Can I disable user certificate? Can I generate new one?
jdennis at redhat.com
Fri Nov 18 17:50:04 CET 2011
On 11/18/2011 10:28 AM, Alan DeKok wrote:
> asdf zxcv wrote:
>> What if - for some reason - I want to disallow certain user from having
>> access? He already has the files he needs installed on his machine. I
>> can set Expiration attribute, but is there any other way?
> For EAP-TLS, use a CRL. See the OpenSSL documentation.
>> What if I need to generate a new certificate for the same user? Let's
>> say someone gained access to his computer and stole the certificate and
>> the key? Can I generate a new certificate for the same user and disable
>> the old one he had?
> Use CRLs. This is more an OpenSSL question. FreeRADIUS uses
> certificates, but it doesn't manage them. You want certificate
> management. So... it's not really a FreeRADIUS question.
If you want certificate management you can use our certificate server
suite, in Fedora it's called "dogtag" and is packaged under the name
pki-ca (ca being the certificate authority). Other related packages give
you a full complement of pki management, for instance there is a
registration authority, key escrow, etc. The whole software suite is
nearly identical to what the DoD uses.
All of this is managed through an easy-to-use web interface.
The CA of course publishes CRLs as well as providing OCSP (Online
Certificate Status Protocol).
Red Hat has generously given this to the community under public license,
it's freely available in Fedora.
For what it's worth we've also developed an identity management suite
called IPA (Identity, Policy, Audit) which uses the dogtag CA as its
backend certificate manager. Currently IPA does not have support for
client certs nor Radius, but those features are coming and if you want
to help contribute to move the process forward we would welcome your
contributions. Today you can just install pki-ca and get your own CA as
well as an extensive easy-to-use tool set to manage your certs.
# Mailing lists
#dogtag-pki on freenode
# Install the CA package
% yum install pki-ca
# Create a CA instance
# Follow the instructions at the end of pkicreate:
# you will be given a one-time pin to log onto the
# administrator's web console where you'll be taken
# through a "wizard" style configuration setup. The CA
# won't be available until you do this step.
John Dennis <jdennis at redhat.com>
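The "use a CRL" advice above, carried through end to end with OpenSSL as an added example that is not part of this thread: a throwaway CA issues a user certificate, revokes it, republishes the CRL, and the same verification a CRL-aware EAP-TLS server performs flips from accepted to revoked. The CA, the user "alice", the config file and all paths are constructed for the demo.

```shell
# Added example (not from the thread): revoke one EAP-TLS user certificate
# with an OpenSSL CRL. The throwaway CA, the user "alice" and every path
# below are constructed for the demo.
set -eu
WORK=$(mktemp -d)
cat > "$WORK/ca.cnf" <<EOF
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir = $WORK
database = \$dir/index.txt
serial = \$dir/serial
new_certs_dir = \$dir
certificate = \$dir/ca.crt
private_key = \$dir/ca.key
default_md = sha256
default_days = 365
default_crl_days = 30
policy = any_pol
[ any_pol ]
commonName = supplied
[ req ]
distinguished_name = dn
[ dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
touch "$WORK/index.txt"; echo 1000 > "$WORK/serial"
# Demo CA plus the user certificate already installed on the client
openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/ca.key" -out "$WORK/ca.crt" \
  -subj "/CN=Demo CA" -days 365 -extensions v3_ca -config "$WORK/ca.cnf" 2>/dev/null
openssl req -newkey rsa:2048 -nodes -keyout "$WORK/user.key" -out "$WORK/user.csr" \
  -subj "/CN=alice" -config "$WORK/ca.cnf" 2>/dev/null
openssl ca -batch -notext -config "$WORK/ca.cnf" -in "$WORK/user.csr" -out "$WORK/user.crt" 2>/dev/null
# Re-issue the CRL and bundle it with the CA cert, the way a RADIUS server loads it
publish_crl() {
  openssl ca -config "$WORK/ca.cnf" -gencrl -out "$WORK/ca.crl" 2>/dev/null
  cat "$WORK/ca.crt" "$WORK/ca.crl" > "$WORK/chain.pem"
}
# Prints "accepted" or "revoked": the check a CRL-aware EAP-TLS server performs
cert_status() {
  if openssl verify -crl_check -CAfile "$WORK/chain.pem" "$WORK/user.crt" >/dev/null 2>&1
  then echo accepted; else echo revoked; fi
}
publish_crl; echo "before revocation: $(cert_status)"
openssl ca -config "$WORK/ca.cnf" -revoke "$WORK/user.crt" 2>/dev/null
publish_crl; echo "after revocation:  $(cert_status)"
```

On the FreeRADIUS side the matching settings in the EAP-TLS section are check_crl = yes and a ca_path directory that holds the published CRL; the client keeps its stolen files, but the server stops accepting them once the CRL is refreshed.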