Hello Fabian/Others,
We were trying to handle the client certificate expiry using the SIGHUP mechanism that invokes tlsreloadcrls(). Just realized that the designated role for this function is to only reload CAs and CRLs and not client certificates. What was the intention behind this?
I would assume that since the CA certificates are used to sign the client certificates, a re-read / re-cache of just the CA certificates does not make sense, as the client certificates were signed by an earlier version of the CA certificate and we are still working with the cached copies.
Thanks,
Imtiyaz
Hi Imtiyaz,
On 14.12.20, 08:38, "Imtiyaz Mohammad" imtiyaz@arista.com wrote:
> Hello Fabian/Others,
> We were trying to handle the client certificate expiry using the SIGHUP mechanism that invokes tlsreloadcrls(). Just realized that the designated role for this function is to only reload CAs and CRLs and not client certificates. What was the intention behind this?
I think the intention really was just to reload the CRLs, as that’s what changes frequently (and fetching new CRLs must be done externally, as mentioned in the manpage).
Best regards,
Fabian

--
SWITCH
Fabian Mauchle, Network Engineer
Werdstrasse 2, P.O. Box, 8021 Zurich, Switzerland
Phone +41 44 268 15 30, direct +41 44 268 15 39
Thanks for the response Fabian.
On Fri, Dec 18, 2020 at 2:36 PM Fabian Mauchle fabian.mauchle@switch.ch wrote:
> Hi Imtiyaz,
> On 14.12.20, 08:38, "Imtiyaz Mohammad" imtiyaz@arista.com wrote:
> > Hello Fabian/Others,
> > We were trying to handle the client certificate expiry using the SIGHUP mechanism that invokes tlsreloadcrls(). Just realized that the designated role for this function is to only reload CAs and CRLs and not client certificates. What was the intention behind this?
> I think the intention really was just to reload the CRLs, as that’s what changes frequently (and fetching new CRLs must be done externally, as mentioned in the manpage).
> Best regards,
> Fabian
>
> --
> SWITCH
> Fabian Mauchle, Network Engineer
> Werdstrasse 2, P.O. Box, 8021 Zurich, Switzerland
> Phone +41 44 268 15 30, direct +41 44 268 15 39
radsecproxy mailing list -- radsecproxy@lists.nordu.net
To unsubscribe send an email to radsecproxy-leave@lists.nordu.net