httpd-users mailing list archives

From Ralf Mellis <>
Subject [users@httpd] Revoking a client certificate has no effect
Date Fri, 27 Sep 2002 14:53:29 GMT

I'm currently testing the creation of client certificates.
(System: apache 1.3.26, mod_ssl 2.8.10-1.3.26, OpenSSL 0.9.6g).

I have successfully set up my server with my own CA. In addition,
there is no problem generating my client certificates.

Now the problem: After revoking a certificate with the command

openssl ca -revoke </path/to/certificate> -config </path/to/openssl/config/from/virtualhost>

it is still possible to access my server from the box where I installed this certificate.
The above command seemed to be successful, giving the output:

##### snip ####
Using configuration from </path/to/config/from/virtualhost>
Revoking Certificate 04.
Data Base Updated
#### snap ####

I am wondering a bit why the CRL is not updated in any way...

Here now the relevant sections of my config files:

1. openssl.cnf (from virtual host)

[ CA_default ]

dir             = /usr/ssl/kmc          # Where everything is kept
certs           = $dir/certs            # Where the issued certs are kept
crl_dir         = $dir/crl              # Where the issued crl are kept
database        = $dir/index.txt        # database index file.
new_certs_dir   = $dir/newcerts         # default place for new certs.
certificate     = /etc/httpd/ssl.crt/kmc-ca.crt         # The CA certificate
serial          = $dir/serial           # The current serial number
crl             = $dir/crl/crl.pem              # The current CRL
private_key     = /etc/httpd/ssl.key/kmc-ca.key # The private key
RANDFILE        = $dir/private/.rand    # private random number file

2. httpd.conf (in scope of a named virtual host)

<IfDefine SSL>
        SSLEngine On
        SSLCertificateFile      /etc/httpd/ssl.crt/kmc-server.crt
        SSLCertificateKeyFile   /etc/httpd/ssl.key/kmc-server.key
        SSLCACertificateFile    /etc/httpd/ssl.crt/kmc-ca.crt
        SSLVerifyClient require
        SSLCARevocationFile     /usr/ssl/kmc/crl/crl.pem

What's going wrong?

Ralf Mellis
Kisters Maschinenbau GmbH
Abteilung DV/ORG
47533 Kleve
Boschstr. 1-3
Telefon	+49(0)2821-503-0
Fax	+49(0)2821-26110
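
Added example, not part of the original message: `openssl ca -revoke` only marks the entry as revoked in the CA database (`index.txt`); the CRL file that `SSLCARevocationFile` points to is written by a separate `openssl ca -gencrl -out <crl file> -config <config>` run. The check below compares the two and lists revoked serials the CRL does not yet carry; the function names and the sample data are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original message).
# index.txt columns, tab-separated: status, expiry, revocation date, serial,
# file name, subject. Status "R" marks a revoked certificate.

# revoked_not_in_crl INDEX_FILE CRL_TEXT_FILE
# CRL_TEXT_FILE holds the output of: openssl crl -in crl.pem -noout -text
# Prints every serial that is revoked in the database but absent from the CRL.
revoked_not_in_crl() {
    crl_serials=$(sed -n 's/^ *Serial Number: *\([0-9A-Fa-f]*\).*/\1/p' "$2" |
        tr 'a-f' 'A-F')
    awk -F '\t' '$1 == "R" { print toupper($4) }' "$1" |
    while read -r serial; do
        printf '%s\n' "$crl_serials" | grep -qxF "$serial" ||
            printf '%s\n' "$serial"
    done
}

# make_sample DIR: write constructed sample data (serial 04 revoked, as in the
# message; subjects, dates and issuer are made up).
make_sample() {
    printf 'V\t030927145329Z\t\t03\tunknown\t/CN=client-a\n' > "$1/index.txt"
    printf 'R\t030927145329Z\t020927145000Z\t04\tunknown\t/CN=client-b\n' >> "$1/index.txt"
    # CRL text as it looks when the CRL has not been regenerated
    cat > "$1/crl_stale.txt" <<'EOF'
Certificate Revocation List (CRL):
        Version 1 (0x0)
        Issuer: /CN=Constructed Test CA
No Revoked Certificates.
EOF
    # CRL text after the CRL has been regenerated
    cat > "$1/crl_fresh.txt" <<'EOF'
Certificate Revocation List (CRL):
        Version 1 (0x0)
        Issuer: /CN=Constructed Test CA
Revoked Certificates:
    Serial Number: 04
        Revocation Date: Sep 27 14:50:00 2002 GMT
EOF
}

tmp=$(mktemp -d)
make_sample "$tmp"
echo "stale CRL, missing: $(revoked_not_in_crl "$tmp/index.txt" "$tmp/crl_stale.txt")"
echo "fresh CRL, missing: $(revoked_not_in_crl "$tmp/index.txt" "$tmp/crl_fresh.txt")"
rm -rf "$tmp"
```

Any serial printed means the CRL has to be regenerated and the server restarted so that it rereads the file.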
