The "ipa-advise config-client-for-smart-card-auth" script enables OCSP checks in httpd; the RHEL docs say to disable it if the client certificates don't have an OCSP responder URL (third-party CA). [1]
Apache httpd has an undocumented flag "no_ocsp_for_cert_ok" which will pass certificates without OCSP URLs as valid but still perform OCSP server checks for certificates that do have an OCSP URL. [2][3]

[1] https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/managing_smart_card_authentication/configuring-idm-for-smart-card-auth_managing-smart-card-authentication#conf-idm-server-for-smart-card-auth_configuring-idm-for-smart-card-auth
[2] https://bz.apache.org/bugzilla/show_bug.cgi?id=62112
[3] https://svn.apache.org/viewvc/httpd/httpd/tags/2.4.57/modules/ssl/ssl_engine_ocsp.c?view=markup#l142
FreeIPA-users mailing list
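The behaviour described in the post depends on whether a given client certificate carries an OCSP responder URL. As an added example (not part of the original post, FreeIPA or httpd), this script checks that with the openssl CLI; the function names and the `ocsp.example.test` URL are constructed for illustration, and it assumes OpenSSL 1.1.1 or later for `-addext`.

```shell
#!/bin/sh
# Added example (not from the original post). Function names are hypothetical.

# Print the OCSP responder URL(s) in a PEM certificate's AIA extension, if any.
ocsp_uri_of() {
    openssl x509 -in "$1" -noout -ocsp_uri 2>/dev/null
}

# Report which of the two cases from the post a certificate falls into.
classify_cert() {
    # Refuse to classify a file that does not parse as a certificate, so an
    # unreadable file is never mistaken for "no OCSP URL".
    if ! openssl x509 -in "$1" -noout >/dev/null 2>&1; then
        echo "unreadable"
        return 1
    fi
    if [ -n "$(ocsp_uri_of "$1")" ]; then
        echo "has-ocsp-url"
    else
        echo "no-ocsp-url"
    fi
}

# Constructed sample input: a throwaway self-signed certificate.
# $1 = output path, $2 = OCSP URL to embed (empty for none).
make_sample_cert() {
    if [ -n "$2" ]; then
        set -- "$1" -addext "authorityInfoAccess = OCSP;URI:$2"
    else
        set -- "$1"
    fi
    out=$1; shift
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=constructed-sample" -keyout "$out.key" -out "$out" "$@" 2>/dev/null
}

demo() {
    dir=$(mktemp -d)
    make_sample_cert "$dir/with.pem" "http://ocsp.example.test"
    make_sample_cert "$dir/without.pem" ""
    for cert in "$dir/with.pem" "$dir/without.pem"; do
        printf '%s: %s\n' "${cert##*/}" "$(classify_cert "$cert")"
    done
    rm -rf "$dir"
}
demo
```

Running `classify_cert` over exported smart card certificates shows which ones would be passed without an OCSP lookup under the flag described above.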
