[CentOS] Certificates Revocation Lists and Apache...
John Doe
jdmls at yahoo.com
Thu Nov 5 13:31:45 UTC 2009
From: Paul Heinlein <heinlein at madboa.com>
> > When I try to connect with a revoked (or unrevoked) certificate, I get:
> > [debug] ssl_engine_kernel.c(1199): Certificate Verification: depth: 2,
> > subject: /C=AA/ST=BB/L=CC/O=DD/CN=myhost.mydomain, issuer:
> > /C=AA/ST=BB/L=CC/O=DD/CN=myhost.mydomain
> > [debug] ssl_engine_kernel.c(1391): CA CRL: Issuer: C=AA, ST=BB, L=CC, O=DD,
> > CN=myhost.mydomain, lastUpdate: Nov 4 14:39:36 2009 GMT, nextUpdate: Nov 4
> > 14:39:36 2010 GMT
> > [warn] Invalid signature on CRL
> > [error] Certificate Verification: Error (8): CRL signature failure
> Does your "CA SSL" certificate have its CRL signing bit set?
> openssl x509 -noout -purpose -in yourcert.pem | grep CRL
$ openssl x509 -noout -purpose -in cassl/cassl.pem | grep CRL
CRL signing : Yes
CRL signing CA : Yes
Also:
$ openssl crl -in cassl/crl.pem -CAfile cassl/cassl.pem
verify OK
-----BEGIN X509 CRL-----
MII...
...
...VQ=
-----END X509 CRL-----
> Also, there's an Apache bug that fouls things up if the "CA" and "CA
> SSL" root certificates both have the same CN:
> https://issues.apache.org/bugzilla/show_bug.cgi?id=45708
Hum.. that might be the case...
They must all use 'myhost.mydomain' as CN...
Do you know how to specify different CNs in a common openssl.conf file?
Here's my openssl.conf:
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = /etc/certs
certs = $dir/ca/certs
new_certs_dir = $dir/ca/newcerts
database = $dir/ca/index
certificate = $dir/ca/ca.pem
serial = $dir/ca/serial
private_key = $dir/ca/private/ca.key
default_days = 3652
default_md = sha1
preserve = no
policy = policy_match
[ CA_ssl_default ]
dir = /root/Certifs
certs = $dir/cassl/certs
new_certs_dir = $dir/cassl/newcerts
database = $dir/cassl/index
certificate = $dir/cassl/cassl.pem
serial = $dir/cassl/serial
private_key = $dir/cassl/private/cassl.key
default_days = 3652
default_md = sha1
preserve = no
policy = policy_match
[ policy_match ]
countryName = match
stateOrProvinceName = match
localityName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ req ]
distinguished_name = req_distinguished_name
[ req_distinguished_name ]
countryName = Country
countryName_default = AA
stateOrProvinceName = State
stateOrProvinceName_default = BB
localityName = Locality
localityName_default = CC
organizationName = Organization
organizationName_default = DD
commonName = CN
commonName_default = myhost.mydomain
commonName_max = 64
emailAddress = Email Address
emailAddress_max = 40
[CA_ROOT]
nsComment = "CA Root"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
basicConstraints = critical,CA:TRUE,pathlen:1
keyUsage = keyCertSign, cRLSign
[CA_SSL]
nsComment = "CA SSL"
basicConstraints = critical,CA:TRUE,pathlen:0
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
issuerAltName = issuer:copy
keyUsage = keyCertSign, cRLSign
nsCertType = sslCA
[SERVER_RSA_SSL]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
issuerAltName = issuer:copy
subjectAltName = DNS:myhost.mydomain
basicConstraints = critical,CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment
nsCertType = server
extendedKeyUsage = serverAuth
[CLIENT_RSA_SSL]
nsComment = "Certificat Client SSL"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
issuerAltName = issuer:copy
subjectAltName = critical,email:copy,email:info@mydomain
basicConstraints = critical,CA:FALSE
keyUsage = digitalSignature, nonRepudiation
nsCertType = client
extendedKeyUsage = clientAuth
Thx,
JD
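Added example, not code from this thread or from either poster: a POSIX shell script that answers the two practical points above in working form. It builds a two-tier CA (a root "CA" and a "CA SSL" sub-CA) from one openssl.cnf while giving the root, the sub-CA and the leaf different CNs by passing -subj to openssl req (the *_default keys in a req_distinguished_name section only pre-fill the interactive prompts, so they cannot vary per certificate on their own). It then revokes a client certificate through the CA SSL database, issues the CRL with the CA SSL key, and runs the two checks that sit behind mod_ssl's "CRL signature failure": whether the CRL verifies against the certificate that issued it (openssl crl -CAfile, the same check shown earlier in the thread) and whether the leaf is flagged as revoked (openssl verify -crl_check). All DNs, file names and section names are constructed for this example; it assumes only an openssl command line (1.1.x or 3.x) and a writable temporary directory.

```shell
#!/bin/sh
# Added example (not from the thread): two-tier CA with distinct CNs from a
# single openssl.cnf, a revoked client cert, and the CRL checks mod_ssl makes.
# Every DN, file name and section name below is constructed for this example.
set -e

DN_BASE="/C=AA/ST=BB/L=CC/O=DD"

# Minimal config. The subject of every certificate is supplied with -subj,
# so one file serves the root, the sub-CA and the leaf with different CNs.
# The [ ca ] part is only used by "openssl ca -revoke" and "-gencrl".
write_config() {
  cat > openssl.cnf <<'EOF'
[ req ]
distinguished_name = req_distinguished_name
[ req_distinguished_name ]
commonName = Common Name
[ CA_ROOT ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
basicConstraints = critical,CA:TRUE,pathlen:1
keyUsage = keyCertSign, cRLSign
[ CA_SSL ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
basicConstraints = critical,CA:TRUE,pathlen:0
keyUsage = keyCertSign, cRLSign
[ CLIENT_RSA_SSL ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
basicConstraints = critical,CA:FALSE
keyUsage = digitalSignature
extendedKeyUsage = clientAuth
[ ca ]
default_ca = CA_ssl_default
[ CA_ssl_default ]
dir = .
database = $dir/index.txt
new_certs_dir = $dir
serial = $dir/serial
crlnumber = $dir/crlnumber
certificate = $dir/cassl.pem
private_key = $dir/cassl.key
default_md = sha256
default_crl_days = 30
policy = policy_any
[ policy_any ]
commonName = supplied
EOF
  : > index.txt
  echo 1000 > serial
  echo 1000 > crlnumber
}

# Build root CA, CA SSL sub-CA and a client cert in "$1", then revoke the
# client cert and publish the CRL signed by CA SSL. Runs in a subshell so
# the cd does not leak into the caller.
build_pki() (
  mkdir -p "$1" && cd "$1"
  write_config
  # Root CA, self-signed, CN "Root CA"
  openssl req -x509 -new -newkey rsa:2048 -nodes -keyout ca.key -out ca.pem \
    -days 3652 -subj "$DN_BASE/CN=Root CA" -config openssl.cnf -extensions CA_ROOT
  # CA SSL, issued by the root, CN "SSL CA" (distinct from the root's CN)
  openssl req -new -newkey rsa:2048 -nodes -keyout cassl.key -out cassl.csr \
    -subj "$DN_BASE/CN=SSL CA" -config openssl.cnf
  openssl x509 -req -in cassl.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
    -days 3652 -out cassl.pem -extfile openssl.cnf -extensions CA_SSL
  # Client certificate issued by CA SSL
  openssl req -new -newkey rsa:2048 -nodes -keyout client.key -out client.csr \
    -subj "$DN_BASE/CN=client1" -config openssl.cnf
  openssl x509 -req -in client.csr -CA cassl.pem -CAkey cassl.key -CAcreateserial \
    -days 365 -out client.pem -extfile openssl.cnf -extensions CLIENT_RSA_SSL
  # Revoke it in the CA SSL database and issue the CRL with the CA SSL key
  openssl ca -config openssl.cnf -revoke client.pem
  openssl ca -config openssl.cnf -gencrl -out crl.pem
)

# Exit 0 if crl.pem in "$1" verifies against CA certificate "$2": the CRL
# issuer name is looked up in that file and the CRL signature checked with
# its key. Checking against the wrong CA is what "Invalid signature on CRL"
# looks like from the command line.
crl_verifies_against() {
  (cd "$1" && openssl crl -noout -in crl.pem -CAfile "$2" >/dev/null 2>&1)
}

# Print "valid", "revoked" or "invalid" for client.pem in "$1", using the
# full chain plus the CRL, as a client-cert check with a CRL would.
client_status() {
  out=$(cd "$1" && openssl verify -crl_check -CAfile ca.pem -untrusted cassl.pem \
        -CRLfile crl.pem client.pem 2>&1) && { echo valid; return 0; }
  case "$out" in
    *"certificate revoked"*) echo revoked ;;
    *) echo invalid ;;
  esac
}

main() {
  work=$(mktemp -d)
  build_pki "$work" >/dev/null 2>&1
  crl_verifies_against "$work" cassl.pem && r1="verify OK" || r1="verify failure"
  crl_verifies_against "$work" ca.pem && r2="verify OK" || r2="verify failure"
  echo "CRL checked against CA SSL : $r1"
  echo "CRL checked against root CA: $r2"
  echo "client1 status             : $(client_status "$work")"
  rm -rf "$work"
}
main
```

Run as-is, the script reports the CRL verifying against cassl.pem, failing against ca.pem (no certificate in that file matches the CRL issuer), and client1 as revoked. The -subj approach is the simplest fix for the "same CN everywhere" problem; a single req_distinguished_name section with commonName_default can only ever propose one CN, so the alternative is one distinguished_name section per certificate type selected through separate config files.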