[CentOS] Certificates Revocation Lists and Apache...

Wed Nov 4 16:22:48 UTC 2009
John Doe <jdmls at yahoo.com>

From: nate <centos at linuxpowered.net>
> Any relation to this?
> https://issues.apache.org/bugzilla/show_bug.cgi?id=45708

I don't think so; my tests are quite simple:
  - Start from clean state (
  - Generate CA certificate
  - Generate CASSL certificate signed by CA
  - Generate Client Certificate signed by CASSL
  - Generate Revocation Certificate signed by CASSL
All the steps are in one go (no changes of any kind in between).
In my tests, I am only using one crl file with one revocation certificate.
Tried the revocationpath and it did nothing at all for me...

> So few use CRL, I really don't see the benefit, but I suppose in
> really controlled environments it could be useful(just not to me).

The goal is to be able to distribute client certificates to filter web access to certain resources.
But we also need a way to revoke such access in the future if needed.
Let's say someone lost his laptop with his certificate, or he became an evil hacker, or he just left the company...
We need to disable his certificate, instead of having to regenerate the CASSL certificate and all the client certificates... or wait for it to expire...

Thx,
JD
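The procedure described in the message (root CA, intermediate "CASSL", client certificate, then a CRL issued by CASSL), as an added worked example that is not part of the original thread. It builds the whole chain with the openssl CLI, checks the client certificate against an empty CRL, revokes it, regenerates the CRL and checks again, so the check visibly flips from valid to revoked. All names (Example Root CA, Example CASSL, alice), serials and file names are constructed for the example; it assumes a POSIX shell and an openssl binary (1.1.1 or 3.x). SSLCARevocationFile and SSLCARevocationPath are mod_ssl directives; the second one looks CRLs up by hashed filename (the same `<hash>.r0` links that `c_rehash` creates), so a CRL dropped into that directory under its own name is silently ignored, which is worth checking whenever "revocationpath did nothing":

```shell
#!/bin/sh
# Added example (not from the CentOS thread): two-level PKI plus CRL with openssl.
# Everything here is constructed for the demo; names and serials are placeholders.
set -eu

WORK="${WORK:-$(mktemp -d)}"
cd "$WORK"

# Minimal config: [req] so 'openssl req' does not need the system openssl.cnf,
# and a CA section that 'openssl ca' uses for the revocation database and CRL.
cat > cassl.cnf <<'EOF'
[ req ]
distinguished_name = req_dn
prompt = no
[ req_dn ]
CN = overridden-by-subj

[ ca ]
default_ca = cassl
[ cassl ]
database         = index.txt
serial           = serial
crlnumber        = crlnumber
new_certs_dir    = .
certificate      = cassl.crt
private_key      = cassl.key
default_md       = sha256
default_days     = 365
default_crl_days = 30
policy           = policy_any
[ policy_any ]
commonName = supplied
EOF

# Extensions for the two CA certificates; without CA:TRUE the intermediate
# would be rejected as an issuer. cRLSign lets CASSL sign CRLs.
cat > ca_ext.cnf <<'EOF'
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF

# Extensions for the end-entity client certificate.
cat > client_ext.cnf <<'EOF'
basicConstraints = CA:FALSE
extendedKeyUsage = clientAuth
EOF

build_pki() {
    # 1. Root CA, self-signed.
    openssl req -new -newkey rsa:2048 -nodes -config cassl.cnf \
        -keyout ca.key -out ca.csr -subj "/CN=Example Root CA"
    openssl x509 -req -in ca.csr -signkey ca.key -days 365 \
        -extfile ca_ext.cnf -out ca.crt
    # 2. Intermediate CA ("CASSL"), signed by the root.
    openssl req -new -newkey rsa:2048 -nodes -config cassl.cnf \
        -keyout cassl.key -out cassl.csr -subj "/CN=Example CASSL"
    openssl x509 -req -in cassl.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
        -days 365 -extfile ca_ext.cnf -out cassl.crt
    # 3. Client certificate, signed by CASSL (constructed serial 0x1001).
    openssl req -new -newkey rsa:2048 -nodes -config cassl.cnf \
        -keyout client.key -out client.csr -subj "/CN=alice"
    openssl x509 -req -in client.csr -CA cassl.crt -CAkey cassl.key \
        -set_serial 0x1001 -days 365 -extfile client_ext.cnf -out client.crt
    # 4. Empty CRL issued by CASSL: nothing revoked yet.
    : > index.txt
    echo 1000 > serial
    echo 1000 > crlnumber
    openssl ca -config cassl.cnf -gencrl -md sha256 -out cassl.crl
}

# Returns 0 when client.crt chains to ca.crt through cassl.crt and its serial
# is not listed in cassl.crl (same check mod_ssl performs at the handshake).
client_is_valid() {
    openssl verify -CAfile ca.crt -untrusted cassl.crt \
        -CRLfile cassl.crl -crl_check client.crt >/dev/null 2>&1
}

# Record the revocation in CASSL's database and publish a fresh CRL.
revoke_client() {
    openssl ca -config cassl.cnf -md sha256 -revoke client.crt
    openssl ca -config cassl.cnf -gencrl -md sha256 -out cassl.crl
}

# File name mod_ssl expects inside SSLCARevocationPath: <issuer hash>.r0
crl_link_name() {
    printf '%s.r0\n' "$(openssl crl -in cassl.crl -noout -hash)"
}

build_pki
if client_is_valid; then BEFORE=valid; else BEFORE=invalid; fi
revoke_client
if client_is_valid; then AFTER=valid; else AFTER=revoked; fi
echo "client certificate before revocation: $BEFORE, after: $AFTER"
echo "Apache: SSLCARevocationFile $WORK/cassl.crl"
echo "    or: SSLCARevocationPath <dir> with the CRL linked as $(crl_link_name)"
```

Run it with `sh crl-demo.sh`; it works in a fresh temporary directory unless `WORK` is set. The verification step uses `-crl_check` rather than `-crl_check_all`, so only the CRL of the client certificate's issuer (CASSL) is required, which matches the single-CRL setup in the message; checking the whole chain would also need a CRL from the root.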