Hello,
I successfully added the CRL list into nssdb. The CRL list is in DER format. So, I tested the last scenario, which was validation of the revoked user certificate used for authentication using the offline CRL list instead of using OCSP. So, just giving info about this: in the [sssd] section of the sssd.conf file, option certificate_validation has the value "no_ocsp", and in the log file recorded using strace, these lines were generated:

write(2, "(Mon Mar 30 16:12:12 2020) [[sssd[p11_child[25761]]]] [do_verification] (0x0040): Certificate [(null)][CN=test_sssd_revoked.....] not valid [-8102][Certificate key usage inadequate for attempted operation.].\n", 228) = 228
stat("/etc/localtime", {st_mode=S_IFREG|0644, st_size=1931, ...}) = 0
stat("/etc/localtime", {st_mode=S_IFREG|0644, st_size=1931, ...}) = 0
write(2, "(Mon Mar 30 16:12:12 2020) [[sssd[p11_child[25761]]]] [do_work] (0x0400): Certificate is NOT valid.\n", 100) = 100
stat("/etc/localtime", {st_mode=S_IFREG|0644, st_size=1931, ...}) = 0
stat("/etc/localtime", {st_mode=S_IFREG|0644, st_size=1931, ...}) = 0
write(2, "(Mon Mar 30 16:12:12 2020) [[sssd[p11_child[25761]]]] [main] (0x0040): do_work failed.\n", 87) = 87
stat("/etc/localtime", {st_mode=S_IFREG|0644, st_size=1931, ...}) = 0
stat("/etc/localtime", {st_mode=S_IFREG|0644, st_size=1931, ...}) = 0
write(2, "(Mon Mar 30 16:12:12 2020) [[sssd[p11_child[25761]]]] [main] (0x0020): p11_child failed!\n", 89) = 89
close(1) = 0
exit_group(1) = ?
+++ exited with 1 +++
So, the authentication did not pass, which was expected. Please confirm that this is the answer that the p11_child should give in case of a revoked user certificate. If it is like that, by this step I can confirm that SSSD PKI authentication works properly, i.e. successfully verifies trust/time validity/revocation status of the user certificate.
BR, Hristina
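An offline CRL check of the kind the no_ocsp scenario above exercises, as an added example written for this thread (it is not SSSD's p11_child code, which relies on NSS): a Python script, assumed to have the `cryptography` package available, that constructs a throwaway CA, a user certificate and a DER CRL revoking it, then checks the certificate against the CRL the way a validator should (issuer match, CRL signature, nextUpdate window, serial lookup).

```python
import datetime
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa

UTC = datetime.timezone.utc


def _cert(subject, issuer_name, pub, signer, ca):
    """Issue a certificate for the constructed test PKI (not a real CA)."""
    now = datetime.datetime.now(UTC)
    return (x509.CertificateBuilder().subject_name(subject).issuer_name(issuer_name)
            .public_key(pub).serial_number(x509.random_serial_number())
            .not_valid_before(now - datetime.timedelta(days=1))
            .not_valid_after(now + datetime.timedelta(days=365))
            .add_extension(x509.BasicConstraints(ca=ca, path_length=None), critical=True)
            .sign(signer, hashes.SHA256()))


def build_test_pki():
    """Constructed CA, user cert, and a DER CRL that revokes that user cert."""
    ca_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    ca_name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Test CA")])
    ca_cert = _cert(ca_name, ca_name, ca_key.public_key(), ca_key, True)
    user_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    user_name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "test_sssd_revoked")])
    user_cert = _cert(user_name, ca_name, user_key.public_key(), ca_key, False)
    now = datetime.datetime.now(UTC)
    crl = (x509.CertificateRevocationListBuilder().issuer_name(ca_name)
           .last_update(now).next_update(now + datetime.timedelta(days=7))
           .add_revoked_certificate(x509.RevokedCertificateBuilder()
                                    .serial_number(user_cert.serial_number)
                                    .revocation_date(now).build())
           .sign(ca_key, hashes.SHA256()))
    return ca_cert, user_cert, crl.public_bytes(serialization.Encoding.DER)


def check_revocation(cert, crl_der, ca_cert):
    """Offline CRL check: returns 'good', 'revoked', or 'error: <reason>'."""
    crl = x509.load_der_x509_crl(crl_der)
    if crl.issuer != ca_cert.subject or crl.issuer != cert.issuer:
        return "error: CRL issuer does not match the certificate issuer"
    if not crl.is_signature_valid(ca_cert.public_key()):
        return "error: CRL signature invalid"  # never trust an unsigned or forged CRL
    if hasattr(crl, "next_update_utc"):  # newer cryptography: tz-aware accessor
        nxt, now = crl.next_update_utc, datetime.datetime.now(UTC)
    else:                                # older cryptography: naive UTC fields
        nxt, now = crl.next_update, datetime.datetime.utcnow()
    if nxt is not None and now > nxt:
        return "error: CRL is stale (nextUpdate passed)"  # refuse to decide on outdated data
    entry = crl.get_revoked_certificate_by_serial_number(cert.serial_number)
    return "revoked" if entry is not None else "good"
```

The serial lookup answers only once issuer, signature and freshness checks pass, so a stale or unsigned CRL yields an error rather than a silent "good".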