httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From domi <Ketteltas...@web.de>
Subject Re: [users@httpd] Problem with revoked certificates.
Date Sun, 04 Feb 2007 14:42:42 GMT

Issac wrote:


> domi wrote:
>> All the steps in OpenSSL and Apache work as far as I can say. Now follow
>> some steps to access my site.
>> step 1: start the Apache with /etc/init.d/apache2 startssl
>> The certificate in the Apache ssl-global.conf is NOT revoked.
>>
>> step 2: start Firefox 2.0.1 and call the site https://192.168.0.2
>> Of course you must trust the certificate.
>>   
> I'm not a FireFox expert, but it stands to reason that if you manually 
> trust the cert at this point, it'll continue to be "trusted" even if 
> it's revoked later. 
> 
> What you really want to do is browse to your root cert, import that 
> (which will grant implicit trust to "testcert") and then try importing 
> the CRL and see if you get any notices.
> 
>   Issac
> 
> 

Hey Issac,

both thumbs up for you. After reading your post I built a new CA, created a
new certificate, revoked it and create the CRl. Then I imported the
certificate of the CA and afterwards the CRL.

After a new start of Apache and Firefox I made my first try to access the
new site with the new (revoked) certificate and in deed Firefox told me that
the certificate was revoked. =) That is great and perhaps I’ll jump around
enjoying myself for a few minutes.

But that leads me to another problem. Back to my old scenario: Why does the
trust remain forever although the certificate was revoked? I would expect
that it is possible to trust a certificate and to alter my opinion when it
gets revoked …

Am I wrong? Have you got or anybody else out there an answer to this
question?

best regards domi

-- 
View this message in context: http://www.nabble.com/Problem-with-revoked-certificates.-tf3169656.html#a8793352
Sent from the Apache HTTP Server - Users mailing list archive at Nabble.com.


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Mime
View raw message