Certificate verification process for external CAs within IdM (DOD CAC/CA-44)

We are implementing IdM on RHEL7.4 clients.
We have users within IdM, and associated certs from DOD G&D FIPS201 SCE3.2 with certs signed by DOD ID CA-44 imported and associated to users.
We are working on getting authentication implemented; however, a usage question in the design has come up that I am unable to find a solid answer on:

(1) Does the OCSP responder need to be in the certificates on the smart-card, and if so, how can one determine if they are on the certificates? Is there an openssl command to run to extract that information?

(2) If the OCSP responder needs to be in the certificates on the smart-card being used for authentication, then can we download the CRL locally cached to check?
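
For the openssl part of question (1), an added example that is not part of the original post: it reads the OCSP responder URL (Authority Information Access) and the CRL distribution points out of a certificate in a PEM file. The sample certificate, its hostnames, the file names and the function names are constructed for illustration; whether IdM requires these fields is not something the example settles.

```shell
#!/bin/sh
# Constructed sample: a throwaway self-signed cert carrying both pointers,
# standing in for a certificate read from the card and saved as PEM.
make_sample_cert() {   # $1 = scratch directory
    cat > "$1/cfg" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3
prompt = no
[dn]
CN = constructed-test-user
[v3]
authorityInfoAccess = OCSP;URI:http://ocsp.example.test
crlDistributionPoints = URI:http://crl.example.test/ca.crl
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -config "$1/cfg" -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null
}

# OCSP responder URL(s) from the AIA extension; prints nothing if absent.
ocsp_uris() {
    openssl x509 -noout -ocsp_uri -in "$1"
}

# CRL distribution point URL(s), parsed from the text dump so it also works
# on older openssl builds. Extension headers sit at 12 spaces of indent;
# anything at that indent or less ends the CRL section.
crl_uris() {
    openssl x509 -noout -text -in "$1" | awk '
        /X509v3 CRL Distribution Points/   { in_dp = 1; next }
        match($0, /[^ ]/) && RSTART <= 13  { in_dp = 0 }
        in_dp && /URI:/                    { sub(/.*URI:/, ""); print }'
}

# Demo on the constructed certificate.
demo_dir=$(mktemp -d)
make_sample_cert "$demo_dir"
echo "OCSP responder: $(ocsp_uris "$demo_dir/cert.pem")"
echo "CRL location:   $(crl_uris "$demo_dir/cert.pem")"
rm -rf "$demo_dir"
```

Empty output from either function means the certificate does not carry that extension.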
