Posted to users@httpd.apache.org by Ralf Mellis <r....@kisters.com> on 2002/09/27 16:53:29 UTC

[users@httpd] Revoking a client certificate has no effect

Hi,

I'm currently testing the creation of client certificates.
(System: apache 1.3.26, mod_ssl 2.8.10-1.3.26, OpenSSL 0.9.6g).

I have successfully set up my server with my own CA. In addition,
there is no problem generating my client certificates.

Now the problem: After revoking a certificate with the command

openssl ca -revoke </path/to/certificate> -config </path/to/openssl/config/from/virtualhost>

it is still possible to access my server from the box where I installed this certificate.
The above command seemed to be successful, giving the output:

##### snip ####
Using configuration from </path/to/config/from/virtualhost>
Revoking Certificate 04.
Data Base Updated
#### snap ####

I am wondering a bit why the CRL is not updated in any way...

Here now the relevant sections of my config files:

1. openssl.cnf (from virtual host)

[ CA_default ]

dir             = /usr/ssl/kmc          # Where everything is kept
certs           = $dir/certs            # Where the issued certs are kept
crl_dir         = $dir/crl              # Where the issued crl are kept
database        = $dir/index.txt        # database index file.
new_certs_dir   = $dir/newcerts         # default place for new certs.
certificate     = /etc/httpd/ssl.crt/kmc-ca.crt         # The CA certificate
serial          = $dir/serial           # The current serial number
crl             = $dir/crl/crl.pem              # The current CRL
private_key     = /etc/httpd/ssl.key/kmc-ca.key # The private key
RANDFILE        = $dir/private/.rand    # private random number file

2. httpd.conf (in scope of a named virtual host)

<IfDefine SSL>
        SSLEngine On
        SSLCertificateFile      /etc/httpd/ssl.crt/kmc-server.crt
        SSLCertificateKeyFile   /etc/httpd/ssl.key/kmc-server.key
        SSLCACertificateFile    /etc/httpd/ssl.crt/kmc-ca.crt
        SSLVerifyClient require
        SSLCARevocationFile     /usr/ssl/kmc/crl/crl.pem
</IfDefine>

What's going wrong?

-- 
Ralf Mellis
Kisters Maschinenbau GmbH
Abteilung DV/ORG
47533 Kleve
Boschstr. 1-3
Germany
Telefon	+49(0)2821-503-0
Fax	+49(0)2821-26110
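
Added example (not part of the original post): `openssl ca -revoke` only marks the entry `R` in the CA database (`index.txt`), while the CRL file is written by a separate `openssl ca -gencrl` run, so this shell function lists serials that are revoked in the database but missing from the CRL. The sample `index.txt` and CRL text are constructed, and `stale_serials` and the `/CN=client-*` subjects are hypothetical names.

```shell
# stale_serials INDEX_TXT CRL_TEXT
#   INDEX_TXT: CA database (tab-separated: field 1 = status, field 4 = hex serial)
#   CRL_TEXT:  saved output of `openssl crl -in crl.pem -noout -text`
# Prints each serial marked R in the database that the CRL does not list.
stale_serials() {
    awk -F'\t' -v crl="$2" '
        BEGIN {
            # Collect every serial the CRL lists (missing/empty file = none).
            while ((getline line < crl) > 0)
                if (line ~ /Serial Number:/) {
                    sub(/.*Serial Number:[ \t]*/, "", line)
                    gsub(/[ \t\r]/, "", line)
                    seen[toupper(line)] = 1
                }
        }
        $1 == "R" && !(toupper($4) in seen) { print toupper($4) }
    ' "$1"
}

demo=$(mktemp -d)
# Constructed index.txt: serials 03 and 04 revoked, 05 still valid.
printf 'R\t030927145329Z\t020920095811Z\t03\tunknown\t/CN=client-a\n' >  "$demo/index.txt"
printf 'R\t030927145329Z\t020927145329Z\t04\tunknown\t/CN=client-b\n' >> "$demo/index.txt"
printf 'V\t030927145329Z\t\t05\tunknown\t/CN=client-c\n'              >> "$demo/index.txt"
# Constructed CRL text, as if generated before serial 04 was revoked.
cat > "$demo/crl.txt" <<'EOF'
Certificate Revocation List (CRL):
        Last Update: Sep 20 10:00:00 2002 GMT
        Next Update: Oct 20 10:00:00 2002 GMT
Revoked Certificates:
    Serial Number: 03
        Revocation Date: Sep 20 09:58:11 2002 GMT
EOF
stale_serials "$demo/index.txt" "$demo/crl.txt"
```

Any serial printed means the CRL predates that revocation. Against real data, pass the CA's `index.txt` and the text dump of the file named in `SSLCARevocationFile`.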

