unable to get certificate crl

Patrice · Apr 27, 2017 · Viewed 8.7k times

I want to configure SSL in apache server with Client and Server authentication and CRL.

Client and server certificates are working perfectly without CRL (SSLCARevocationCheck none), but if I enable CRL, I keep getting the following error in ssl_error_log:

AH02039: Certificate Verification: Error (3): unable to get certificate CRL

Here is my configuration in conf.d/ssl.conf:

# Server cert Paths
SSLCertificateChainFile /etc/httpd/ejbca/my-server.fr-chain.pem
SSLCertificateFile /etc/httpd/ejbca/my-server.fr-cert.pem
SSLCertificateKeyFile /etc/httpd/ejbca/my-server.fr-key.pem

# Force client auth
SSLVerifyClient require
SSLVerifyDepth 3

# Path to accepted CAs
SSLCACertificatePath /etc/httpd/ca/

# Path to CRLs
SSLCARevocationCheck chain
SSLCARevocationPath /etc/httpd/crl/

My file system is:

ls -la /etc/httpd/ca/
total 0
drwxr-xr-x. 2 root root  42 27 avril 17:26 .
drwxr-xr-x. 6 root root 148 11 avril 11:58 ..
lrwxrwxrwx. 1 root root  46 27 avril 17:26 5ac1a54c.0 -> /etc/httpd/ejbca/MyPublicCA.pem
lrwxrwxrwx. 1 root root  40 27 avril 17:24 f5ee00f8.0 -> /etc/httpd/ejbca/MyCA.pem

ls -la /etc/httpd/crl
total 0
drwxr-xr-x. 2 root root  44 27 avril 15:48 .
drwxr-xr-x. 6 root root 148 11 avril 11:58 ..
lrwxrwxrwx. 1 root root  59 27 avril 15:48 5ac1a54c.r0 -> /etc/httpd/ejbca/crl/MyPublicCA-27-04-17-5ac1a54c-03.crl
lrwxrwxrwx. 1 root root  53 27 avril 15:48 f5ee00f8.r0 -> /etc/httpd/ejbca/crl/MyCA-27-04-17-f5ee00f8-04.crl

My CRLs are like so:

openssl crl -in /etc/httpd/ejbca/crl/MyPublicCA-27-04-17-5ac1a54c-02.crl -noout -text
Certificate Revocation List (CRL):
        Version 2 (0x1)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: /CN=MyPublicCA/OU=PKI/O=MyCorp
        Last Update: Apr 27 13:48:03 2017 GMT
        Next Update: May  7 13:48:03 2017 GMT
        CRL extensions:
            X509v3 Authority Key Identifier:
                keyid:41:A2:ED:51:A5:7A:20:1C:66:C8:92:69:9B:F7:ED:F4:D3:29:27:FA

            X509v3 CRL Number:
                3
Revoked Certificates:
    Serial Number: 34B6A3F76F6D3E59
        Revocation Date: Apr 27 13:46:21 2017 GMT
    Signature Algorithm: sha256WithRSAEncryption
         6c:02:84:70:82:af:f5:18:15:4d:28:93:4b:f6:80:ae:c4:d8:
         c0:5d:95:cc:97:c0:02:e7:40:d0:d7:db:63:0b:f0:80:22:97:
         f0:82:39:e6:70:8f:31:a9:b8:a7:c1:00:1d:f9:2a:04:16:7f:
         4f:41:3e:51:ff:14:8f:34:92:4d:6b:e9:da:7a:e1:11:cf:a8:
         36:53:ac:95:da:36:2e:b4:a1:4b:d3:4e:4d:23:04:97:33:c5:
         20:9c:46:64:11:73:3b:4e:4b:90:81:2c:69:5a:21:f4:af:3a:
         31:24:0a:8e:e6:c3:3e:9b:8c:26:8f:fd:f4:52:92:41:10:30:
         88:7c:39:2a:52:29:51:65:45:4e:e5:39:d6:06:9b:9e:71:6b:
         76:a8:05:c5:3a:c3:f1:d1:95:72:6e:6c:be:38:5d:70:84:4b:
         cc:51:e3:6b:c1:3b:02:95:c2:94:5e:c6:4a:dd:b4:a9:f8:6c:
         ad:b6:e9:04:df:06:7e:58:92:fb:e5:e9:81:04:b8:7a:71:68:
         f1:d1:a1:2c:79:e7:ed:0d:37:b0:36:c2:89:75:88:15:1f:6e:
         4d:4e:74:c5:dc:c5:98:b4:26:51:f0:56:ec:77:95:31:5a:6e:
         f5:70:f9:93:b0:1c:aa:e3:c6:bc:c3:28:8e:d0:76:3b:13:21:
         30:3b:f6:5d

I used EJBCA 6.3 to generate the certs and CRLs.

Any suggestions?

Thanks.

Answer

Jonas Felber · Nov 20, 2017

If you have an intermediate CA, you need to provide both the CRL of the root CA and the CRL of the intermediate CA (the full chain). You can do this by simply concatenating the CRLs, or by using SSLCARevocationPath [1] to point to a directory.

Note for SSLCARevocationPath: You need to provide the files in the form hash-value.rN. You can do this by executing ln -s ca.crl `openssl crl -hash -noout -in ca.crl`.r0 [2]

[1] https://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslcarevocationpath
[2] http://www.apacheweek.com/features/crl
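Worked example, added here and not part of the question or of Jonas Felber's answer: a POSIX shell script that builds a throwaway root -> intermediate -> client PKI with the openssl CLI in a scratch directory, revokes one client, reproduces the question's "error 3" with only the intermediate's CRL installed, and then fixes it by adding the root's CRL, both as hashed <hash>.rN links (the SSLCARevocationPath layout) and as one concatenated file (the SSLCARevocationFile layout). Every name in it (demo-root, demo-int, demo-client-ok, demo-client-revoked, the "store" directory) is invented for the demo. `openssl verify -crl_check_all` stands in for `SSLCARevocationCheck chain`; the one difference is that openssl verify reads hashed CA certificates and CRLs from a single -CApath directory, whereas mod_ssl reads them from two (SSLCACertificatePath and SSLCARevocationPath) with the same naming scheme. The link helper goes one step past the answer's single `ln -s`: like c_rehash, it takes the next free suffix, so a second CRL for the same issuer becomes <hash>.r1 instead of clobbering <hash>.r0.

```shell
#!/bin/sh
# Added example (not code from the question or the answer): a throwaway
# root -> intermediate -> client PKI in a scratch dir, one client revoked, then
# the two ways of handing mod_ssl the full CRL chain: hashed <hash>.rN links
# (SSLCARevocationPath) or one concatenated file (SSLCARevocationFile).
# All names (demo-root, demo-int, demo-client-*) are invented. Needs only the
# openssl CLI; nothing under /etc/httpd is touched.
set -eu

new_csr() {                      # $1 = scratch dir, $2 = CN, $3 = file stem
  openssl req -new -newkey rsa:2048 -nodes -config "$1/req.cnf" -subj "/CN=$2" \
    -keyout "$1/$3.key" -out "$1/$3.csr" 2>/dev/null
}

build_demo_pki() {               # $1 = scratch dir
  d=$1; mkdir -p "$d/ca-root" "$d/ca-int" "$d/store"
  printf '[ req ]\ndistinguished_name = dn\nprompt = no\n[ dn ]\nCN = placeholder\n' > "$d/req.cnf"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\nsubjectKeyIdentifier=hash\n' > "$d/ca.ext"
  printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature\nextendedKeyUsage=clientAuth\n' > "$d/leaf.ext"
  for ca in root int; do         # minimal 'openssl ca' config: only what -revoke/-gencrl need
    printf '[ ca ]\ndefault_ca = demo\n[ demo ]\ndatabase = %s/index.txt\ncrlnumber = %s/crlnumber\ndefault_md = sha256\ndefault_crl_days = 10\n' \
      "$d/ca-$ca" "$d/ca-$ca" > "$d/ca-$ca/ca.cnf"
    : > "$d/ca-$ca/index.txt"; echo 01 > "$d/ca-$ca/crlnumber"
  done
  new_csr "$d" demo-root root
  openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 30 -sha256 \
    -extfile "$d/ca.ext" -out "$d/root.pem" 2>/dev/null
  new_csr "$d" demo-int int
  openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" -set_serial 2 \
    -days 30 -sha256 -extfile "$d/ca.ext" -out "$d/int.pem" 2>/dev/null
  n=10
  for c in ok revoked; do
    new_csr "$d" "demo-client-$c" "client-$c"
    openssl x509 -req -in "$d/client-$c.csr" -CA "$d/int.pem" -CAkey "$d/int.key" -set_serial $n \
      -days 30 -sha256 -extfile "$d/leaf.ext" -out "$d/client-$c.pem" 2>/dev/null
    n=$((n+1))
  done
  # Revoke one client at the intermediate, then issue a CRL from EACH CA: with
  # SSLCARevocationCheck chain the intermediate itself is checked against the root's CRL.
  openssl ca -config "$d/ca-int/ca.cnf" -keyfile "$d/int.key" -cert "$d/int.pem" \
    -revoke "$d/client-revoked.pem" 2>/dev/null
  openssl ca -config "$d/ca-int/ca.cnf" -keyfile "$d/int.key" -cert "$d/int.pem" \
    -gencrl -md sha256 -out "$d/int.crl" 2>/dev/null
  openssl ca -config "$d/ca-root/ca.cnf" -keyfile "$d/root.key" -cert "$d/root.pem" \
    -gencrl -md sha256 -out "$d/root.crl" 2>/dev/null
  # SSLCACertificatePath naming: <subject hash>.N -> CA certificate.
  link_hashed "$d/root.pem" "$d/store" "$(openssl x509 -hash -noout -in "$d/root.pem")" ""
  link_hashed "$d/int.pem"  "$d/store" "$(openssl x509 -hash -noout -in "$d/int.pem")"  ""
}

# c_rehash-style link on the first free suffix, so two objects with the same
# hash become <hash>.r0 and <hash>.r1 instead of one link clobbering the other.
link_hashed() {                  # $1 = file, $2 = dir, $3 = hash, $4 = "" for certs, "r" for CRLs
  i=0; while [ -e "$2/$3.$4$i" ]; do i=$((i+1)); done
  ln -s "$1" "$2/$3.$4$i"
}

# SSLCARevocationPath naming: <issuer hash>.rN -> CRL. 'openssl crl -hash' hashes
# the CRL's issuer name, so it equals the .N hash of the CA cert that signed it.
add_crl() {                      # $1 = scratch dir, $2 = CRL file
  link_hashed "$2" "$1/store" "$(openssl crl -hash -noout -in "$2")" r
}

# Stand-in for SSLCARevocationCheck chain: -crl_check_all wants a CRL for every
# cert in the chain below the root. mod_ssl reads certs and CRLs from two
# directories; openssl verify reads both from one -CApath, hence one 'store'.
# Prints the verdict (stderr folded in) and returns openssl's exit status.
verify_with_path() {             # $1 = scratch dir, $2 = client cert
  openssl verify -crl_check_all -CApath "$1/store" "$2" 2>&1
}

# The answer's other option: concatenate root and intermediate CRLs into the
# single-file shape that SSLCARevocationFile takes.
verify_with_bundle() {           # $1 = scratch dir, $2 = client cert
  cat "$1/root.pem" "$1/int.pem" > "$1/chain.pem"
  cat "$1/root.crl" "$1/int.crl" > "$1/crl-bundle.pem"
  openssl verify -crl_check_all -CAfile "$1/chain.pem" -CRLfile "$1/crl-bundle.pem" "$2" 2>&1
}

# Reproduce the question, then fix it: 'sh crl-demo.sh run'.
if [ "${1:-}" = run ]; then
  W=$(mktemp -d); build_demo_pki "$W"
  add_crl "$W" "$W/int.crl"       # only the intermediate's CRL, as in the question
  verify_with_path "$W" "$W/client-ok.pem" || true       # error 3: unable to get certificate CRL
  add_crl "$W" "$W/root.crl"      # root's CRL added: the whole chain can now be checked
  verify_with_path "$W" "$W/client-ok.pem"               # OK
  verify_with_path "$W" "$W/client-revoked.pem" || true  # error 23: certificate revoked
  ls -l "$W/store"; rm -rf "$W"
fi
```

Run it as `sh crl-demo.sh run` (the file name is arbitrary). The first verify prints `error 3 at 1 depth lookup: unable to get certificate CRL`, the line from the question: the intermediate is part of the chain and has to be checked against the root's CRL, which is not there yet. After `add_crl` links root.crl as <root hash>.r0, the good client verifies and the revoked one fails with `certificate revoked`. The same sanity check applied to the question's layout: `openssl crl -hash -noout -in /etc/httpd/crl/5ac1a54c.r0` must print `5ac1a54c` and `openssl crl -hash -noout -in /etc/httpd/crl/f5ee00f8.r0` must print `f5ee00f8`, and each CRL's Next Update must still be in the future, otherwise the chain check fails the same way. With OpenSSL 1.1.0 or later, `openssl rehash /etc/httpd/crl/` creates the .rN links for a whole directory in one go; reload httpd afterwards, since a CRL already loaded under a given name is not re-read when the file changes.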