Hazel wrote:
>1. First, use "openssl ca" to generate a CRL.
Commands I used to revoke and then regenerate the CRL:
openssl ca -verbose $SSLEAY_CONFIG -revoke ./CA/certs/test.crt
openssl ca -verbose $SSLEAY_CONFIG -gencrl -batch -out ./CA/crl/test.crl
>2. Make sure that your web server supports CRL check. If it does, add
>the CRL file path to the web conf file.
Web server: Apache/1.3.9 (Unix) mod_ssl/2.4.10 OpenSSL/0.9.3a mod_perl/1.21 PHP/3.0.12
snip httpd.conf--------------
SSLCACertificateFile /usr/local/ssl/CA/ca.crt
SSLCACertificatePath /usr/local/ssl/CA
SSLEngine on
SSLCARevocationPath /usr/local/ssl/CA/crl
SSLCertificateFile /usr/local/ssl/CA/certs/secure.crt
SSLCertificateKeyFile /usr/local/ssl/CA/newcerts/secure.key
SSLVerifyClient none
SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
<Location /test>
SSLVerifyClient require
SSLVerifyDepth 1
SSLRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)-/ \
             and %{SSL_CLIENT_S_DN_O} eq "Rabbits R Us Technical Consulting" \
             and %{SSL_CLIENT_S_DN_OU} in {"Documents", "Tech", "Dev"} )
</Location>
EOF---------------
Hazel
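An added end-to-end check of the revoke/CRL steps above (example script, not Hazel's or the list's own commands): it builds a throwaway CA in a temp directory, issues and then revokes a client cert, generates the CRL, installs it under the hashed file name SSLCARevocationPath looks for, and confirms with `openssl verify -crl_check` that the revoked cert is rejected. The CA config, file names and subjects are all constructed for this example.

```shell
# Added example, not from the thread. Every path, subject and config
# value below is constructed; the only real tools are openssl + a POSIX sh.
crl_revocation_demo() {
  work=$(mktemp -d) && cd "$work" || return 1
  mkdir certs crl newcerts && touch index.txt && echo 01 > serial
  # minimal openssl.cnf for "openssl req" / "openssl ca" (constructed)
  cat > ca.cnf <<'EOF'
[ ca ]
default_ca = demo_ca
[ demo_ca ]
database = index.txt
new_certs_dir = newcerts
certificate = ca.crt
private_key = ca.key
serial = serial
default_md = sha256
default_days = 365
default_crl_days = 30
policy = demo_policy
[ demo_policy ]
commonName = supplied
[ req ]
distinguished_name = req_dn
x509_extensions = v3_ca
[ req_dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
  openssl req -x509 -config ca.cnf -newkey rsa:2048 -nodes -days 365 \
    -subj /CN=DemoCA -keyout ca.key -out ca.crt >/dev/null 2>&1
  openssl req -config ca.cnf -newkey rsa:2048 -nodes \
    -subj /CN=client -keyout client.key -out client.csr >/dev/null 2>&1
  openssl ca -batch -config ca.cnf -in client.csr -out certs/client.crt >/dev/null 2>&1
  # before revocation the client cert verifies against the CA
  openssl verify -CAfile ca.crt certs/client.crt >/dev/null 2>&1 || return 1
  # revoke, then regenerate the CRL (the two steps the thread asks about)
  openssl ca -config ca.cnf -revoke certs/client.crt >/dev/null 2>&1
  openssl ca -config ca.cnf -gencrl -out crl/ca.crl >/dev/null 2>&1
  # mod_ssl finds CRLs in SSLCARevocationPath by issuer-name hash: <hash>.r0
  ln -s ca.crl "crl/$(openssl crl -in crl/ca.crl -noout -hash).r0"
  # with CRL checking on, the revoked cert must now fail verification
  if openssl verify -crl_check -CAfile ca.crt -CRLfile crl/ca.crl \
       certs/client.crt >/dev/null 2>&1; then
    echo revoked-cert-accepted; return 1   # CRL is not being consulted
  fi
  echo revoked-cert-rejected
}
crl_revocation_demo
```

OpenSSL 1.0 changed the name-hash algorithm, so on a 0.9.x stack like the one above the `<hash>.r0` link must use the old-style hash, which newer OpenSSL prints with `openssl crl -hash_old`.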
Michael Harvey wrote:
> I need help with setting up CRLs.
> I run a small www site for a special group.
> I set up a self-signed CA. My problem:
> each client has a cert that is checked.
> How do I revoke a cert?
> I tried... but they still can log in. Any help would be great, thanks
> in [EMAIL PROTECTED]
> Michael Harvey
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]