Can I disable user certificate? Can I generate new one?

John Dennis jdennis at redhat.com
Fri Nov 18 17:50:04 CET 2011


On 11/18/2011 10:28 AM, Alan DeKok wrote:
> asdf zxcv wrote:
>> What if - for some reason - I want to disallow certain user from having
>> access? He already has the files he needs installed on his machine. I
>> can set Expiration attribute, but is there any other way?
>
>    For EAP-TLS, use a CRL.  See the OpenSSL documentation.
>
>> 2)
>> What if I need to generate a new certificate for the same user? Let's
>> say someone gained access to his computer and stole the certificate and
>> the key? Can I generate a new certificate for the same user and disable
>> the old one he had?
>
>    Use CRLs.  This is more an OpenSSL question.  FreeRADIUS uses
> certificates, but it doesn't manage them.  You want certificate
> management.  So... it's not really a FreeRADIUS question.

If you want certificate management you can use our certificate server 
suite, in Fedora it's called "dogtag" and is packaged under the name 
pki-ca (ca being the certificate authority). Other related packages give 
you a full complement of pki management, for instance there is a 
registration authority, key escrow, etc. The whole software suite is 
nearly identical to what the DoD uses.

All of this is managed through an easy-to-use web interface.

The CA of course publishes CRLs as well as providing OCSP (Online 
Certificate Status Protocol).

Red Hat has generously given this to the community under a public license; 
it's freely available in Fedora.

For what it's worth we've also developed an identity management suite 
called IPA (Identity, Policy, Audit) which uses the dogtag CA as its 
backend certificate manager. Currently IPA does not have support for 
client certs nor Radius, but those features are coming and if you want 
to help contribute to move the process forward we would welcome your 
contributions. Today you can just install pki-ca and get your own CA as 
well as an extensive, easy-to-use tool set to manage your certs.

More info:

# Wiki

http://pki.fedoraproject.org/wiki/PKI_Documentation

# Mailing lists

https://www.redhat.com/mailman/listinfo/pki-users
https://www.redhat.com/mailman/listinfo/pki-devel

# IRC

#dogtag-pki on freenode

Quick Start:

# Install the CA package
% yum install pki-ca

# Create a CA instance
% pkicreate

# Follow the instructions at the end of pkicreate.
# You will be given a one-time pin to log onto the
# administrator's web console, where you'll be taken
# through a "wizard" style configuration setup. The CA
# won't be available until you do this step.

HTH,

John

-- 
John Dennis <jdennis at redhat.com>

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
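The reply above says "use a CRL" for EAP-TLS revocation and re-issuance, but does not show the OpenSSL side of it. The script below is an added example, not from this thread and not Dogtag/pki-ca; it builds a throwaway test CA in a temp directory with plain `openssl`, issues a client cert for a constructed user "alice", revokes it as key-compromised, republishes the CRL, issues a fresh cert for the same user, and then checks both certs against the CRL the way a RADIUS server would. All paths, subject names and the `demo_ca` config section are assumptions for the example.

```shell
#!/bin/sh
# Client-certificate lifecycle with a CRL: issue, revoke, publish, re-issue, verify.
# Added example (not from the original post). Everything lives under $WORK.
set -e

WORK="${WORK:-$(mktemp -d)}"

# Create the directory layout and config that `openssl ca` expects.
setup_ca() {
    mkdir -p "$WORK/ca/newcerts"
    : > "$WORK/ca/index.txt"          # CA database: one line per issued cert
    echo 1000 > "$WORK/ca/serial"
    echo 1000 > "$WORK/ca/crlnumber"
    cat > "$WORK/ca/openssl.cnf" <<EOF
[ ca ]
default_ca = demo_ca

[ demo_ca ]
dir              = $WORK/ca
database         = \$dir/index.txt
new_certs_dir    = \$dir/newcerts
serial           = \$dir/serial
crlnumber        = \$dir/crlnumber
certificate      = \$dir/ca.crt
private_key      = \$dir/ca.key
default_md       = sha256
default_days     = 365
default_crl_days = 30
policy           = demo_policy
unique_subject   = no    # allow a second cert with the same subject (re-issue)

[ demo_policy ]
commonName = supplied

[ req ]
distinguished_name = req_dn
x509_extensions    = v3_ca
[ req_dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage         = critical, keyCertSign, cRLSign
EOF
    # Self-signed test CA (constructed for the example only).
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj "/CN=Demo EAP-TLS Test CA" \
        -keyout "$WORK/ca/ca.key" -out "$WORK/ca/ca.crt" \
        -config "$WORK/ca/openssl.cnf" >/dev/null 2>&1
}

# issue_cert <user CN> <output basename>: key + CSR on the "user" side, signed by the CA.
issue_cert() {
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$1" \
        -keyout "$WORK/$2.key" -out "$WORK/$2.csr" \
        -config "$WORK/ca/openssl.cnf" >/dev/null 2>&1
    openssl ca -batch -config "$WORK/ca/openssl.cnf" -notext \
        -in "$WORK/$2.csr" -out "$WORK/$2.crt" >/dev/null 2>&1
}

# revoke_cert <basename>: mark the cert revoked in the CA database (reason: key compromise).
revoke_cert() {
    openssl ca -batch -config "$WORK/ca/openssl.cnf" \
        -revoke "$WORK/$1.crt" -crl_reason keyCompromise >/dev/null 2>&1
}

# publish_crl: regenerate the CRL; nothing is blocked until this is done and distributed.
publish_crl() {
    openssl ca -batch -config "$WORK/ca/openssl.cnf" -gencrl \
        -out "$WORK/ca/ca.crl" >/dev/null 2>&1
}

# check_cert <basename>: validate chain AND CRL status, as a TLS server with CRL checking would.
check_cert() {
    if openssl verify -crl_check -CAfile "$WORK/ca/ca.crt" \
        -CRLfile "$WORK/ca/ca.crl" "$WORK/$1.crt" >/dev/null 2>&1; then
        echo accepted
    else
        echo rejected
    fi
}

# demo: full lifecycle; prints "<old before> <old after revoke> <new cert>".
demo() {
    setup_ca
    issue_cert alice alice-old
    publish_crl                          # empty CRL: old cert still valid
    old_before=$(check_cert alice-old)
    revoke_cert alice-old                # stolen key: revoke the old cert
    publish_crl                          # republish so relying parties see it
    issue_cert alice alice-new           # new cert for the same user
    old_after=$(check_cert alice-old)
    new_after=$(check_cert alice-new)
    echo "$old_before $old_after $new_after"
}
```

Running `demo` prints `accepted rejected accepted`: the revoked cert is refused only once the CRL carrying it has been regenerated and is reachable by the verifier, which is why the script republishes the CRL immediately after revoking. On a real deployment the same gencrl output is what the RADIUS server's TLS configuration must be pointed at (FreeRADIUS reads CRLs from its `ca_path` directory when `check_crl` is enabled in the EAP `tls` section), and the CRL must be refreshed before `default_crl_days` elapses or every client is rejected for an expired CRL rather than just the revoked one.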