Posted to users@httpd.apache.org by Ralf Mellis <r....@kisters.com> on 2002/09/27 16:53:29 UTC
[users@httpd] Revoking a client certificate has no effect
Hi,
I'm currently testing the creation of client certificates.
(System: apache 1.3.26, mod_ssl 2.8.10-1.3.26, OpenSSL 0.9.6g).
I have successfully set up my server with my own CA. In addition,
there is no problem generating my client certificates.
Now the problem: After revoking a certificate with the command
openssl ca -revoke </path/to/certificate> -config </path/to/openssl/config/from/virtualhost>
it is still possible to access my server from the box where I installed this certificate.
The above command seemed to be successful, giving the output:
##### snip ####
Using configuration from </path/to/config/from/virtualhost>
Revoking Certificate 04.
Data Base Updated
#### snap ####
I am wondering a bit why the CRL is not updated in any way...
Here now the relevant sections of my config files:
1. openssl.cnf (from virtual host)
[ CA_default ]
dir = /usr/ssl/kmc # Where everything is kept
certs = $dir/certs # Where the issued certs are kept
crl_dir = $dir/crl # Where the issued crl are kept
database = $dir/index.txt # database index file.
new_certs_dir = $dir/newcerts # default place for new certs.
certificate = /etc/httpd/ssl.crt/kmc-ca.crt # The CA certificate
serial = $dir/serial # The current serial number
crl = $dir/crl/crl.pem # The current CRL
private_key = /etc/httpd/ssl.key/kmc-ca.key # The private key
RANDFILE = $dir/private/.rand # private random number file
2. httpd.conf (in scope of a named virtual host)
<IfDefine SSL>
SSLEngine On
SSLCertificateFile /etc/httpd/ssl.crt/kmc-server.crt
SSLCertificateKeyFile /etc/httpd/ssl.key/kmc-server.key
SSLCACertificateFile /etc/httpd/ssl.crt/kmc-ca.crt
SSLVerifyClient require
SSLCARevocationFile /usr/ssl/kmc/crl/crl.pem
</IfDefine>
What's going wrong?
--
Ralf Mellis
Kisters Maschinenbau GmbH
Abteilung DV/ORG
47533 Kleve
Boschstr. 1-3
Germany
Telefon +49(0)2821-503-0
Fax +49(0)2821-26110
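
The following is an added example, not part of the original post: a shell script that reproduces the symptom on a throwaway CA and checks whether a revoked serial actually appears in the CRL file. It assumes a current OpenSSL command line (not the 0.9.6g mentioned above); the temp directory, subjects and file names are constructed for the demo.

```shell
# Added example: throwaway CA in a temp dir; all names, subjects and paths are constructed.
set -eu
demo_ca_setup() {   # run inside an empty dir: build a CA, issue one client cert (serial 01)
    mkdir newcerts crl; : > index.txt; echo 01 > serial
    cat > openssl.cnf <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
[ dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
[ ca ]
default_ca = CA_default
[ CA_default ]
database = index.txt
new_certs_dir = newcerts
certificate = ca.crt
private_key = ca.key
serial = serial
default_md = sha256
default_crl_days = 7
policy = policy_any
[ policy_any ]
commonName = supplied
EOF
    openssl req -config openssl.cnf -x509 -newkey rsa:2048 -nodes \
        -subj "/CN=Demo CA" -keyout ca.key -out ca.crt 2>/dev/null
    openssl req -config openssl.cnf -new -newkey rsa:2048 -nodes \
        -subj "/CN=demo client" -keyout client.key -out client.csr 2>/dev/null
    openssl ca -batch -days 30 -config openssl.cnf -in client.csr -out client.crt 2>/dev/null
}
crl_lists_serial() {   # $1 = CRL file, $2 = hex serial; true if the CRL revokes it
    openssl crl -in "$1" -noout -text | grep -Eq "Serial Number: $2[[:space:]]*\$"
}
client_accepted() {    # true if client.crt verifies with CRL checking switched on
    openssl verify -crl_check -CAfile ca.crt -CRLfile crl/crl.pem client.crt >/dev/null 2>&1
}
revocation_demo() (    # subshell; prints CRL/verify state after -revoke, then after -gencrl
    w=$(mktemp -d); cd "$w"; demo_ca_setup
    openssl ca -config openssl.cnf -gencrl -out crl/crl.pem 2>/dev/null   # initial, empty CRL
    openssl ca -config openssl.cnf -revoke client.crt 2>/dev/null         # marks index.txt only
    crl_lists_serial crl/crl.pem 01 && s1=listed || s1=stale
    client_accepted && a1=accepted || a1=rejected
    openssl ca -config openssl.cnf -gencrl -out crl/crl.pem 2>/dev/null   # rebuild from index.txt
    crl_lists_serial crl/crl.pem 01 && s2=listed || s2=stale
    client_accepted && a2=accepted || a2=rejected
    cd /; rm -rf "$w"; echo "$s1 $a1 $s2 $a2"
)
revocation_demo   # prints: stale accepted listed rejected
```

On a setup like the one in the post, the same `openssl crl -noout -text` check can be pointed at the file named in `SSLCARevocationFile`; a regenerated CRL is only picked up by mod_ssl after the server is restarted.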