Hello all,
I’m not quite sure where to post my question because I wasn’t able to locate
my fault. So I’ll post my question in the OpenSSL-user forum and in the
Apache http server-users forum. A similar post in a German Firefox forum
brought no solution. Please excuse me if the question doesn’t fit this
forum.
To my situation: I’m using Linux / Suse 10.0 with Apache 2.0.54, OpenSSL
0.9.7g and Firefox 2.0.1. I’m both the webserver and the client. I’ve
given my computer a static IP address: 192.168.0.2
I’ve built a simple Website to which I’ve got access with
https://192.168.0.2
I want to include the use of CRLs. Client certificates are not a subject for me.
The Apache and OpenSSL work very well and I’m able to create CRLs and import
them into my Firefox.
To my problem: When my webserver uses certificates which are revoked (I
revoked them) I’m still able to access the site although the browser has got
the newest CRL. I’ve read a lot of configs and howtos but I still don’t know
the reason for this fault.
If anyone knows a good howto for my scenario or (even better) the solution
for my problem, please let me know. Below I post some excerpts of what
I’ve done so far.
Here is the OpenSSL part, starting with the creation of my CA. First the
basics:
# mkdir /opt/exampleca
# cd /opt/exampleca
# mkdir certs private
# chmod g-rwx,o-rwx private
# echo '01' > serial
# touch index.txt
Here is my openssl.cnf:
[ ca ]
default_ca = exampleca
[ exampleca ]
dir = /opt/exampleca
certificate = $dir/cacert.pem
database= $dir/index.txt
new_certs_dir = $dir/certs
private_key = $dir/private/cakey.pem
serial = $dir/serial
default_crl_days= 7
default_days= 365
default_md = md5
policy = exampleca_policy
x509_extensions = certificate_extensions
[ exampleca_policy ]
commonName = supplied
stateOrProvinceName = supplied
countryName = supplied
emailAddress= supplied
organizationName= supplied
organizationalUnitName = optional
[ certificate_extensions ]
basicConstraints= CA:false
crlDistributionPoints=URI:https://192.168.0.2/derexample.crl
[ req ]
default_bits= 2048
default_keyfile = /opt/exampleca/private/cakey.pem
default_md = md5
prompt = no
distinguished_name = root_ca_distinguished_name
x509_extensions = root_ca_extensions
[ root_ca_distinguished_name ]
commonName = Example CA
stateOrProvinceName = Virginia
countryName = US
emailAddress= [EMAIL PROTECTED]
organizationName= Root Certification Authority
[ root_ca_extensions ]
basicConstraints= CA:true
With this code I’m telling OpenSSL where to find my config file:
# OPENSSL_CONF=/opt/exampleca/openssl.cnf
# export OPENSSL_CONF
Generating a self-signed root certificate
# openssl req -x509 -newkey rsa -out cacert.pem -outform PEM
A look at the output of the self-signed root certificate
# openssl x509 -in cacert.pem -text -noout
Generating a certificate request
# openssl req -newkey rsa:1024 -keyout testkey.pem -keyform PEM -out testreq.pem -outform PEM
A look at the output of the certificate request
# openssl req -in testreq.pem -text -noout
Issue a certificate from a certificate request
# openssl ca -in testreq.pem
Revoke a certificate
# cp certs/01.pem testcert.pem
# openssl ca -revoke testcert.pem
Generating a CRL
# openssl ca -gencrl -out example.crl
A look at the output of the CRL
# openssl crl -in example.crl -text -noout
Verify the signature of the CRL
# openssl crl -in example.crl -noout -CAfile cacert.pem
Convert the CRL from PEM to DER because Firefox needs DER format
# openssl crl -in example.crl -outform DER -out derexample.crl
A look at the output of the DER CRL
# openssl crl -text -noout -in derexample.crl -inform der
Now to my Apache part:
I copy the derexample.crl into the DocumentRoot of the Apache so that I can
access it with https://192.168.0.2/derexample.crl
That’s probably not 100% secure but it works for now and it will be changed
in the near future.
Now to the Apache configs:
- LoadModule ssl_module is included in my loadmodule.conf
- an excerpt of my default-server.conf:
<Directory "/srv/www/htdocs">
SSLRequireSSL
Options None
AllowOverride None
Order allow,deny
Allow from all
</Directory>
- Here is my complete ssl-global.conf:
## SSL Global Context
<IfDefine SSL>
<IfDefine !NOSSL>
<IfModule mod_ssl.c>
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl
SSLPassPhraseDialog builtin
SSLSessionCache shmcb:/var/lib/apache2/ssl_scache(512000)
SSLSessionCacheTimeout 600
SSLMutex default
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
<VirtualHost _default_:443>
ServerName 192.168.0.2:443
ErrorLog /opt/exampleca/ssl_error_log
TransferLog /opt/exampleca/ssl_access_log
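A way to confirm, independently of the browser, that a revoked server certificate really is rejected against the CRL (an added example, not part of the original post or its CA setup): it rebuilds a throwaway CA in a temp directory with the same layout as the post's openssl.cnf, issues a certificate, revokes it, regenerates the CRL, and runs the same revocation check a CRL-aware client performs with `openssl verify -crl_check`. It assumes an `openssl` binary on PATH that understands `-CRLfile` (1.0.2 or newer); the directory, subject names and sha256 digest are constructed for the demo.

```shell
set -e
# verify_with_crl CACERT CRL CERT: the check a CRL-aware relying party does; prints ok / revoked / failed
verify_with_crl() {
  if out=$(openssl verify -crl_check -CAfile "$1" -CRLfile "$2" "$3" 2>&1); then echo ok; return 0; fi
  case "$out" in *revoked*) echo revoked ;; *) echo failed ;; esac
  return 1
}
# crl_check_demo: throwaway CA in a temp dir (constructed; not the poster's /opt/exampleca),
# issue a server cert, revoke it, regenerate the CRL, print the verify result after revocation
crl_check_demo() {
  d=$(mktemp -d); c="$d/openssl.cnf"; mkdir "$d/certs" "$d/private"; echo 01 > "$d/serial"; : > "$d/index.txt"
  cat > "$c" <<EOF
[ ca ]
default_ca = exampleca
[ exampleca ]
dir = $d
certificate = \$dir/cacert.pem
database = \$dir/index.txt
new_certs_dir = \$dir/certs
private_key = \$dir/private/cakey.pem
serial = \$dir/serial
default_crl_days = 7
default_days = 365
default_md = sha256
policy = pol
[ pol ]
commonName = supplied
[ req ]
distinguished_name = dn
prompt = no
x509_extensions = root_ext
[ dn ]
commonName = Example CA
[ root_ext ]
basicConstraints = CA:true
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -config "$c" -keyout "$d/private/cakey.pem" -out "$d/cacert.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -config "$c" -subj "/CN=192.168.0.2" -keyout "$d/srv.key" -out "$d/srv.csr" 2>/dev/null
  openssl ca -config "$c" -batch -notext -in "$d/srv.csr" -out "$d/srv.pem" >/dev/null 2>&1
  openssl ca -config "$c" -gencrl -out "$d/crl.pem" 2>/dev/null
  [ "$(verify_with_crl "$d/cacert.pem" "$d/crl.pem" "$d/srv.pem")" = ok ] || return 1  # not yet revoked: passes
  openssl ca -config "$c" -revoke "$d/srv.pem" >/dev/null 2>&1
  openssl ca -config "$c" -gencrl -out "$d/crl.pem" 2>/dev/null   # revocation only takes effect in a freshly issued CRL
  verify_with_crl "$d/cacert.pem" "$d/crl.pem" "$d/srv.pem" || true
  rm -rf "$d"
}
```

If `crl_check_demo` prints `revoked`, the CA, certificate and CRL are consistent and the remaining question is purely whether the client actually consults the CRL it was given.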