krb5: Clarify documentation for ‘pkinit_revoke’ parameter

If multiple valid CRLs are specified for a particular issuer, only the
first will be checked. The documentation didn’t really hint at this.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
This commit is contained in:
Joseph Sutton
2023-07-05 15:50:32 +12:00
committed by Jeffrey Altman
parent 13dbc0a667
commit 1baceedb87


@@ -185,6 +185,7 @@ anchors for PKINIT KDC certificates.
.It Li pkinit_revoke = Va HX509-STORE ...
This is a multi-valued parameter naming one or more stores of
CRLs for the issuers of PKINIT KDC certificates.
Only the first valid CRL for a particular issuer will be checked.
If no CRLs are configured, then CRLs will not be checked.
This is because hx509 currently lacks support.
.El
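Review bot: the new sentence is inserted between "CRLs for the issuers of PKINIT KDC certificates." and "If no CRLs are configured, then CRLs will not be checked. This is because hx509 currently lacks support.", so the trailing "This is because" can now be read as explaining why only the first CRL is checked rather than why CRLs are not fetched when none are configured. Consider placing "Only the first valid CRL for a particular issuer will be checked." after the hx509 sentence, or tying the explanation explicitly to the no-CRL case. It would also help readers to say what "valid" means here (for instance, a CRL that parses and is signed by that issuer) and whether later stores are consulted when the first matching CRL is unusable, since the multi-valued form of this parameter otherwise suggests all listed stores are used.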
@@ -905,6 +906,7 @@ type stores are OpenSSL-style CA certificate hash directories.
.It Li pkinit_revoke = Va HX509-STORE ...
This is a multi-valued parameter naming one or more stores of
CRLs for the issuers of PKINIT client certificates.
Only the first valid CRL for a particular issuer will be checked.
If no CRLs are configured, then CRLs will not be checked.
This is because the KDC will not dereference CRL distribution
points nor request OCSP responses.
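Review bot: same ordering issue as in the libdefaults section: "Only the first valid CRL for a particular issuer will be checked." now sits directly before "If no CRLs are configured, then CRLs will not be checked. This is because the KDC will not dereference CRL distribution points nor request OCSP responses.", so the "This is because" sentence can be misread as the reason for the first-CRL-only behaviour. Suggest moving the new sentence after the CRL distribution point / OCSP explanation, and keeping its wording identical in both sections so the client and KDC descriptions stay consistent.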