
I want to configure SSL in Apache server with client and server authentication and CRL.

Client and server certificates are working perfectly without CRL (SSLCARevocationCheck none), but if I enable CRL, I keep getting the following error in ssl_error_log:

AH02039: Certificate Verification: Error (3): unable to get certificate CRL

Here is my configuration in conf.d/ssl.conf:

# Server cert Paths
SSLCertificateChainFile /etc/httpd/ejbca/my-server.fr-chain.pem
SSLCertificateFile /etc/httpd/ejbca/my-server.fr-cert.pem
SSLCertificateKeyFile /etc/httpd/ejbca/my-server.fr-key.pem
# Force client auth
SSLVerifyClient require
SSLVerifyDepth 3
# Path to accepted CAs
SSLCACertificatePath /etc/httpd/ca/
# Path to CRLs
SSLCARevocationCheck chain
SSLCARevocationPath /etc/httpd/crl/

My file system is:

ls -la /etc/httpd/ca/
total 0
drwxr-xr-x. 2 root root  42 27 avril 17:26 .
drwxr-xr-x. 6 root root 148 11 avril 11:58 ..
lrwxrwxrwx. 1 root root  46 27 avril 17:26 5ac1a54c.0 -> /etc/httpd/ejbca/MyPublicCA.pem
lrwxrwxrwx. 1 root root  40 27 avril 17:24 f5ee00f8.0 -> /etc/httpd/ejbca/MyCA.pem
ls -la /etc/httpd/crl
total 0
drwxr-xr-x. 2 root root  44 27 avril 15:48 .
drwxr-xr-x. 6 root root 148 11 avril 11:58 ..
lrwxrwxrwx. 1 root root  59 27 avril 15:48 5ac1a54c.r0 -> /etc/httpd/ejbca/crl/MyPublicCA-27-04-17-5ac1a54c-03.crl
lrwxrwxrwx. 1 root root  53 27 avril 15:48 f5ee00f8.r0 -> /etc/httpd/ejbca/crl/MyCA-27-04-17-f5ee00f8-04.crl

My CRLs look like this:

openssl crl -in /etc/httpd/ejbca/crl/MyPublicCA-27-04-17-5ac1a54c-02.crl -noout -text
Certificate Revocation List (CRL):
        Version 2 (0x1)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: /CN=MyPublicCA/OU=PKI/O=MyCorp
        Last Update: Apr 27 13:48:03 2017 GMT
        Next Update: May  7 13:48:03 2017 GMT
        CRL extensions:
            X509v3 Authority Key Identifier:
                keyid:41:A2:ED:51:A5:7A:20:1C:66:C8:92:69:9B:F7:ED:F4:D3:29:27:FA
            X509v3 CRL Number:
Revoked Certificates:
    Serial Number: 34B6A3F76F6D3E59
        Revocation Date: Apr 27 13:46:21 2017 GMT
    Signature Algorithm: sha256WithRSAEncryption

I used EJBCA 6.3 to generate certs and CRLs.

Any suggestions?

Thanks.

If you have an intermediate CA, you need to provide both the CRL of the root CA and the CRL of the intermediate CA (the full chain). You can do this by simply concatenating those CRLs, or by using SSLCARevocationPath [1] to point to a directory.

Note for SSLCARevocationPath: you need to provide the files in the form hash-value.rN. You can do this by executing ln -s ca.crl `openssl crl -hash -noout -in ca.crl`.r0 [2].

[1] https://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslcarevocationpath
[2] http://www.apacheweek.com/features/crl

I guess your error comes from the fact that your client authentication is not set up to use CRL. To do so, change your OpenSSL configuration file and add in the client cert part:

[ client_cert ]

crlDistributionPoints = URI:http://example.com/intermediate.crl.pem

Then create a client certificate and that should do the job. Another problem could come from the fact that your CRL is not accessible. The CRL you generated must be accessible (in the example, it is accessible from http://example.com/intermediate.crl.pem; change it to yours).

Check here if I don't answer your question: https://jamielinux.com/docs/openssl-certificate-authority/certificate-revocation-lists.html
