8:37 a.m.
Hello Fabian/Others,
We were trying to handle the client certificate expiry using the SIGHUP
mechanism that invokes *tlsreloadcrls*(). Just realized that the designated
role for this function is to only reload CAs and CRLs and not client
certificates. What was the intention behind this ?
I would assume that since the CA certificates are used to sign the client
certificates, A re-read / re-cache of just the CA certificates does not
make sense as the client certificates were signed by an earlier version of
the CA certificate and we are still working with the cached copies.
Thanks
Imtiyaz
10:06 a.m.
Hi Imtiyaz,
On 14.12.20, 08:38, "Imtiyaz Mohammad" <imtiyaz(a)arista.com> wrote:
Hello Fabian/Others,
We were trying to handle the client certificate expiry using the SIGHUP mechanism that
invokes tlsreloadcrls(). Just realized that the designated role for this function is to
only reload
CAs and CRLs and not client certificates. What was the intention behind this ?
I think the intention really was just to reload the CRLs, as that’s what changes
frequently (and fetching new CRLs must be done externally, as mentioned in the manpage).
Best regards,
Fabian
--
SWITCH
Fabian Mauchle, Network Engineer
Werdstrasse 2, P.O. Box, 8021 Zurich, Switzerland
Phone +41 44 268 15 30, direct +41 44 268 15 39
6:15 p.m.
Thanks for the response Fabian.
On Fri, Dec 18, 2020 at 2:36 PM Fabian Mauchle <fabian.mauchle(a)switch.ch>
wrote:
Hi Imtiyaz,
On 14.12.20, 08:38, "Imtiyaz Mohammad" <imtiyaz(a)arista.com> wrote:
Hello Fabian/Others,
We were trying to handle the client certificate expiry using the
SIGHUP mechanism that invokes tlsreloadcrls(). Just realized that the
designated role for this function is to only reload
CAs and CRLs and not client certificates. What was the intention
behind this ?
I think the intention really was just to reload the CRLs, as that’s what
changes frequently (and fetching new CRLs must be done externally, as
mentioned in the manpage).
Best regards,
Fabian
--
SWITCH
Fabian Mauchle, Network Engineer
Werdstrasse 2, P.O. Box, 8021 Zurich, Switzerland
Phone +41 44 268 15 30, direct +41 44 268 15 39
_______________________________________________
radsecproxy mailing list -- radsecproxy(a)lists.nordu.net
To unsubscribe send an email to radsecproxy-leave(a)lists.nordu.net
1489
days inactive
1493
days old
2 comments
2 participants
participants (2)
-
Fabian Mauchle -
Imtiyaz Mohammad