unable to get certificate crl
I want to configure SSL in apache server with Client and Server authentication and CRL.
Client and server certificates are working perfectly without CRL (SSLCARevocationCheck none) but if I unable CRL, I keep getting the following error in ssl_error_log :
AH02039: Certificate Verification: Error (3): unable to get certificate CRL
Here is my configuration in conf.d/ssl.conf :
# Server cert Paths
SSLCertificateChainFile /etc/httpd/ejbca/my-server.fr-chain.pem
SSLCertificateFile /etc/httpd/ejbca/my-server.fr-cert.pem
SSLCertificateKeyFile /etc/httpd/ejbca/my-server.fr-key.pem
# Force client auth
SSLVerifyClient require
SSLVerifyDepthi 3
# Path to accepted CAs
SSLCACertificatePath /etc/httpd/ca/
# Path to CRLs
SSLCARevocationCheck chain
SSLCARevocationPath /etc/httpd/crl/
My file system is :
ls -la /etc/httpd/ca/
total 0
drwxr-xr-x. 2 root root 42 27 avril 17:26 .
drwxr-xr-x. 6 root root 148 11 avril 11:58 ..
lrwxrwxrwx. 1 root root 46 27 avril 17:26 5ac1a54c.0 -> /etc/httpd/ejbca/MyPublicCA.pem
lrwxrwxrwx. 1 root root 40 27 avril 17:24 f5ee00f8.0 -> /etc/httpd/ejbca/MyCA.pem
ls -la /etc/httpd/crl
total 0
drwxr-xr-x. 2 root root 44 27 avril 15:48 .
drwxr-xr-x. 6 root root 148 11 avril 11:58 ..
lrwxrwxrwx. 1 root root 59 27 avril 15:48 5ac1a54c.r0 -> /etc/httpd/ejbca/crl/MyPublicCA-27-04-17-5ac1a54c-03.crl
lrwxrwxrwx. 1 root root 53 27 avril 15:48 f5ee00f8.r0 -> /etc/httpd/ejbca/crl/MyCA-27-04-17-f5ee00f8-04.crl
My CRLs are like so :
openssl crl -in /etc/httpd/ejbca/crl/MyPublicCA-27-04-17-5ac1a54c-02.crl -noout -text
Certificate Revocation List (CRL):
Version 2 (0x1)
Signature Algorithm: sha256WithRSAEncryption
Issuer: /CN=MyPublicCA/OU=PKI/O=MyCorp
Last Update: Apr 27 13:48:03 2017 GMT
Next Update: May 7 13:48:03 2017 GMT
CRL extensions:
X509v3 Authority Key Identifier:
keyid:41:A2:ED:51:A5:7A:20:1C:66:C8:92:69:9B:F7:ED:F4:D3:29:27:FA
X509v3 CRL Number:
3
Revoked Certificates:
Serial Number: 34B6A3F76F6D3E59
Revocation Date: Apr 27 13:46:21 2017 GMT
Signature Algorithm: sha256WithRSAEncryption
6c:02:84:70:82:af:f5:18:15:4d:28:93:4b:f6:80:ae:c4:d8:
c0:5d:95:cc:97:c0:02:e7:40:d0:d7:db:63:0b:f0:80:22:97:
f0:82:39:e6:70:8f:31:a9:b8:a7:c1:00:1d:f9:2a:04:16:7f:
4f:41:3e:51:ff:14:8f:34:92:4d:6b:e9:da:7a:e1:11:cf:a8:
36:53:ac:95:da:36:2e:b4:a1:4b:d3:4e:4d:23:04:97:33:c5:
20:9c:46:64:11:73:3b:4e:4b:90:81:2c:69:5a:21:f4:af:3a:
31:24:0a:8e:e6:c3:3e:9b:8c:26:8f:fd:f4:52:92:41:10:30:
88:7c:39:2a:52:29:51:65:45:4e:e5:39:d6:06:9b:9e:71:6b:
76:a8:05:c5:3a:c3:f1:d1:95:72:6e:6c:be:38:5d:70:84:4b:
cc:51:e3:6b:c1:3b:02:95:c2:94:5e:c6:4a:dd:b4:a9:f8:6c:
ad:b6:e9:04:df:06:7e:58:92:fb:e5:e9:81:04:b8:7a:71:68:
f1:d1:a1:2c:79:e7:ed:0d:37:b0:36:c2:89:75:88:15:1f:6e:
4d:4e:74:c5:dc:c5:98:b4:26:51:f0:56:ec:77:95:31:5a:6e:
f5:70:f9:93:b0:1c:aa:e3:c6:bc:c3:28:8e:d0:76:3b:13:21:
30:3b:f6:5d
I Used EJBCA 6.3 to generate Certs and CRLs
Any suggestions ?
Thanks.
Answer
If you have an intermediate CA, you need to provide both, the CRL of the root CA and the CRL of the intermediate CA (the full chain). You can do this by simply concatenating the CRLs of those or use the SSLCARevocationPath[1] to point to a directory.
Note for SSLCARevocationPath: You need to provide the files in the form hash-value.rN. You can do this by executing ln -s ca.crl `openssl crl -hash -noout -in ca.crl`.r0 [2]
[1] https://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslcarevocationpath
[2] http://www.apacheweek.com/features/crl