Hello,

i use AAF for SmartCard Authentication.

My user datastore is eDirectory. There i use internal eDirectory CA and user certificates.

I was able to put my eDirectory user certificates on my smartcard. In the pki method i uploaded my eDirectory CA public key.

I created a authentication chain with smartcard and ldap password.

When the user tries to enroll the smartcard method on the AAF enrollment website, the AAF enrollment website recognizes the smartcard reader with smartcard and shows all the certificates with are stored on the smartcard.

The issuer of the smartcard user certificates is known, because it is uploaded in the pki method.

The problem i have now is, that AAF wants to check if the choosen user certificate is still valid. Which is okay and reasonable. But AAF cannot perform this task and ends up with an error, that it cannot check validity of the certificate.

From the AAF documentation it looks like, AAF checks validity of certificates via OCSP, because the issued certificates should have an AIA record.
My eDirectory CA only has a CRL to check if a certificat is valid or revoked. This CRL path is inside the certificates extensions. (both HTTP Path and LDAP Path).

Am i right that AAF uses OCSP and not CRL to check validity of certificates?

Does somebody uses AAF + SmartCard + eDirectory CA and knows a workaround ?


Regards,