我想在apache服务器中使用客户端和服务器身份验证和CRL配置SSL。
客户端和服务器证书在没有CRL(SSLCARevocationCheck none)的情况下工作正常但如果我无法使用CRL,我会在ssl_error_log中出现以下错误:
AH02039: Certificate Verification: Error (3): unable to get certificate CRL
这是我在conf.d / ssl.conf中的配置:
# Server cert Paths
SSLCertificateChainFile /etc/httpd/ejbca/my-server.fr-chain.pem
SSLCertificateFile /etc/httpd/ejbca/my-server.fr-cert.pem
SSLCertificateKeyFile /etc/httpd/ejbca/my-server.fr-key.pem
# Force client auth
SSLVerifyClient require
SSLVerifyDepthi 3
# Path to accepted CAs
SSLCACertificatePath /etc/httpd/ca/
# Path to CRLs
SSLCARevocationCheck chain
SSLCARevocationPath /etc/httpd/crl/
我的文件系统是:
ls -la /etc/httpd/ca/
total 0
drwxr-xr-x. 2 root root 42 27 avril 17:26 .
drwxr-xr-x. 6 root root 148 11 avril 11:58 ..
lrwxrwxrwx. 1 root root 46 27 avril 17:26 5ac1a54c.0 -> /etc/httpd/ejbca/MyPublicCA.pem
lrwxrwxrwx. 1 root root 40 27 avril 17:24 f5ee00f8.0 -> /etc/httpd/ejbca/MyCA.pem
ls -la /etc/httpd/crl
total 0
drwxr-xr-x. 2 root root 44 27 avril 15:48 .
drwxr-xr-x. 6 root root 148 11 avril 11:58 ..
lrwxrwxrwx. 1 root root 59 27 avril 15:48 5ac1a54c.r0 -> /etc/httpd/ejbca/crl/MyPublicCA-27-04-17-5ac1a54c-03.crl
lrwxrwxrwx. 1 root root 53 27 avril 15:48 f5ee00f8.r0 -> /etc/httpd/ejbca/crl/MyCA-27-04-17-f5ee00f8-04.crl
我的CRL是这样的:
openssl crl -in /etc/httpd/ejbca/crl/MyPublicCA-27-04-17-5ac1a54c-02.crl -noout -text
Certificate Revocation List (CRL):
Version 2 (0x1)
Signature Algorithm: sha256WithRSAEncryption
Issuer: /CN=MyPublicCA/OU=PKI/O=MyCorp
Last Update: Apr 27 13:48:03 2017 GMT
Next Update: May 7 13:48:03 2017 GMT
CRL extensions:
X509v3 Authority Key Identifier:
keyid:41:A2:ED:51:A5:7A:20:1C:66:C8:92:69:9B:F7:ED:F4:D3:29:27:FA
X509v3 CRL Number:
3
Revoked Certificates:
Serial Number: 34B6A3F76F6D3E59
Revocation Date: Apr 27 13:46:21 2017 GMT
Signature Algorithm: sha256WithRSAEncryption
6c:02:84:70:82:af:f5:18:15:4d:28:93:4b:f6:80:ae:c4:d8:
c0:5d:95:cc:97:c0:02:e7:40:d0:d7:db:63:0b:f0:80:22:97:
f0:82:39:e6:70:8f:31:a9:b8:a7:c1:00:1d:f9:2a:04:16:7f:
4f:41:3e:51:ff:14:8f:34:92:4d:6b:e9:da:7a:e1:11:cf:a8:
36:53:ac:95:da:36:2e:b4:a1:4b:d3:4e:4d:23:04:97:33:c5:
20:9c:46:64:11:73:3b:4e:4b:90:81:2c:69:5a:21:f4:af:3a:
31:24:0a:8e:e6:c3:3e:9b:8c:26:8f:fd:f4:52:92:41:10:30:
88:7c:39:2a:52:29:51:65:45:4e:e5:39:d6:06:9b:9e:71:6b:
76:a8:05:c5:3a:c3:f1:d1:95:72:6e:6c:be:38:5d:70:84:4b:
cc:51:e3:6b:c1:3b:02:95:c2:94:5e:c6:4a:dd:b4:a9:f8:6c:
ad:b6:e9:04:df:06:7e:58:92:fb:e5:e9:81:04:b8:7a:71:68:
f1:d1:a1:2c:79:e7:ed:0d:37:b0:36:c2:89:75:88:15:1f:6e:
4d:4e:74:c5:dc:c5:98:b4:26:51:f0:56:ec:77:95:31:5a:6e:
f5:70:f9:93:b0:1c:aa:e3:c6:bc:c3:28:8e:d0:76:3b:13:21:
30:3b:f6:5d
我使用EJBCA 6.3生成Certs和CRL
有什么建议吗?
感谢。
答案 0 :(得分:0)
我猜您的错误来自于您的客户端身份验证未设置为使用CRL的事实。为此,请更改openssl配置文件并添加int客户端证书部分:
[client_cert]
crlDistributionPoints = URI:http://example.com/intermediate.crl.pem
然后创建证书客户端证书,并且应该完成这项工作。 另一个问题可能来自您的crl无法访问的事实。您生成的crl必须是可访问的(在示例中,可以从h ttp://example.come/intermediate.crl.pem访问它,由您更改)
如果我不回答你的问题,请点击此处:https://jamielinux.com/docs/openssl-certificate-authority/certificate-revocation-lists.html
答案 1 :(得分:0)
如果您有中间CA,则需要同时提供根CA的CRL和中间CA的CRL(完整链)。您可以通过简单地连接这些CRL或使用SSLCARevocationPath [1]指向目录来完成此操作。
SSLCARevocationPath的注意事项:您需要以hash-value.rN格式提供文件。您可以通过执行ln -s ca.crl `openssl crl -hash -noout -in ca.crl`.r0 [2]
[1] https://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslcarevocationpath
[2] http://www.apacheweek.com/features/crl