Re: Problem with revoked certificates.

domi wrote:
Issac wrote:


domi wrote:
All the steps in OpenSSL and Apache work as far as I can say. Now follow
some steps to access my site.
step 1: start the Apache with /etc/init.d/apache2 startssl
The certificate in the Apache ssl-global.conf is NOT revoked.

step 2: start Firefox 2.0.1 and call the site https://192.168.0.2
Of course you must trust the certificate.
I'm not a Firefox expert, but it stands to reason that if you manually trust the cert at this point, it'll continue to be "trusted" even if it's revoked later. What you really want to do is browse to your root cert, import that (which will grant implicit trust to "testcert") and then try importing the CRL and see if you get any notices.

  Issac



Hey Issac,

both thumbs up for you. After reading your post I built a new CA, created a
new certificate, revoked it and created the CRL. Then I imported the
certificate of the CA and afterwards the CRL.

After a new start of Apache and Firefox I made my first try to access the
new site with the new (revoked) certificate and indeed Firefox told me that
the certificate was revoked. =) That is great and perhaps I’ll jump around
enjoying myself for a few minutes.

But that leads me to another problem. Back to my old scenario: Why does the
trust remain forever although the certificate was revoked? I would expect
that it is possible to trust a certificate and to alter my opinion when it
gets revoked …

Am I wrong? Have you, or anybody else out there, got an answer to this
question?

Domi,
I'm happy it helped. You can change your opinion any time you like; just access Firefox's certificate store and you can view the certificates you've chosen to trust, and the revocation lists. If you don't want to continue trusting a cert, based on what you see in the CRL, or for any other reason, take it out of the trusted certificates list.

By "trusting" the cert in the browser in the first place, you're essentially telling the browser to ignore normal rules and depend on you (as the human user) to determine the certificate's validity and authenticity. As the browser has no way of knowing why you know the certificate is safe in the first place, it makes no assumptions for you as to when to stop trusting it.
 Issac

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.