Client-Certificate blocking without controlling the issuing CA

Michael Wojcik Michael.Wojcik at microfocus.com
Fri Dec 4 17:32:15 UTC 2020


> From: Vincent Truchsess - rockenstein AG <vt at rockenstein.de>
> Sent: Friday, 4 December, 2020 08:59
>
> That would be the ideal solution. The problem is that the customer's
> security-policy demands dedicated hardware performing IDS/IPS functionality
> at the point of TLS-termination. The devices at hand do not provide the
> functionality to call a user-defined external service for certificate
> validation apart from OCSP.
>
> The future workaround will be a mockup OCSP-responder but that solution will
> need some time for implementation. Our current focus lies on a rather quick
> than perfect solution that buys some time to ship something more solid.

Ah, I see. Thanks for the clarification.

I don't offhand see a quick workaround for your situation. I'm not sure what would happen if you cross-signed all the client certificates with a CA under your control, and then generated a CRL for the ones you want to exclude. Or actually you could just cross-sign only the ones you want to allow, and make your CA the only trust root for the TLS termination systems; that would work. But I'm guessing modifying every client certificate is not a feasible solution for you either.

If it is, cross-signing with a CA under your control and trusting only that CA is probably the approach I'd go for. That's a legitimate approach under PKIX. It could even be mostly automated, except the end users would have to install updated user certificates, which is probably a deal-breaker.

--
Michael Wojcik

