From: Paul Heinlein <heinlein@madboa.com>
When I try to connect with a revoked (or unrevoked) certificate, I get:

[debug] ssl_engine_kernel.c(1199): Certificate Verification: depth: 2, subject: /C=AA/ST=BB/L=CC/O=DD/CN=myhost.mydomain, issuer: /C=AA/ST=BB/L=CC/O=DD/CN=myhost.mydomain
[debug] ssl_engine_kernel.c(1391): CA CRL: Issuer: C=AA, ST=BB, L=CC, O=DD, CN=myhost.mydomain, lastUpdate: Nov 4 14:39:36 2009 GMT, nextUpdate: Nov 4 14:39:36 2010 GMT
[warn] Invalid signature on CRL
[error] Certificate Verification: Error (8): CRL signature failure
Does your "CA SSL" certificate have its CRL signing bit set?

    openssl x509 -noout -purpose -in yourcert.pem | grep CRL
$ openssl x509 -noout -purpose -in cassl/cassl.pem | grep CRL
CRL signing : Yes
CRL signing CA : Yes
Also:

$ openssl crl -in cassl/crl.pem -CAfile cassl/cassl.pem
verify OK
-----BEGIN X509 CRL-----
MII...
...
...VQ=
-----END X509 CRL-----
Also, there's an Apache bug that fouls things up if the "CA" and "CA SSL" root certificates both have the same CN: https://issues.apache.org/bugzilla/show_bug.cgi?id=45708
Hum.. that might be the case... They must all use 'myhost.mydomain' as CN... Do you know how to specify different CNs in a common openssl.conf file? Here's my openssl.conf:
[ ca ]
default_ca = CA_default

[ CA_default ]
dir = /etc/certs
certs = $dir/ca/certs
new_certs_dir = $dir/ca/newcerts
database = $dir/ca/index
certificate = $dir/ca/ca.pem
serial = $dir/ca/serial
private_key = $dir/ca/private/ca.key
default_days = 3652
default_md = sha1
preserve = no
policy = policy_match

[ CA_ssl_default ]
dir = /root/Certifs
certs = $dir/cassl/certs
new_certs_dir = $dir/cassl/newcerts
database = $dir/cassl/index
certificate = $dir/cassl/cassl.pem
serial = $dir/cassl/serial
private_key = $dir/cassl/private/cassl.key
default_days = 3652
default_md = sha1
preserve = no
policy = policy_match

[ policy_match ]
countryName = match
stateOrProvinceName = match
localityName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

[ req ]
distinguished_name = req_distinguished_name

[ req_distinguished_name ]
countryName = Country
countryName_default = AA
stateOrProvinceName = State
stateOrProvinceName_default = BB
localityName = Locality
localityName_default = CC
organizationName = Organization
organizationName_default = DD
commonName = CN
commonName_default = myhost.mydomain
commonName_max = 64
emailAddress = Email Address
emailAddress_max = 40

[CA_ROOT]
nsComment = "CA Root"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
basicConstraints = critical,CA:TRUE,pathlen:1
keyUsage = keyCertSign, cRLSign

[CA_SSL]
nsComment = "CA SSL"
basicConstraints = critical,CA:TRUE,pathlen:0
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
issuerAltName = issuer:copy
keyUsage = keyCertSign, cRLSign
nsCertType = sslCA

[SERVER_RSA_SSL]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
issuerAltName = issuer:copy
subjectAltName = DNS:myhost.mydomain
basicConstraints = critical,CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment
nsCertType = server
extendedKeyUsage = serverAuth

[CLIENT_RSA_SSL]
nsComment = "Client SSL Certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
issuerAltName = issuer:copy
subjectAltName = critical,email:copy,email:info@mydomain
basicConstraints = critical,CA:FALSE
keyUsage = digitalSignature, nonRepudiation
nsCertType = client
extendedKeyUsage = clientAuth
Thx, JD
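Added example, not from the thread and not Paul's or JD's code: the script below builds the same layout as the openssl.conf above (a root CA and a "CA SSL" sub-CA, each its own [ca] profile picked with "openssl ca -name", sharing one [ policy_match ]), but gives every certificate its own CN by passing the whole subject on the command line with "openssl req -subj", which overrides commonName_default from the config file. (The other common way to vary the CN from one config is "commonName_default = $ENV::CN" in [ req_distinguished_name ] and exporting CN before each openssl call.) It then issues a server certificate under the sub-CA, generates the sub-CA CRL, runs the two checks Paul suggested (the -purpose grep and "openssl crl -CAfile ... -verify"), and asks "openssl verify -crl_check" about the server certificate before and after revoking it. It needs an openssl binary on PATH (1.1.1 or 3.x); the scratch directory layout, the CNs "CA Root" and "CA SSL", sha256 instead of sha1, and the function names are my assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): root CA + "CA SSL" sub-CA with DIFFERENT CNs, a server
# cert under the sub-CA, then revoke it and re-run the checks discussed above. Needs openssl.
set -eu
# Minimal openssl.cnf shaped like JD's: one [ca] profile per CA, chosen with "openssl ca -name".
# No CN is hard-wired here; every subject comes from "openssl req -subj" (assumed layout).
write_config() {
  cat > openssl.cnf <<'EOF'
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = ./ca
new_certs_dir = $dir/newcerts
database = $dir/index
serial = $dir/serial
certificate = $dir/ca.pem
private_key = $dir/ca.key
default_days = 3652
default_md = sha256
policy = policy_match
[ CA_ssl_default ]
dir = ./cassl
new_certs_dir = $dir/newcerts
database = $dir/index
serial = $dir/serial
certificate = $dir/cassl.pem
private_key = $dir/cassl.key
default_days = 3652
default_crl_days = 365
default_md = sha256
policy = policy_match
[ policy_match ]
countryName = match
stateOrProvinceName = match
localityName = match
organizationName = match
commonName = supplied
[ req ]
distinguished_name = req_dn
[ req_dn ]
commonName = Common Name
[ CA_ROOT ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
basicConstraints = critical,CA:TRUE,pathlen:1
keyUsage = critical,keyCertSign,cRLSign
[ CA_SSL ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
basicConstraints = critical,CA:TRUE,pathlen:0
keyUsage = critical,keyCertSign,cRLSign
[ SERVER_RSA_SSL ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
basicConstraints = critical,CA:FALSE
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:myhost.mydomain
EOF
}
# Regenerate the sub-CA CRL, run the two checks from the thread (CRL-signing purpose,
# CRL signature), then ask "openssl verify -crl_check" about server.pem.
crl_verdict() {
  openssl ca -config openssl.cnf -name CA_ssl_default -gencrl -out cassl/crl.pem 2>/dev/null
  openssl x509 -noout -purpose -in cassl/cassl.pem | grep -q '^CRL signing : Yes' || { echo NOCRLSIGN; return; }
  openssl crl -noout -verify -in cassl/crl.pem -CAfile cassl/cassl.pem >/dev/null 2>&1 || { echo BADSIG; return; }
  out=$(openssl verify -crl_check -CAfile ca/ca.pem -untrusted cassl/cassl.pem \
          -CRLfile cassl/crl.pem server.pem 2>&1 || true)
  case "$out" in
    *'certificate revoked'*) echo REVOKED ;;
    *': OK'*) echo OK ;;
    *) echo ERROR ;;
  esac
}
# Build the PKI in a scratch dir (subshell, so the caller's cwd survives); print both verdicts.
demo_crl_lifecycle() (
  cd "$(mktemp -d)"
  write_config
  for d in ca cassl; do mkdir -p "$d/newcerts"; : > "$d/index"; echo 1000 > "$d/serial"; done
  subj='/C=AA/ST=BB/L=CC/O=DD'   # policy_match: these must equal the issuing CA's
  openssl req -x509 -new -newkey rsa:2048 -nodes -days 3652 -config openssl.cnf \
    -extensions CA_ROOT -subj "$subj/CN=CA Root" -keyout ca/ca.key -out ca/ca.pem 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -config openssl.cnf \
    -subj "$subj/CN=CA SSL" -keyout cassl/cassl.key -out cassl.csr 2>/dev/null
  openssl ca -batch -notext -config openssl.cnf -name CA_default -extensions CA_SSL \
    -in cassl.csr -out cassl/cassl.pem 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -config openssl.cnf \
    -subj "$subj/CN=myhost.mydomain" -keyout server.key -out server.csr 2>/dev/null
  openssl ca -batch -notext -config openssl.cnf -name CA_ssl_default \
    -extensions SERVER_RSA_SSL -in server.csr -out server.pem 2>/dev/null
  # Bug 45708 needs identical root and sub-CA subjects; bail out if they came out equal.
  [ "$(openssl x509 -noout -subject -in ca/ca.pem)" != \
    "$(openssl x509 -noout -subject -in cassl/cassl.pem)" ] || { echo SAMEDN; exit 1; }
  before=$(crl_verdict)
  openssl ca -config openssl.cnf -name CA_ssl_default -revoke server.pem 2>/dev/null
  after=$(crl_verdict)
  echo "before=$before after=$after"
)
```

Running demo_crl_lifecycle prints "before=OK after=REVOKED". If the sub-CA certificate lacked cRLSign, crl_verdict would stop at NOCRLSIGN; if the CRL were not signed by the key of the certificate named in its issuer field (the situation mod_ssl logs as "CRL signature failure"), the "openssl crl -verify" step would stop at BADSIG. Note that "openssl verify -crl_check" only checks the leaf certificate against its issuer's CRL; use -crl_check_all if you also want the sub-CA checked against the root's CRL.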