[CentOS] Certificates Revocation Lists and Apache...
heinlein at madboa.com
Wed Nov 4 17:51:44 UTC 2009
On Wed, 4 Nov 2009, John Doe wrote:
> already asked in the openssl mailing list, but just in case you already went through this...
> I need a little help with Certificate Revocation Lists.
> I did setup client certificates filtering with apache and it seems to work fine so far (used a tutorial on http://www.adone.info/?p=4, down right now).
> I have a "CA" that is signing a "CA SSL".
> Then, the "CA SSL" is signing the clients certificates.
> Now, I am testing Certificate Revocation Lists, but apache keeps
> saying: "Invalid signature on CRL"
> I used:
> $ openssl ca -config openssl.conf -name CA_ssl_default -revoke cassl/$CLIENTNAME.pem
> $ openssl ca -config openssl.conf -name CA_ssl_default -gencrl -out cassl/crl.pem -crldays 365
So far so good.
> When I try to connect with a revoked (or unrevoked) certificate, I get:
> [debug] ssl_engine_kernel.c(1199): Certificate Verification: depth: 2, subject: /C=AA/ST=BB/L=CC/O=DD/CN=myhost.mydomain, issuer: /C=AA/ST=BB/L=CC/O=DD/CN=myhost.mydomain
> [debug] ssl_engine_kernel.c(1391): CA CRL: Issuer: C=AA, ST=BB, L=CC, O=DD, CN=myhost.mydomain, lastUpdate: Nov 4 14:39:36 2009 GMT, nextUpdate: Nov 4 14:39:36 2010 GMT
> [warn] Invalid signature on CRL
> [error] Certificate Verification: Error (8): CRL signature failure
Does your "CA SSL" certificate have its CRL signing bit set?
openssl x509 -noout -purpose -in yourcert.pem | grep CRL
Also, there's an Apache bug that fouls things up if the "CA" and "CA SSL" root certificates both have the same CN:
> How can I check if the crl.pem file is ok?
> $ openssl crl -in cassl/crl.pem -text
This is the best way, and it looks as if things are OK.
> I also tried all sorts of verify combos, but all fail:
> $ openssl verify -verbose -config openssl.conf -purpose crlsign -crl_check cassl/crl.pem
The 'verify' option is only good for certificates, not CRLs. It's also worth noting that the 'verify' option doesn't do any CRL checking. Grep for 'CRL' in the DIAGNOSTICS section of the verify(1) man page and you'll see a lot of 'unused' notes.
Paul Heinlein <> heinlein at madboa.com <> http://www.madboa.com/
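The checks discussed above, as an added example that is not code from the thread, from Apache or from OpenSSL: it builds a scratch two-tier PKI in temporary directories with made-up subject names ("Example Root CA", "Example SSL CA", "client1") and file names, once with the cRLSign bit on the intermediate and once without, and assumes an OpenSSL 1.1.1-or-later command line is installed.

```shell
#!/bin/sh
# Added example, not code from the thread: build a throwaway root -> "CA SSL" -> client
# chain, revoke the client, issue a CRL from the intermediate and run the checks above.
# Every subject, file name and scratch path here is made up for the demonstration.
set -e

# $1 = scratch dir, $2 = keyUsage for the intermediate ("CA SSL"), e.g. keyCertSign,cRLSign
build_pki() (
  cd "$1"
  # self-signed root that may sign both certificates and CRLs
  openssl req -new -newkey rsa:2048 -nodes -subj '/CN=Example Root CA' -keyout root.key -out root.csr 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > root.ext
  openssl x509 -req -in root.csr -signkey root.key -days 30 -extfile root.ext -out root.pem 2>/dev/null
  # intermediate signed by the root; $2 decides whether it carries the cRLSign bit
  openssl req -new -newkey rsa:2048 -nodes -subj '/CN=Example SSL CA' -keyout sub.key -out sub.csr 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,%s\n' "$2" > sub.ext
  openssl x509 -req -in sub.csr -CA root.pem -CAkey root.key -CAcreateserial -days 30 -extfile sub.ext -out sub.pem 2>/dev/null
  # client certificate signed by the intermediate
  openssl req -new -newkey rsa:2048 -nodes -subj '/CN=client1' -keyout client.key -out client.csr 2>/dev/null
  openssl x509 -req -in client.csr -CA sub.pem -CAkey sub.key -CAcreateserial -days 30 -out client.pem 2>/dev/null
  # minimal 'openssl ca' config: only what -revoke and -gencrl need
  printf '[ca]\ndefault_ca=sub\n[sub]\ndatabase=index.txt\nserial=serial\nnew_certs_dir=.\n' > ca.cnf
  printf 'certificate=sub.pem\nprivate_key=sub.key\ndefault_md=sha256\npolicy=p\n[p]\n' >> ca.cnf
  : > index.txt; echo 01 > serial
  openssl ca -config ca.cnf -revoke client.pem >/dev/null 2>&1
  openssl ca -config ca.cnf -gencrl -crldays 30 -out crl.pem >/dev/null 2>&1
  cat root.pem sub.pem > chain.pem
)

# Paul's check: does the CRL issuer's certificate allow CRL signing?
crl_sign_bit_set() {  # $1 = certificate
  openssl x509 -noout -purpose -in "$1" | grep -q '^CRL signing : Yes'
}

# Is the CRL's signature good against the issuer found in the chain?  Inspect the text
# rather than the exit status: older releases of 'openssl crl' exit 0 on "verify failure".
crl_signature_ok() {  # $1 = CRL, $2 = chain
  openssl crl -noout -in "$1" -CAfile "$2" -verify 2>&1 | grep -q 'verify OK'
}

# What mod_ssl effectively does with a client certificate: build the chain, then
# consult the CRL.  Echoes openssl's diagnostics so the caller can inspect them.
client_verify() {  # $1 = pki dir
  openssl verify -crl_check -CAfile "$1/chain.pem" -CRLfile "$1/crl.pem" "$1/client.pem" 2>&1 || true
}

GOOD=$(mktemp -d); build_pki "$GOOD" 'keyCertSign,cRLSign'
BAD=$(mktemp -d);  build_pki "$BAD"  'keyCertSign'   # intermediate lacks cRLSign
client_verify "$GOOD"   # reports: certificate revoked
client_verify "$BAD"    # reports: key usage does not include CRL signing
```

The second PKI shows the failure mode Paul is hinting at: the CRL is correctly signed, but because its issuer lacks the cRLSign key usage the chain verifier rejects it before ever looking up the client's serial.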