[CentOS] Certificates Revocation Lists and Apache...

Paul Heinlein heinlein at madboa.com
Wed Nov 4 17:51:44 UTC 2009


On Wed, 4 Nov 2009, John Doe wrote:

> already asked in the openssl mailing list, but just in case you already went through this...
> I need a little help with Certificate Revocation Lists.
> I did set up client certificate filtering with apache and it seems to work fine so far (used a tutorial on http://www.adone.info/?p=4, down right now).
> I have a "CA" that is signing a "CA SSL".
> Then, the "CA SSL" is signing the clients certificates.
>
> Now, I am testing Certificate Revocation Lists, but apache keeps 
> saying: "Invalid signature on CRL"
>
> I used:
>  $ openssl ca -config openssl.conf -name CA_ssl_default -revoke cassl/$CLIENTNAME.pem
>  [....]
>  $ openssl ca -config openssl.conf -name CA_ssl_default -gencrl -out cassl/crl.pem -crldays 365

So far so good.

> When I try to connect with a revoked (or unrevoked) certificate, I get:
>  [debug] ssl_engine_kernel.c(1199): Certificate Verification: depth: 2, subject: /C=AA/ST=BB/L=CC/O=DD/CN=myhost.mydomain, issuer: /C=AA/ST=BB/L=CC/O=DD/CN=myhost.mydomain
>  [debug] ssl_engine_kernel.c(1391): CA CRL: Issuer: C=AA, ST=BB, L=CC, O=DD, CN=myhost.mydomain, lastUpdate: Nov  4 14:39:36 2009 GMT, nextUpdate: Nov  4 14:39:36 2010 GMT
>  [warn] Invalid signature on CRL
>  [error] Certificate Verification: Error (8): CRL signature failure

Does your "CA SSL" certificate have its CRL signing bit set?

   openssl x509 -noout -purpose -in yourcert.pem | grep CRL

Also, there's an Apache bug that fouls things up if the "CA" and "CA 
SSL" root certificates both have the same CN:

   https://issues.apache.org/bugzilla/show_bug.cgi?id=45708

> How can I check if the crl.pem file is ok?
>  $ openssl crl -in cassl/crl.pem -text
>  [...]

This is the best way, and it looks as if things are OK.

> I also tried all sorts of verify combos, but all fail:
>  $ openssl verify -verbose -config openssl.conf -purpose crlsign -crl_check cassl/crl.pem

The 'verify' option is only good for certificates, not CRLs. It's also 
worth noting that the 'verify' option doesn't do any CRL checking. 
Grep for 'CRL' in the DIAGNOSTICS section of the verify(1) man page 
and you'll see a lot of 'unused' notes.

-- 
Paul Heinlein <> heinlein at madboa.com <> http://www.madboa.com/
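As an added example (not part of the thread), the script below builds a throwaway root CA and "CA SSL" sub-CA that share a CN, as in the poster's debug log, revokes a client certificate, issues the CRL from the sub-CA, and then runs the two checks from the reply: whether a certificate carries the CRL signing purpose, and whose key actually verifies the CRL signature. It assumes only the openssl command line tool; every file name and CN is constructed.

```shell
#!/bin/sh
# Added example, not code from the thread: a throwaway root CA and a "CA SSL"
# sub-CA that share a CN (as in the poster's debug log), a revoked client cert
# and a CRL issued by the sub-CA, then the two checks from the reply: may the
# issuer sign CRLs, and whose key verifies the CRL. Names/paths are constructed.
set -eu
W=${W:-$(mktemp -d)}

# Self-signed root CA: $1 = file prefix, $2 = CN
mk_root() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$2" \
        -keyout "$W/$1.key" -out "$W/$1.pem" 2>/dev/null
}
# Certificate $1 for CN $2, signed by CA $3, with extension text $4
mk_signed() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$W/$1.key" -out "$W/$1.csr" 2>/dev/null
    printf '%b\n' "$4" > "$W/$1.ext"
    openssl x509 -req -days 30 -in "$W/$1.csr" -CA "$W/$3.pem" -CAkey "$W/$3.key" \
        -CAcreateserial -extfile "$W/$1.ext" -out "$W/$1.pem" 2>/dev/null
}
# Revoke cert $2 and issue a CRL from CA $1 with a minimal 'openssl ca' config
mk_crl() {
    : > "$W/index.txt"; echo 01 > "$W/crlnumber"
    printf '[ca]\ndefault_ca=s\n[s]\ndatabase=%s/index.txt\ncrlnumber=%s/crlnumber\ncertificate=%s/%s.pem\nprivate_key=%s/%s.key\ndefault_md=sha256\n' \
        "$W" "$W" "$W" "$1" "$W" "$1" > "$W/ca.cnf"
    openssl ca -config "$W/ca.cnf" -revoke "$W/$2.pem" 2>/dev/null
    openssl ca -config "$W/ca.cnf" -gencrl -crldays 30 -out "$W/crl.pem" 2>/dev/null
}
# Check 1 from the reply: does certificate $1 carry the CRL signing purpose?
crl_sign_allowed() {
    if openssl x509 -noout -purpose -in "$W/$1.pem" | grep -q '^CRL signing : Yes'
    then echo yes; else echo no; fi
}
# Check 2: does the CRL signature verify with the key of certificate $1? 'openssl crl'
# picks the key by matching the CRL issuer name, so a root sharing the sub-CA's CN is
# selected but its key does not verify the signature.
crl_signed_by() {
    if openssl crl -noout -verify -in "$W/crl.pem" -CAfile "$W/$1.pem" 2>&1 | grep -q 'verify OK'
    then echo yes; else echo no; fi
}

mk_root root "myhost.mydomain"
mk_signed subca "myhost.mydomain" root 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign'
mk_signed nocrl "nocrl.mydomain" root 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign'
mk_signed client "client.mydomain" subca 'basicConstraints=CA:FALSE'
mk_crl subca client
for ca in subca nocrl root; do
    echo "$ca: may sign CRLs=$(crl_sign_allowed "$ca") CRL verifies with its key=$(crl_signed_by "$ca")"
done
```

Run against the real files by pointing the two check functions at the "CA SSL" certificate, the root certificate and the generated crl.pem: the sub-CA should answer yes to both, and the root should answer no to the second.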
