krb5: Clarify documentation for ‘pkinit_revoke’ parameter
If multiple valid CRLs are specified for a particular issuer, only the first will be checked. The documentation didn’t really hint at this.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
committed by Jeffrey Altman
parent 13dbc0a667
commit 1baceedb87
@@ -185,6 +185,7 @@ anchors for PKINIT KDC certificates.
|
|||||||
.It Li pkinit_revoke = Va HX509-STORE ...
|
.It Li pkinit_revoke = Va HX509-STORE ...
|
||||||
This is a multi-valued parameter naming one or more stores of
|
This is a multi-valued parameter naming one or more stores of
|
||||||
CRLs for the issuers of PKINIT KDC certificates.
|
CRLs for the issuers of PKINIT KDC certificates.
|
||||||
|
Only the first valid CRL for a particular issuer will be checked.
|
||||||
If no CRLs are configured, then CRLs will not be checked.
|
If no CRLs are configured, then CRLs will not be checked.
|
||||||
This is because hx509 currently lacks support.
|
This is because hx509 currently lacks support.
|
||||||
.El
|
.El
|
||||||
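Review bot: the added sentence "Only the first valid CRL for a particular issuer will be checked." leaves "first" and "valid" undefined, which is the detail an operator needs to configure this safely. Say what "first" is ordered by (the order the stores are listed in pkinit_revoke, and within a store) and what "valid" means here (parseable, signature verified by the issuer, within its validity period), rather than leaving the reader to guess; without that, an older CRL listed ahead of a newer one for the same issuer can silently mask recent revocations, and the doc should tell the reader to list the freshest CRL per issuer first.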
@@ -905,6 +906,7 @@ type stores are OpenSSL-style CA certificate hash directories.
|
|||||||
.It Li pkinit_revoke = Va HX509-STORE ...
|
.It Li pkinit_revoke = Va HX509-STORE ...
|
||||||
This is a multi-valued parameter naming one or more stores of
|
This is a multi-valued parameter naming one or more stores of
|
||||||
CRLs for the issuers of PKINIT client certificates.
|
CRLs for the issuers of PKINIT client certificates.
|
||||||
|
Only the first valid CRL for a particular issuer will be checked.
|
||||||
If no CRLs are configured, then CRLs will not be checked.
|
If no CRLs are configured, then CRLs will not be checked.
|
||||||
This is because the KDC will not dereference CRL distribution
|
This is because the KDC will not dereference CRL distribution
|
||||||
points nor request OCSP responses.
|
points nor request OCSP responses.
|
||||||
|
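Review bot: in this KDC-side entry the new sentence should be read together with the unchanged context that follows it ("the KDC will not dereference CRL distribution points nor request OCSP responses"): because the KDC never fetches a fresher CRL on its own, the only CRL that is ever consulted for an issuer is the first valid one in the configured stores, so the operator is fully responsible for keeping that entry current. Suggest making that consequence explicit in the text, for example "Only the first valid CRL for a particular issuer will be checked, so ensure the most recent CRL for each issuer is listed first and refreshed before it expires.", and consider whether "valid" here includes an expiry check, since an expired CRL that still counts as "valid" would be the worst case.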