Re: Problem with revoked certificates.


 



Issac wrote:


> domi wrote:
>> All the steps in OpenSSL and Apache work as far as I can say. Now follow
>> some steps to access my site.
>> step 1: start the Apache with /etc/init.d/apache2 startssl
>> The certificate in the Apache ssl-global.conf is NOT revoked.
>>
>> step 2: start Firefox 2.0.1 and call the site https://192.168.0.2
>> Of course you must trust the certificate.
>>   
> I'm not a Firefox expert, but it stands to reason that if you manually 
> trust the cert at this point, it'll continue to be "trusted" even if 
> it's revoked later. 
> 
> What you really want to do is browse to your root cert, import that 
> (which will grant implicit trust to "testcert") and then try importing 
> the CRL and see if you get any notices.
> 
>   Issac
> 
> 

Hey Issac,

both thumbs up for you. After reading your post I built a new CA, created a
new certificate, revoked it and created the CRL. Then I imported the
certificate of the CA and afterwards the CRL.

After a new start of Apache and Firefox I made my first try to access the
new site with the new (revoked) certificate and indeed Firefox told me that
the certificate was revoked. =) That is great and perhaps I’ll jump around
enjoying myself for a few minutes.

But that leads me to another problem. Back to my old scenario: Why does the
trust remain forever although the certificate was revoked? I would expect
that it is possible to trust a certificate and to alter my opinion when it
gets revoked …

Am I wrong? Have you, or anybody else out there, got an answer to this
question?

best regards domi
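
The test sequence described in this message (new CA, new certificate, revocation, CRL), reproduced with the openssl command line as an added example that is not part of the original post. File names, subject names and the config are constructed for the lab; it also shows that a revoked certificate only fails verification when the verifier consults a current CRL.

```sh
#!/bin/sh
# Constructed lab: throwaway CA, one certificate ("testcert"), revocation, CRL, verify.
set -e
LAB=$(mktemp -d); cd "$LAB"
: > index.txt; echo 01 > serial; mkdir newcerts
cat > ca.cnf <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
[ dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
[ ca ]
default_ca = lab_ca
[ lab_ca ]
database = index.txt
new_certs_dir = newcerts
serial = serial
certificate = ca.pem
private_key = ca.key
default_md = sha256
default_days = 30
default_crl_days = 7
policy = any
[ any ]
commonName = supplied
EOF
openssl req -x509 -newkey rsa:2048 -nodes -config ca.cnf -subj "/CN=Lab Root CA" -days 30 -keyout ca.key -out ca.pem 2>/dev/null
openssl req -new -newkey rsa:2048 -nodes -config ca.cnf -subj "/CN=testcert" -keyout srv.key -out srv.csr 2>/dev/null
openssl ca -batch -config ca.cnf -in srv.csr -out srv.pem 2>/dev/null

# Prints ok, revoked or error. $1 = crl consults crl.pem; any other value skips revocation checking.
verify_cert() {
  opts=""
  if [ "$1" = crl ]; then opts="-crl_check -CRLfile crl.pem"; fi
  out=$(openssl verify -CAfile ca.pem $opts srv.pem 2>&1) || true
  case $out in
    *"certificate revoked"*) echo revoked ;;
    *": OK"*) echo ok ;;
    *) echo error ;;
  esac
}

openssl ca -config ca.cnf -gencrl -out crl.pem 2>/dev/null   # CRL issued before the revocation
BEFORE=$(verify_cert crl)
openssl ca -config ca.cnf -revoke srv.pem 2>/dev/null        # CA database now marks testcert revoked
STALE=$(verify_cert crl)                                     # verifier still holds the old CRL
openssl ca -config ca.cnf -gencrl -out crl.pem 2>/dev/null   # fresh CRL lists the serial
echo "before=$BEFORE stale_crl=$STALE fresh_crl=$(verify_cert crl) no_crl_check=$(verify_cert nocrl)"
```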