Re: Certificates Revocation Lists and Apache...

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]



On Wed, 4 Nov 2009, John Doe wrote:

> already asked in the openssl mailing list, but just in case you already went through this...
> I need a little help with Certificate Revocation Lists.
> I did setup client certificates filtering with apache and it seem to work fine so far (used a tutorial on http://www.adone.info/?p=4, down right now).
> I have a "CA" that is signing a "CA SSL".
> Then, the "CA SSL" is signing the clients certificates.
>
> Now, I am testing Certificate Revocation Lists, but apache keeps 
> saying: "Invalid signature on CRL"
>
> I used:
>  $ openssl ca -config openssl.conf -name CA_ssl_default -revoke cassl/$CLIENTNAME.pem
>  [....]
>  $ openssl ca -config openssl.conf -name CA_ssl_default -gencrl -out cassl/crl.pem -crldays 365

So far so good.

> When I try to connect with a revoked (or unrevoked) certificate, I get:
>  [debug] ssl_engine_kernel.c(1199): Certificate Verification: depth: 2, subject: /C=AA/ST=BB/L=CC/O=DD/CN=myhost.mydomain, issuer: /C=AA/ST=BB/L=CC/O=DD/CN=myhost.mydomain
>  [debug] ssl_engine_kernel.c(1391): CA CRL: Issuer: C=AA, ST=BB, L=CC, O=DD, CN=myhost.mydomain, lastUpdate: Nov  4 14:39:36 2009 GMT, nextUpdate: Nov  4 14:39:36 2010 GMT
>  [warn] Invalid signature on CRL
>  [error] Certificate Verification: Error (8): CRL signature failure

Does your "CA SSL" certificate have its CRL signing bit set?

   openssl x509 -noout -purpose -in yourcert.pem | grep CRL

Also, there's an Apache bug that fouls things up if the "CA" and "CA 
SSL" root certificates both have the same CN:

   https://issues.apache.org/bugzilla/show_bug.cgi?id=45708

> How can I check if the crl.pem file is ok?
>  $ openssl crl -in cassl/crl.pem -text
>  [...]

This is the best way, and it looks as if things are OK.

> I also tried all sorts of verify combos, but all fail:
>  $ openssl verify -verbose -config openssl.conf -purpose crlsign -crl_check cassl/crl.pem

The 'verify' option is only good for certifcates, not CRLs. It's also 
worth noting that the 'verify' option doesn't do any CRL checking. 
Grep for 'CRL' in the DIAGNOSTICS section of the verify(1) man page 
and you'll see a lot of 'unused' notes.

-- 
Paul Heinlein <> heinlein@xxxxxxxxxx <> http://www.madboa.com/
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos

[Index of Archives]     [CentOS]     [CentOS Announce]     [CentOS Development]     [CentOS ARM Devel]     [CentOS Docs]     [CentOS Virtualization]     [Carrier Grade Linux]     [Linux Media]     [Asterisk]     [DCCP]     [Netdev]     [Xorg]     [Linux USB]
  Powered by Linux