Client Certificate generation, CRL/OCSP
http://www.tigase.org/content/configuration-sasl-external talks about how to configure Tigase to allow clients to authenticate with certificates. I am looking to set this up but am having trouble with generating client certificates that work for this. Is there a how-to or walkthrough available to generate the proper CA and client certificates so that this works?
Also, two other questions:
How do I force Tigase to require client certificates for XMPP connections?
Will Tigase do CRL or OCSP checking on the client certificates presented?
Added by Dean E over 4 years ago
Good info, thanks.
I have made many certificates and have a test CA already. I tried using this guide http://code.google.com/p/prosody-modules/wiki/mod_client_certs, except signing with my CA rather than self-signing. That didn't work. I was looking for more info on how to set up the XmppAddr attribute of the certificate, as I think that's the part that isn't working.
Also, the Tigase documentation states "Client certificate must include user's Jabber ID as XmppAddr in subjectAltName:". Although the spec says that if there is no JID in the cert, it MAY (if Tigase was written to support it) authenticate using the CN in the certificate if a JID exists that matches the CN:
"c. If the certificate does not contain an XMPP address, then the server MAY attempt to determine if there is a registered account associated with the user, for example by performing an LDAP lookup based on the Common Name or other information presented by the client in the certificate; if such a JID mapping is successful and the mapped JID matches the authorization identity provided, then the server SHOULD allow authentication and authorization of that mapped JID."