On 02/16/2015 04:23 PM, Reindl Harald wrote:
>> "The CA file should contain the certificate(s) followed by the
>> matching CRL(s). Note that the CRLs are required to exist. For a
>> multi-level CA place the certificates in this order:
>>
>> Issuing CA cert
>> Issuing CA CRL
>> Intermediate CA cert
>> Intermediate CA CRL
>> Root CA cert
>> Root CA CRL"
>
> that is how you can and should build your PEM files for *every* SSL
^^^^^^^
> aware software
NACK. I have set up CentOS 6 servers a little more than two years ago
with that format used for dovecot and OpenVPN, including verification
that the functionality was there. Last month we had a need to revoke a
client's certs and it turned out that OpenVPN had silently stopped
honoring the CRLs somewhere along the update path (dovecot still
enforces them). I had to QuickFix the OpenVPN config from the above
monolithic file over to a CApath
https://www.openssl.org/docs/ssl/SSL_CTX_load_verify_locations.html#notes
to successfully lock the disgraced client out.
Regards,
J. Bern
--
*NEU* - NEC IT-Infrastruktur-Produkte im <http://www.linworks-shop.de/>:
Server--Storage--Virtualisierung--Management SW--Passion for Performance
Jochen Bern, Systemingenieur --- LINworks GmbH <http://www.LINworks.de/>
Postfach 100121, 64201 Darmstadt | Robert-Koch-Str. 9, 64331 Weiterstadt
PGP (1024D/4096g) FP = D18B 41B1 16C0 11BA 7F8C DCF7 E1D5 FAF4 444E 1C27
Tel. +49 6151 9067-231, Zentr. -0, Fax -299 - Amtsg. Darmstadt HRB 85202
Unternehmenssitz Weiterstadt, Geschäftsführer Metin Dogan, Oliver Michel
