On Mon, 15 Jan 2024, Marc wrote:

On windows there is a command certutil -revoke, but on el7 I do not have this. 
So I was wondering how certs are put on this crl in the db.

I probably do not really get the concept here, this certutil is new to me.

Revocation is basically a signed serial number. So the Root CA can sign
such a statement. Typically, these are lists exported via either a CRL
(certificate revocation list) or via Online Certificate Store Protocol
(OCSP). The URLs to CRL or OCSP entries are normally added to root CA.
During validation to such a root CA, libreswan should trigger an OCSP
fetch or a CRL fetch.

You can also import a CRL directly into the NSS DB that
libreswan uses:

        crlutil -I -i <file> -d sql:/var/lib/ipsec/nss   (or /etc/ipsec.d on older libreswans)

But remember the CRL also expires, so you need to regularly sign and
re-import it if that is your method of updating. I don't remember if
an expired CRL's entries still count as revoked or not, or if an
expired CRL just triggers the softfail/hardfail case (see crl-strict= of
ipsec.conf)

Paul
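The expiry caveat above is worth checking before every re-import, since crlutil will happily load a CRL whose nextUpdate is already in the past. The following is an added example, not part of Paul's reply and not libreswan or NSS code: a stdlib-only Python script that parses a DER-encoded CRL far enough to read thisUpdate, nextUpdate and the revoked serial numbers, then reports for a given serial both whether it is listed and whether the CRL is still fresh. The sample CRL it builds is constructed in the script itself (unsigned, with a dummy signature field), and the issuer name and serial numbers are made up for illustration; the signature is not verified, so this is a freshness and content check to run on a CRL you already trust, not a replacement for validation.

```python
"""Inspect a DER CRL before importing it: is it still fresh, and which serials does it list?

Added example (not libreswan/NSS code). The DER helpers cover only the
structures a CRL uses; the sample CRL at the bottom is constructed here.
"""
from datetime import datetime, timezone


# --- minimal DER encoding, only used to build the constructed sample CRL ---
def der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body


def seq(*items):
    return tlv(0x30, b"".join(items))


def integer(n):
    # Extra byte keeps a leading zero when the high bit is set (DER INTEGER is signed).
    return tlv(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big"))


def utctime(dt):
    return tlv(0x17, dt.strftime("%y%m%d%H%M%SZ").encode())


# --- minimal DER decoding ---
def read_tlv(buf, pos):
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: next (length & 0x7f) bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def children(body):
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = read_tlv(body, pos)
        out.append((tag, val))
    return out


def parse_time(tag, val):
    s = val.decode()
    if tag == 0x17:  # UTCTime
        return datetime.strptime(s, "%y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)
    if tag == 0x18:  # GeneralizedTime
        return datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)
    raise ValueError("unexpected time tag 0x%02x" % tag)


def parse_crl(der):
    """Return thisUpdate, nextUpdate (may be None) and {serial: revocationDate}."""
    _, body, _ = read_tlv(der, 0)                # CertificateList SEQUENCE
    fields = children(children(body)[0][1])      # tbsCertList fields
    i = 1 if fields[0][0] == 0x02 else 0         # optional version INTEGER
    i += 2                                       # signature AlgorithmIdentifier, issuer Name
    this_update = parse_time(*fields[i]); i += 1
    next_update = None
    if i < len(fields) and fields[i][0] in (0x17, 0x18):
        next_update = parse_time(*fields[i]); i += 1
    revoked = {}
    if i < len(fields) and fields[i][0] == 0x30:  # revokedCertificates SEQUENCE OF
        for _, entry in children(fields[i][1]):
            parts = children(entry)
            revoked[int.from_bytes(parts[0][1], "big")] = parse_time(*parts[1])
    return {"this_update": this_update, "next_update": next_update, "revoked": revoked}


def crl_status(der, serial, now_iso):
    """Return (listed, fresh). 'now_iso' is a UTC timestamp like '2024-01-15T00:00:00Z'.

    The two facts are kept separate on purpose: what a stale CRL means is a
    policy decision (compare crl-strict= in ipsec.conf), not a parsing result.
    """
    crl = parse_crl(der)
    now = datetime.strptime(now_iso, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    fresh = crl["next_update"] is None or now <= crl["next_update"]
    return serial in crl["revoked"], fresh


# --- constructed sample: one revoked serial, valid for one week from 2024-01-10 ---
def build_sample_crl():
    alg = seq(tlv(0x06, bytes.fromhex("2a864886f70d01010b")))        # sha256WithRSAEncryption
    cn = seq(tlv(0x06, bytes.fromhex("550403")), tlv(0x0C, b"Constructed Root CA"))
    issuer = seq(tlv(0x31, cn))
    revoked = seq(seq(integer(0x1001), utctime(datetime(2024, 1, 9, 12, 0, 0))))
    tbs = seq(integer(1), alg, issuer,
              utctime(datetime(2024, 1, 10)), utctime(datetime(2024, 1, 17)), revoked)
    return seq(tbs, alg, tlv(0x03, b"\x00" * 17))  # dummy signature: not verifiable


SAMPLE_CRL = build_sample_crl()

if __name__ == "__main__":
    info = parse_crl(SAMPLE_CRL)
    print("thisUpdate:", info["this_update"], "nextUpdate:", info["next_update"])
    for serial, when in info["revoked"].items():
        print("revoked serial 0x%x at %s" % (serial, when))
    for when in ("2024-01-15T00:00:00Z", "2024-01-20T00:00:00Z"):
        print(when, "-> listed/fresh:", crl_status(SAMPLE_CRL, 0x1001, when))
```

Running it against a real CRL file means replacing SAMPLE_CRL with `open(path, "rb").read()` (convert PEM to DER first if needed). If the freshness check fails, re-sign and re-import the CRL rather than relying on the stale copy; with a hard-fail policy a stale CRL blocks even certificates that were never revoked.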
_______________________________________________
Swan mailing list
Swan@lists.libreswan.org
https://lists.libreswan.org/mailman/listinfo/swan