[CentOS] Certificates Revocation Lists and Apache...

Thu Nov 5 13:31:45 UTC 2009
John Doe <jdmls at yahoo.com>

From: Paul Heinlein <heinlein at madboa.com>
> > When I try to connect with a revoked (or unrevoked) certificate, I get:
> >  [debug] ssl_engine_kernel.c(1199): Certificate Verification: depth: 2,
> subject: /C=AA/ST=BB/L=CC/O=DD/CN=myhost.mydomain, issuer:
> /C=AA/ST=BB/L=CC/O=DD/CN=myhost.mydomain
> >  [debug] ssl_engine_kernel.c(1391): CA CRL: Issuer: C=AA, ST=BB, L=CC, O=DD,
> CN=myhost.mydomain, lastUpdate: Nov  4 14:39:36 2009 GMT, nextUpdate: Nov  4
> 14:39:36 2010 GMT
> >  [warn] Invalid signature on CRL
> >  [error] Certificate Verification: Error (8): CRL signature failure
> Does your "CA SSL" certificate have its CRL signing bit set?
>   openssl x509 -noout -purpose -in yourcert.pem | grep CRL

$ openssl x509 -noout -purpose -in cassl/cassl.pem | grep CRL
CRL signing : Yes
CRL signing CA : Yes

Also:

$ openssl crl -in cassl/crl.pem -CAfile cassl/cassl.pem
verify OK
-----BEGIN X509 CRL-----
MII...
...
...VQ=
-----END X509 CRL-----

> Also, there's an Apache bug that fouls things up if the "CA" and "CA
> SSL" root certificates both have the same CN:
>   https://issues.apache.org/bugzilla/show_bug.cgi?id=45708

Hmm, that might be the case...
They must all use 'myhost.mydomain' as CN...
Do you know how to specify different CNs in a common openssl.conf file?
Here's my openssl.conf:

# Entry section read by `openssl ca`: names the CA profile used when none is
# selected on the command line. The second profile, CA_ssl_default, is only
# reached when chosen explicitly with `-name CA_ssl_default`.
[ ca ]
default_ca      = CA_default

# Profile for the root CA ("CA Root"), used by `openssl ca` by default.
# All paths hang off $dir, which the config parser expands while reading the
# file, so `dir` has to remain the first key of the section.
[ CA_default ]
dir             = /etc/certs
# The CA's own certificate and signing key; the private/ tree should stay
# readable by root only.
certificate     = $dir/ca/ca.pem
private_key     = $dir/ca/private/ca.key
# Issuance state: text index of issued certs, next serial number, and the
# directories that receive issued certificates.
database        = $dir/ca/index
serial          = $dir/ca/serial
certs           = $dir/ca/certs
new_certs_dir   = $dir/ca/newcerts
# Signing defaults: ten years (3652 days) and SHA-1 digests.
# NOTE(review): SHA-1 certificate signatures are deprecated and rejected by
# current TLS clients; sha256 is the usual choice when the CA is re-keyed.
default_days    = 3652
default_md      = sha1
# preserve = no: the subject DN is rebuilt according to policy_match rather
# than copied verbatim from the request.
preserve        = no
policy          = policy_match

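# Profile for the subordinate "CA SSL" that issues the server and client
# certificates; select it with `openssl ca -name CA_ssl_default`.
# Paths hang off $dir, which is expanded while the file is parsed, so `dir`
# must stay the first key. Note that this tree lives under /root, unlike the
# root CA's /etc/certs — presumably intentional, but worth confirming; either
# way the private/ directory should be readable by root only.
[ CA_ssl_default ]
dir             = /root/Certifs
# The sub-CA's certificate and signing key
certificate     = $dir/cassl/cassl.pem
private_key     = $dir/cassl/private/cassl.key
# Issuance state: text index of issued certs, next serial number, and the
# directories that receive issued certificates (new_certs_dir was listed
# twice in the original; one entry is enough).
database        = $dir/cassl/index
serial          = $dir/cassl/serial
certs           = $dir/cassl/certs
new_certs_dir   = $dir/cassl/newcerts
# Signing defaults: ten years (3652 days) and SHA-1 digests.
# NOTE(review): SHA-1 certificate signatures are deprecated and rejected by
# current TLS clients; sha256 is the usual choice when the CA is re-keyed.
default_days    = 3652
default_md      = sha1
# preserve = no: the subject DN is rebuilt according to policy_match rather
# than copied verbatim from the request.
preserve        = no
policy          = policy_match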

# DN policy used by both CA profiles (`policy = policy_match`). Fields marked
# `match` must be identical to the issuing CA's own subject, so every
# certificate signed here shares C/ST/L/O with its CA; `supplied` only
# requires the field to be present. CN is therefore the one component that
# can differ between the root CA, the SSL CA and the end-entity certs.
[ policy_match ]
countryName             = match
stateOrProvinceName     = match
localityName            = match
organizationName        = match
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

# `openssl req` settings: only the DN prompt section is configured here. No
# extension section is referenced, so the X.509 extensions below are
# presumably attached at signing time (e.g. `openssl ca -extensions CA_SSL`).
[ req ]
distinguished_name      = req_distinguished_name

# Prompt labels and default answers for `openssl req`. The order of the
# fields is significant (it is the prompt order and the order of the DN
# components), so do not reorder them.
# The same commonName_default is offered for every certificate produced from
# this file — root CA, SSL CA, server and client alike — which is how the two
# CAs ended up with the identical CN visible in the Apache debug log above
# (subject == issuer). Give at least one of the CAs a different CN at the
# prompt, or keep a separate config file per CA.
[ req_distinguished_name ]
countryName                     = Country
countryName_default             = AA
stateOrProvinceName             = State
stateOrProvinceName_default     = BB
localityName                    = Locality
localityName_default            = CC
organizationName                = Organization
organizationName_default        = DD
commonName                      = CN
commonName_default              = myhost.mydomain
# Length limits applied to the prompted values
commonName_max                  = 64
emailAddress                    = Email Address
emailAddress_max                = 40

# Extensions for the self-signed root certificate. pathlen:1 permits exactly
# one level of subordinate CA beneath it (CA_SSL). keyUsage restricts the
# root key to certificate and CRL signing.
# NOTE(review): keyUsage is usually marked critical on CA certificates
# (`keyUsage = critical, keyCertSign, cRLSign`) — confirm the intended policy.
[CA_ROOT]
nsComment                       = "CA Root"
subjectKeyIdentifier            = hash
authorityKeyIdentifier          = keyid,issuer:always
basicConstraints                = critical,CA:TRUE,pathlen:1
keyUsage                        = keyCertSign, cRLSign

# Extensions for the subordinate "CA SSL" that signs the server and client
# certificates. pathlen:0 means it may issue end-entity certificates only.
# cRLSign is present, consistent with the `openssl x509 -purpose` output
# quoted earlier in the thread. nsCertType is a legacy Netscape extension
# that current software largely ignores.
[CA_SSL]
nsComment                       = "CA SSL"
basicConstraints                = critical,CA:TRUE,pathlen:0
subjectKeyIdentifier            = hash
authorityKeyIdentifier          = keyid,issuer:always
issuerAltName                   = issuer:copy
keyUsage                        = keyCertSign, cRLSign
nsCertType                      = sslCA

# Extensions for TLS server certificates. subjectAltName is hard-coded to a
# single DNS name, so every certificate issued with this profile carries
# DNS:myhost.mydomain regardless of the CN typed at the prompt; another host
# needs its own profile or an override at signing time.
# nonRepudiation is not needed for TLS server authentication but does no harm.
[SERVER_RSA_SSL]
subjectKeyIdentifier            = hash
authorityKeyIdentifier          = keyid,issuer:always
issuerAltName                   = issuer:copy
subjectAltName                  = DNS:myhost.mydomain
basicConstraints                = critical,CA:FALSE
keyUsage                        = digitalSignature, nonRepudiation, keyEncipherment
nsCertType                      = server
extendedKeyUsage                = serverAuth

# Extensions for client certificates presented to Apache (SSLVerifyClient).
# The critical subjectAltName copies the e-mail from the request subject
# (email:copy) and adds one fixed address; "info at mydomain" looks like the
# mailing list's address obfuscation — presumably the real file has an
# RFC 822 address with an @ here, verify before reuse.
[CLIENT_RSA_SSL]
nsComment                       = "Certificat Client SSL"
subjectKeyIdentifier            = hash
authorityKeyIdentifier          = keyid,issuer:always
issuerAltName                   = issuer:copy
subjectAltName                  = critical,email:copy,email:info at mydomain
basicConstraints                = critical,CA:FALSE
keyUsage                        = digitalSignature, nonRepudiation
nsCertType                      = client
extendedKeyUsage                = clientAuth

Thx,
JD