[cas-dev] X509 Authentication + revoked certificates
Romain BOURGUE
romain.bourgue at agriculture.gouv.fr
Wed May 21 10:45:34 EDT 2008
With cas-server-support-x509, a certificate is indeed treated as valid:
1- if it matches a trusted issuer DN (subjectDnPattern)...
2- ...within a specified range of intermediate CAs (maxPathLength),
3- if it's not expired (and already valid),
4- if its key usage validates an optionally specified one.
But it doesn't check any Certificate Revocation List (CRL) (yet?).
If you want this check, the easiest way is to rely on mod_ssl installed on an
Apache front-end webserver. The SSLCARevocationPath directive allows you to specify a
list of CRLs the certificate will be checked against.
You can also develop your own authentication handler....
Romain
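As an added illustration of the mod_ssl approach described above (this is example configuration, not something posted to the list or shipped with CAS), the fragment below shows an Apache front end for CAS with the weak setting that accepts any unexpired, correctly chained client certificate, beside the corrected setting that also consults CRLs. All file paths, host names, the AJP port and the verify depth are assumptions.

```apache
# Added example, not from the thread: Apache mod_ssl front end for CAS.
# Every path, host name and port below is an assumed placeholder.
<VirtualHost *:443>
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/cas.example.org.crt
    SSLCertificateKeyFile /etc/ssl/private/cas.example.org.key

    # Trusted issuers the client certificate chain must lead to
    # (the mod_ssl equivalent of CAS's subjectDnPattern check).
    SSLCACertificateFile  /etc/ssl/ca/trusted-issuers.pem

    # WEAK: the chain, the path length and the validity period are
    # verified, but a revoked certificate that has not expired yet is
    # still accepted, because no CRL is configured.
    #
    #   SSLVerifyClient require
    #   SSLVerifyDepth  2
    #
    # CORRECTED: same checks, plus revocation against a CRL store.
    SSLVerifyClient require
    SSLVerifyDepth  2          # comparable to CAS's maxPathLength

    # Directory of CRL files named by issuer hash; rerun `c_rehash` on
    # this directory whenever a CRL is replaced. A single file can be
    # given instead with SSLCARevocationFile.
    SSLCARevocationPath  /etc/ssl/crl/

    # Apache 2.4 only: with the default ("none") the CRLs are loaded but
    # never consulted. "chain" checks every certificate in the chain,
    # "leaf" only the client certificate. Apache 2.2 has no such
    # directive and always checks once a CRL path is set.
    SSLCARevocationCheck chain

    # Expose the verified certificate to the backend so CAS can still
    # apply its own subject/issuer/key-usage rules on it.
    SSLOptions +StdEnvVars +ExportCertData

    # Forward to Tomcat over AJP (assumed port); AJP carries the client
    # certificate through to the servlet request.
    ProxyPass        /cas ajp://localhost:8009/cas
    ProxyPassReverse /cas ajp://localhost:8009/cas
</VirtualHost>
```

Two things to verify after enabling this: present a certificate whose serial is listed in the CRL and confirm the handshake is refused (the error appears in the SSL error log, not in CAS's log), and keep the CRL files refreshed on a schedule, since OpenSSL treats a CRL whose nextUpdate has passed as an error and every client certificate from that issuer will then be rejected.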
Pavlos Drandakis wrote:
> Hello all,
>
> From what I understand, a certificate is treated as valid if the current
> time (when checking) is between the certificate's creation and expiration
> time. So if a revoked certificate has not expired yet, it is considered
> valid and access is granted when using X509 authentication. Is there
> any way to prevent users from logging into CAS when presenting revoked
> certificates?
>
> Thanks,
>
> Pavlos
>
> (Server Configuration: CAS 3.2.1, Tomcat 6.0.14 with APR support)
>
>
> ------------------------------------------------------------------------
>
> _______________________________________________
> cas-dev mailing list
> cas-dev at tp.its.yale.edu
> http://tp.its.yale.edu/mailman/listinfo/cas-dev