ocsp, no_verification"
> but only
> certificate_verification = no_verification
> 'no_ocsp' implies verification but without OCSP so using both options is
> an inconsistency.
about 'certificate_verification = no_verification', there is an issue
which was fixed by
but the fix is not in the build you are using. So better continue with
'certificate_verification = no_ocsp'.
> Besides this, I thought of another scenario which may help me validate the certificate. I
> can add certificate_verification=no_ocsp instead of
> certificate_verification=no_verification in the [sssd] section of the sssd.conf file, and store
> the trust on the server. In that case, where should I store the trust, and is it enough
> just to provide the root CA certificate, or is it needed to store the intermediate CA
> certificates? Also, in which format?
Please add all CA certificates to the NSS database /etc/pki/nssdb with
the help of the certutil command:
certutil -A -n "CA cert nickname" -t C,C,C -i /path/to/CA_cert_file -d /etc/pki/nssdb
Each CA certificate should get an individual nickname. If your
CA_cert_file is in PEM format (with BEGIN CERTIFICATE and END
CERTIFICATE lines) you might need to add a '-a' option as well.
If there are still issues please send the strace output.
> If this won't work, I really have no idea of any other options for testing the PKI-based
> authentication, so if you have any other ideas, I would appreciate it if you share them.
> Thank you for your help!
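The import procedure from the reply above, written out as a small POSIX shell script. This is an added example, not a script from the thread or from the sssd project: it walks a directory of CA files (root and intermediates alike), gives each its own nickname derived from the file name, adds '-a' only when the file is PEM-encoded, and finishes with `certutil -L` so the stored trust flags (C,C,C) can be checked. The database path /etc/pki/nssdb comes from the thread; the directory layout, the file extensions and the helper names (`is_pem`, `nickname_for`, `certutil_cmd`, `import_ca_dir`) are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the sssd-users thread or the sssd project).
# Import every CA certificate in a directory into the NSS database that
# sssd's certificate verification consults, one nickname per certificate.
NSSDB="${NSSDB:-/etc/pki/nssdb}"   # database path named in the thread

# Return 0 when the file is PEM (contains a BEGIN CERTIFICATE line),
# non-zero when it is DER; PEM input needs certutil's '-a' flag.
is_pem() {
    grep -q 'BEGIN CERTIFICATE' "$1" 2>/dev/null
}

# Derive an individual nickname from the file name (assumed convention:
# strip the directory and the extension, e.g. /x/root-ca.pem -> root-ca).
nickname_for() {
    n=$(basename "$1")
    n="${n%.*}"
    printf '%s\n' "$n"
}

# Print, without running, the certutil command that would import one file,
# so it can be reviewed before touching the database.
certutil_cmd() {
    f="$1"
    nick=$(nickname_for "$f")
    if is_pem "$f"; then
        printf 'certutil -A -n "%s" -t C,C,C -a -i "%s" -d %s\n' "$nick" "$f" "$NSSDB"
    else
        printf 'certutil -A -n "%s" -t C,C,C -i "%s" -d %s\n' "$nick" "$f" "$NSSDB"
    fi
}

# Import all certificates (root and intermediate CAs) from a directory,
# then list the database so the C,C,C trust flags can be verified.
import_ca_dir() {
    dir="$1"
    for f in "$dir"/*.pem "$dir"/*.crt "$dir"/*.cer "$dir"/*.der; do
        [ -f "$f" ] || continue
        nick=$(nickname_for "$f")
        if is_pem "$f"; then
            certutil -A -n "$nick" -t C,C,C -a -i "$f" -d "$NSSDB"
        else
            certutil -A -n "$nick" -t C,C,C -i "$f" -d "$NSSDB"
        fi
        echo "imported $f as '$nick'"
    done
    certutil -L -d "$NSSDB"
}

# Usage: sh import-ca.sh /path/to/ca-dir   (runs only when a directory is given)
if [ $# -gt 0 ]; then
    import_ca_dir "$1"
fi
```

Running it as root with the directory holding the root CA and every intermediate CA file populates the database the way the reply describes; the final `certutil -L` output should show each nickname with trust flags C,C,C, and the 'no_ocsp' setting then lets sssd build the chain against those certificates without contacting an OCSP responder.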
sssd-users mailing list -- sssd-users(a)lists.fedorahosted.org