httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From domi <>
Subject Re: [users@httpd] Problem with revoked certificates.
Date Sun, 04 Feb 2007 14:42:42 GMT

Issac wrote:

> domi wrote:
>> All the steps in OpenSSL and Apache work as far as I can say. Now follow
>> some steps to access my site.
>> step 1: start the Apache with /etc/init.d/apache2 startssl
>> The certificate in the Apache ssl-global.conf is NOT revoked.
>> step 2: start Firefox 2.0.1 and call the site
>> Of course you must trust the certificate.
> I'm not a FireFox expert, but it stands to reason that if you manually 
> trust the cert at this point, it'll continue to be "trusted" even if 
> it's revoked later. 
> What you really want to do is browse to your root cert, import that 
> (which will grant implicit trust to "testcert") and then try importing 
> the CRL and see if you get any notices.
>   Issac

Hey Issac,

both thumbs up for you. After reading your post I built a new CA, created a
new certificate, revoked it and create the CRl. Then I imported the
certificate of the CA and afterwards the CRL.

After a new start of Apache and Firefox I made my first try to access the
new site with the new (revoked) certificate and in deed Firefox told me that
the certificate was revoked. =) That is great and perhaps I’ll jump around
enjoying myself for a few minutes.

But that leads me to another problem. Back to my old scenario: Why does the
trust remain forever although the certificate was revoked? I would expect
that it is possible to trust a certificate and to alter my opinion when it
gets revoked …

Am I wrong? Have you got or anybody else out there an answer to this

best regards domi

View this message in context:
Sent from the Apache HTTP Server - Users mailing list archive at

The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:> for more info.
To unsubscribe, e-mail:
   "   from the digest:
For additional commands, e-mail:

View raw message