On Wed, 4 Nov 2009, John Doe wrote:

> already asked in the openssl mailing list, but just in case you already went 
> through this...
> I need a little help with Certificate Revocation Lists.
> I did set up client certificate filtering with apache and it seems to work 
> fine so far (used a tutorial on http://www.adone.info/?p=4, down right now).
> I have a "CA" that is signing a "CA SSL".
> Then, the "CA SSL" is signing the client certificates.
>
> Now, I am testing Certificate Revocation Lists, but apache keeps 
> saying: "Invalid signature on CRL"
>
> I used:
>  $ openssl ca -config openssl.conf -name CA_ssl_default -revoke 
> cassl/$CLIENTNAME.pem
>  [....]
>  $ openssl ca -config openssl.conf -name CA_ssl_default -gencrl -out 
> cassl/crl.pem -crldays 365

So far so good.

> When I try to connect with a revoked (or unrevoked) certificate, I get:
>  [debug] ssl_engine_kernel.c(1199): Certificate Verification: depth: 2, 
> subject: /C=AA/ST=BB/L=CC/O=DD/CN=myhost.mydomain, issuer: 
> /C=AA/ST=BB/L=CC/O=DD/CN=myhost.mydomain
>  [debug] ssl_engine_kernel.c(1391): CA CRL: Issuer: C=AA, ST=BB, L=CC, O=DD, 
> CN=myhost.mydomain, lastUpdate: Nov  4 14:39:36 2009 GMT, nextUpdate: Nov  4 
> 14:39:36 2010 GMT
>  [warn] Invalid signature on CRL
>  [error] Certificate Verification: Error (8): CRL signature failure

Does your "CA SSL" certificate have its CRL signing bit set?

   openssl x509 -noout -purpose -in yourcert.pem | grep CRL

Also, there's an Apache bug that fouls things up if the "CA" and "CA 
SSL" root certificates both have the same CN:

   https://issues.apache.org/bugzilla/show_bug.cgi?id=45708

> How can I check if the crl.pem file is ok?
>  $ openssl crl -in cassl/crl.pem -text
>  [...]

This is the best way, and it looks as if things are OK.

> I also tried all sorts of verify combos, but all fail:
>  $ openssl verify -verbose -config openssl.conf -purpose crlsign -crl_check 
> cassl/crl.pem

The 'verify' option is only good for certificates, not CRLs. It's also 
worth noting that the 'verify' option doesn't do any CRL checking. 
Grep for 'CRL' in the DIAGNOSTICS section of the verify(1) man page 
and you'll see a lot of 'unused' notes.

-- 
Paul Heinlein <> heinl...@madboa.com <> http://www.madboa.com/
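The checks suggested in this reply, rebuilt end to end as an added example that is not part of the thread: it constructs a throwaway "CA" -> "CA SSL" -> client hierarchy, revokes one client, issues a CRL from "CA SSL", then tests the CRL-signing purpose, the CRL signature, and a chain-plus-CRL verification the way mod_ssl performs it. All file names, CNs and the client names alice/bob are constructed; it only assumes a working openssl CLI.

```shell
#!/bin/sh
# Added example (not from the thread): rebuild the poster's "CA" -> "CA SSL" ->
# client layout, revoke one client, issue a CRL, then run the reply's checks.
set -e
W=$(mktemp -d) && cd "$W"
cat > openssl.conf <<'EOF'      # minimal config; all names here are constructed
[ req ]
distinguished_name = dn
[ dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[ ca ]
default_ca = CA_ssl_default
[ CA_ssl_default ]
dir = .
database = $dir/index.txt
new_certs_dir = $dir
serial = $dir/serial
certificate = $dir/cassl.pem
private_key = $dir/cassl.key
default_md = sha256
EOF
touch index.txt; echo 01 > serial
# Root "CA" and "CA SSL" get different CNs (the same CN trips Apache bug 45708).
openssl req -config openssl.conf -x509 -newkey rsa:2048 -nodes -subj /CN=CA \
  -keyout ca.key -out ca.pem -days 365 -extensions v3_ca 2>/dev/null
openssl req -config openssl.conf -new -newkey rsa:2048 -nodes -subj "/CN=CA SSL" \
  -keyout cassl.key -out cassl.csr 2>/dev/null
openssl x509 -req -in cassl.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
  -days 365 -extfile openssl.conf -extensions v3_ca -out cassl.pem 2>/dev/null
for c in alice bob; do   # two client certs signed by "CA SSL"; alice gets revoked
  openssl req -config openssl.conf -new -newkey rsa:2048 -nodes -subj "/CN=$c" \
    -keyout $c.key -out $c.csr 2>/dev/null
  openssl x509 -req -in $c.csr -CA cassl.pem -CAkey cassl.key -CAcreateserial \
    -days 30 -out $c.pem 2>/dev/null
done
openssl ca -config openssl.conf -name CA_ssl_default -revoke alice.pem 2>/dev/null
openssl ca -config openssl.conf -name CA_ssl_default -gencrl -crldays 365 -out crl.pem 2>/dev/null
# What mod_ssl sees: CA certs (SSLCACertificateFile) plus the CRL (SSLCARevocationFile).
cat ca.pem cassl.pem crl.pem > trust.pem
# Check 1 (the -purpose test): does the cert carry the CRL-signing purpose?
can_sign_crl() { openssl x509 -noout -purpose -in "$1" | grep -q 'CRL signing : Yes'; }
# Check 2: does the CRL's signature verify against an issuer cert found in $2?
crl_sig_ok() { openssl crl -noout -in "$1" -CAfile "$2" 2>&1 | grep -q 'verify OK'; }
# Check 3: chain + CRL check of a client cert, the way mod_ssl performs it.
client_status() {
  out=$(openssl verify -CAfile trust.pem -crl_check "$1" 2>&1) || true
  case $out in *"certificate revoked"*) echo revoked ;; *": OK"*) echo accepted ;; *) echo invalid ;; esac
}
```

Note that `crl_sig_ok crl.pem ca.pem` fails because the CRL issuer ("CA SSL") is not in that file, which is the same situation mod_ssl is in when SSLCACertificateFile holds only the root.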
_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos