Revoking access when using certificate-based authentication
We are using certificate-based authentication as described in /opt/zimbra/certauth.txt (literally word-for-word configuration as per the doc, apart from company/domain name changes) (also described here: http://wiki.zimbra.com/wiki/Gautam-N...9_certificates).
We create the CA certs, add them to Zimbra's keystore, create the user cert, and sign the user cert with the CA cert. Then we export the .crt to a .p12 cert so it can be imported into browsers.
The question is, how can I invalidate/revoke access for someone using a certificate?
I've tried doing the following:
[root@zimbra certs]# /opt/zimbra/openssl/bin/openssl ca -cert Zimbra-CA.crt -keyfile Zimbra-CA.key -revoke username.crt
Using configuration from /opt/zimbra/openssl-1.0.0e/ssl/openssl.cnf
Revoking Certificate 35.
Data Base Updated
So, it "says" the crt is revoked, but I can still log in via my p12 certificate.
I've even tried extracting the .pem out of the p12 and revoking that (however, it says it's already revoked from the previous command).
Does anyone have any ideas?
EDIT: After some reading, it talks about generating and publishing CRLs, but if the client isn't checking a CRL, how can we force invalidation of their certificate?
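The behaviour described in the post, reproduced as an added example (not part of the original post and not Zimbra's configuration): `openssl ca -revoke` only updates the CA's own database, and the certificate is rejected only once the party verifying it, which for client-certificate login is the server, is given a generated CRL and told to check it. The CA, file names and subjects below are constructed, and the system `openssl` binary is assumed.

```bash
#!/bin/sh
# Added example: throwaway CA and user certificate, constructed in a temp dir.
# File names and subjects are made up; nothing here is Zimbra configuration.
revocation_demo() (
  d=$(mktemp -d) || exit 1
  trap 'rm -rf "$d"' EXIT
  cd "$d" || exit 1
  : > index.txt; echo 01 > serial
  cat > ca.cnf <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
x509_extensions = v3_ca
[ dn ]
CN = placeholder
[ v3_ca ]
basicConstraints = critical,CA:TRUE
[ ca ]
default_ca = demo_ca
[ demo_ca ]
database = index.txt
new_certs_dir = .
serial = serial
default_md = sha256
default_days = 30
default_crl_days = 7
policy = pol
[ pol ]
commonName = supplied
EOF
  ca="openssl ca -batch -config ca.cnf -cert ca.crt -keyfile ca.key"
  {
    openssl req -config ca.cnf -x509 -newkey rsa:2048 -nodes -days 30 \
      -subj "/CN=Demo CA" -keyout ca.key -out ca.crt &&
    openssl req -config ca.cnf -newkey rsa:2048 -nodes \
      -subj "/CN=username" -keyout user.key -out user.csr &&
    $ca -notext -in user.csr -out user.crt &&
    $ca -revoke user.crt &&    # only marks the entry "R" in index.txt
    $ca -gencrl -out ca.crl    # the signed list a verifier can consume
  } >/dev/null 2>&1 || exit 1
  # A verifier that is not given the CRL still accepts the revoked certificate.
  if openssl verify -CAfile ca.crt user.crt >/dev/null 2>&1
  then echo "without_crl=accepted"; else echo "without_crl=rejected"; fi
  # The same verifier, told to check the CRL, rejects it.
  if openssl verify -crl_check -CAfile ca.crt -CRLfile ca.crl user.crt >/dev/null 2>&1
  then echo "with_crl=accepted"; else echo "with_crl=rejected"; fi
)
revocation_demo
```

The CRL has a limited lifetime (`default_crl_days`), so it has to be regenerated and redistributed to the verifier on a schedule as well as after each revocation.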