Hello,

Today I encountered a situation where I would like to revoke a certificate. So I revoked the pem, then I updated my CA crl cert using the openssl ca -gencrl command. I then copied the crl to the firewall in question, and tried to import it into nss using the crlutil command.

That took a bit of figuring, but in the end I got it to import by converting it to DER format using the following command:

    openssl crl -in Certificate.Authority.crl -inform PEM \
        -out Certificate.Authority.crl.der -outform DER

I can now list the crl in the nss database, but I figured it was a good idea to test it. And was it ever a good idea, because the certificate I revoked can still connect to the vpn. I thought I was so clever, but it turns out I know naught...

So I figured maybe the nss database needs to have a copy of the actual cert in order to consider it revoked, so I created a DER format out of the pem file, and copied the p12, the pem and the der file to the firewall in question. When trying to import any of the three into the nss database with the following command:

    crlutil -I -i /root/username.pem -d /etc/ipsec.d/

All three file types result in the following error:

    crlutil: unable to import CRL: SEC_ERROR_CRL_INVALID: New CRL has an invalid format.

I read https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/tools/NSS_Tools_crlutil but I find it missing a great deal of explanation regarding using it in this situation. I am sure it will all make sense after I have gained understanding elsewhere. I read several other articles as well, but it seems applications generally have their own tools for manipulating certificates before any nss commands are run (or maybe those are other nss commands and I just don't know it?)

So did I miss some step in the certificate creation or something for this to work, or am I just doing things wrong? Can someone point me at what I need to read to gain the correct understanding?

Thanks for any hints...

-- 
Computerisms
Bob Miller
867-334-7117 / 867-633-3760
http://computerisms.ca

_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan
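A pre-flight check for the import step above, added here as an example and not taken from the post or from the NSS tools: it accepts PEM or DER (the same PEM-to-DER conversion the openssl crl command performed) and reports whether the file has the ASN.1 shape of a CRL or of a certificate, which is the distinction that fails with SEC_ERROR_CRL_INVALID when a certificate file is handed to crlutil -I. The sample inputs at the bottom are constructed minimal structures, not real signed objects.

```python
import base64
import re

def _tlv(buf, pos):
    """Decode one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low bits give the byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _children(seq):
    """Return [(tag, value), ...] for the elements directly inside a SEQUENCE body."""
    out, pos = [], 0
    while pos < len(seq):
        tag, val, pos = _tlv(seq, pos)
        out.append((tag, val))
    return out

def to_der(data):
    """Accept PEM or DER bytes and return DER, the form crlutil -I was given after openssl crl."""
    if data.lstrip().startswith(b"-----BEGIN"):
        body = re.sub(rb"-----[^-]+-----", b"", data)
        return base64.b64decode(b"".join(body.split()))
    return data

def classify(der):
    """Return 'crl', 'certificate' or 'unknown' from the shape of the signed structure."""
    try:
        tag, outer, _ = _tlv(der, 0)
        top = _children(outer)
        if tag != 0x30 or len(top) != 3 or top[0][0] != 0x30:
            return "unknown"                # expect SEQUENCE { tbs, sigAlgorithm, signature }
        tbs = _children(top[0][1])
    except (IndexError, ValueError):
        return "unknown"
    # TBSCertList carries thisUpdate (UTCTime 0x17 / GeneralizedTime 0x18) as a direct child;
    # a TBSCertificate keeps its times inside the validity SEQUENCE, so none appear here.
    if any(t in (0x17, 0x18) for t, _ in tbs):
        return "crl"
    return "certificate" if tbs else "unknown"

# --- constructed sample inputs (minimal shapes only; unsigned, trusted by nothing) ---
def _enc(tag, payload):                     # short-form DER encoder, enough for the samples
    return bytes([tag, len(payload)]) + payload
_ALG = _enc(0x30, _enc(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))  # sha256WithRSA OID
_NAME, _TIME = _enc(0x30, b""), _enc(0x17, b"240101000000Z")
def _signed(tbs):
    return _enc(0x30, tbs + _ALG + _enc(0x03, b"\x00"))
SAMPLE_CRL = _signed(_enc(0x30, _enc(0x02, b"\x01") + _ALG + _NAME + _TIME + _TIME))
SAMPLE_CERT = _signed(_enc(0x30, _enc(0xA0, _enc(0x02, b"\x02")) + _enc(0x02, b"\x01")
                      + _ALG + _NAME + _enc(0x30, _TIME + _TIME) + _NAME + _enc(0x30, b"")))
SAMPLE_CRL_PEM = b"-----BEGIN X509 CRL-----\n" + base64.encodebytes(SAMPLE_CRL) + b"-----END X509 CRL-----\n"
```

Running classify(to_der(open(path, "rb").read())) before the crlutil step tells you whether the file is a CRL at all; only a result of "crl" is worth importing with crlutil -I.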
