From: Paul Heinlein <heinlein at madboa.com>

> > When I try to connect with a revoked (or unrevoked) certificate, I get:
> >
> > [debug] ssl_engine_kernel.c(1199): Certificate Verification: depth: 2,
> > subject: /C=AA/ST=BB/L=CC/O=DD/CN=myhost.mydomain, issuer:
> > /C=AA/ST=BB/L=CC/O=DD/CN=myhost.mydomain
> >
> > [debug] ssl_engine_kernel.c(1391): CA CRL: Issuer: C=AA, ST=BB, L=CC, O=DD,
> > CN=myhost.mydomain, lastUpdate: Nov 4 14:39:36 2009 GMT, nextUpdate: Nov 4
> > 14:39:36 2010 GMT
> >
> > [warn] Invalid signature on CRL
> >
> > [error] Certificate Verification: Error (8): CRL signature failure
>
> Does your "CA SSL" certificate have its CRL signing bit set?
>
> openssl x509 -noout -purpose -in yourcert.pem | grep CRL

$ openssl x509 -noout -purpose -in cassl/cassl.pem | grep CRL
CRL signing : Yes
CRL signing CA : Yes

Also:

$ openssl crl -in cassl/crl.pem -CAfile cassl/cassl.pem
verify OK
-----BEGIN X509 CRL-----
MII...
...
...VQ=
-----END X509 CRL-----

> Also, there's an Apache bug that fouls things up if the "CA" and "CA
> SSL" root certificates both have the same CN:
> https://issues.apache.org/bugzilla/show_bug.cgi?id=45708

Hum.. that might be the case... They must all use 'myhost.mydomain' as CN...
Do you know how to specify different CNs in a common openssl.conf file?

Here's my openssl.conf:

[ ca ]
default_ca = CA_default

[ CA_default ]
dir = /etc/certs
certs = $dir/ca/certs
new_certs_dir = $dir/ca/newcerts
database = $dir/ca/index
certificate = $dir/ca/ca.pem
serial = $dir/ca/serial
private_key = $dir/ca/private/ca.key
default_days = 3652
default_md = sha1
preserve = no
policy = policy_match

[ CA_ssl_default ]
dir = /root/Certifs
certs = $dir/cassl/certs
new_certs_dir = $dir/cassl/newcerts
database = $dir/cassl/index
certificate = $dir/cassl/cassl.pem
serial = $dir/cassl/serial
private_key = $dir/cassl/private/cassl.key
default_days = 3652
default_md = sha1
preserve = no
policy = policy_match

[ policy_match ]
countryName = match
stateOrProvinceName = match
localityName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

[ req ]
distinguished_name = req_distinguished_name

[ req_distinguished_name ]
countryName = Country
countryName_default = AA
stateOrProvinceName = State
stateOrProvinceName_default = BB
localityName = Locality
localityName_default = CC
organizationName = Organization
organizationName_default = DD
commonName = CN
commonName_default = myhost.mydomain
commonName_max = 64
emailAddress = Email Address
emailAddress_max = 40

[CA_ROOT]
nsComment = "CA Root"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
basicConstraints = critical,CA:TRUE,pathlen:1
keyUsage = keyCertSign, cRLSign

[CA_SSL]
nsComment = "CA SSL"
basicConstraints = critical,CA:TRUE,pathlen:0
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
issuerAltName = issuer:copy
keyUsage = keyCertSign, cRLSign
nsCertType = sslCA

[SERVER_RSA_SSL]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
issuerAltName = issuer:copy
subjectAltName = DNS:myhost.mydomain
basicConstraints = critical,CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment
nsCertType = server
extendedKeyUsage = serverAuth

[CLIENT_RSA_SSL]
nsComment = "Certificat Client SSL"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
issuerAltName = issuer:copy
subjectAltName = critical,email:copy,email:info at mydomain
basicConstraints = critical,CA:FALSE
keyUsage = digitalSignature, nonRepudiation
nsCertType = client
extendedKeyUsage = clientAuth

Thx,
JD
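Added example, not part of JD's or Paul's messages: a way to give the root CA and the SSL sub-CA distinct CNs from one openssl.conf, which is what the Apache bug quoted above calls for. This fragment replaces the [ req ] and [ req_distinguished_name ] sections of the posted file; the CA_default, CA_ssl_default and CA_SSL sections are the ones JD posted, while the section names dn_root, dn_cassl and req_cassl, the key and CSR file names, and the use of the nsComment strings "CA Root" and "CA SSL" as CNs are assumptions made for this example.

```ini
# Added example (not from the thread). prompt = no makes openssl req take
# every DN field from the file, so each CA gets its own DN section and
# only the CN differs between them.
[ req ]
distinguished_name = dn_root      # used when no other section is selected
prompt             = no

[ dn_root ]
C  = AA
ST = BB
L  = CC
O  = DD
CN = CA Root                      # constructed: distinct from the sub-CA's CN

[ dn_cassl ]
C  = AA
ST = BB
L  = CC
O  = DD
CN = CA SSL                       # constructed: the issuer name mod_ssl logs

# A second req-style section for the sub-CA request (OpenSSL 3.x selects it
# with -section; older releases can instead override the DN with -subj):
#   openssl req -new -config openssl.conf -section req_cassl \
#       -key cassl.key -out cassl.csr
#   openssl req -new -config openssl.conf -key cassl.key -out cassl.csr \
#       -subj "/C=AA/ST=BB/L=CC/O=DD/CN=CA SSL"
[ req_cassl ]
distinguished_name = dn_cassl
prompt             = no

# Sign the sub-CA with the root (-name picks the CA section, -extensions the
# extension section already in the posted file):
#   openssl ca -config openssl.conf -name CA_default -extensions CA_SSL \
#       -in cassl.csr -out cassl.pem
# Issue the CRL from the sub-CA, whose CN now differs from the root's:
#   openssl ca -config openssl.conf -name CA_ssl_default -gencrl -out crl.pem
```

After reissuing, `openssl x509 -noout -issuer -in cassl.pem` and `openssl crl -noout -issuer -in crl.pem` should show the two different CNs, so mod_ssl can no longer confuse the two issuers when it looks up the CRL signer.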