Apache 无法获取证书crl
我想在apache服务器中配置SSL,使用客户端和服务器身份验证以及CRL 客户端和服务器证书在没有CRL(Apache 无法获取证书crl,apache,ssl,certificate-revocation,ejbca,Apache,Ssl,Certificate Revocation,Ejbca,我想在apache服务器中配置SSL,使用客户端和服务器身份验证以及CRL 客户端和服务器证书在没有CRL(SSLCARevocationCheck none)的情况下工作正常,但如果我无法使用CRL,我会在ssl\u错误\u日志中不断收到以下错误: AH02039:证书验证:错误(3):无法获取证书CRL 以下是我在conf.d/ssl.conf中的配置: # Server cert Paths SSLCertificateChainFile /etc/httpd/ejbca/my-serve
SSLCARevocationCheck noneAH02039:证书验证:错误(3):无法获取证书CRL# Server cert Paths
SSLCertificateChainFile /etc/httpd/ejbca/my-server.fr-chain.pem
SSLCertificateFile /etc/httpd/ejbca/my-server.fr-cert.pem
SSLCertificateKeyFile /etc/httpd/ejbca/my-server.fr-key.pem
# Force client auth
SSLVerifyClient require
SSLVerifyDepthi 3
# Path to accepted CAs
SSLCACertificatePath /etc/httpd/ca/
# Path to CRLs
SSLCARevocationCheck chain
SSLCARevocationPath /etc/httpd/crl/
ls -la /etc/httpd/ca/
total 0
drwxr-xr-x. 2 root root 42 27 avril 17:26 .
drwxr-xr-x. 6 root root 148 11 avril 11:58 ..
lrwxrwxrwx. 1 root root 46 27 avril 17:26 5ac1a54c.0 -> /etc/httpd/ejbca/MyPublicCA.pem
lrwxrwxrwx. 1 root root 40 27 avril 17:24 f5ee00f8.0 -> /etc/httpd/ejbca/MyCA.pem
ls -la /etc/httpd/crl
total 0
drwxr-xr-x. 2 root root 44 27 avril 15:48 .
drwxr-xr-x. 6 root root 148 11 avril 11:58 ..
lrwxrwxrwx. 1 root root 59 27 avril 15:48 5ac1a54c.r0 -> /etc/httpd/ejbca/crl/MyPublicCA-27-04-17-5ac1a54c-03.crl
lrwxrwxrwx. 1 root root 53 27 avril 15:48 f5ee00f8.r0 -> /etc/httpd/ejbca/crl/MyCA-27-04-17-f5ee00f8-04.crl
openssl crl -in /etc/httpd/ejbca/crl/MyPublicCA-27-04-17-5ac1a54c-02.crl -noout -text
Certificate Revocation List (CRL):
Version 2 (0x1)
Signature Algorithm: sha256WithRSAEncryption
Issuer: /CN=MyPublicCA/OU=PKI/O=MyCorp
Last Update: Apr 27 13:48:03 2017 GMT
Next Update: May 7 13:48:03 2017 GMT
CRL extensions:
X509v3 Authority Key Identifier:
keyid:41:A2:ED:51:A5:7A:20:1C:66:C8:92:69:9B:F7:ED:F4:D3:29:27:FA
X509v3 CRL Number:
3
Revoked Certificates:
Serial Number: 34B6A3F76F6D3E59
Revocation Date: Apr 27 13:46:21 2017 GMT
Signature Algorithm: sha256WithRSAEncryption
6c:02:84:70:82:af:f5:18:15:4d:28:93:4b:f6:80:ae:c4:d8:
c0:5d:95:cc:97:c0:02:e7:40:d0:d7:db:63:0b:f0:80:22:97:
f0:82:39:e6:70:8f:31:a9:b8:a7:c1:00:1d:f9:2a:04:16:7f:
4f:41:3e:51:ff:14:8f:34:92:4d:6b:e9:da:7a:e1:11:cf:a8:
36:53:ac:95:da:36:2e:b4:a1:4b:d3:4e:4d:23:04:97:33:c5:
20:9c:46:64:11:73:3b:4e:4b:90:81:2c:69:5a:21:f4:af:3a:
31:24:0a:8e:e6:c3:3e:9b:8c:26:8f:fd:f4:52:92:41:10:30:
88:7c:39:2a:52:29:51:65:45:4e:e5:39:d6:06:9b:9e:71:6b:
76:a8:05:c5:3a:c3:f1:d1:95:72:6e:6c:be:38:5d:70:84:4b:
cc:51:e3:6b:c1:3b:02:95:c2:94:5e:c6:4a:dd:b4:a9:f8:6c:
ad:b6:e9:04:df:06:7e:58:92:fb:e5:e9:81:04:b8:7a:71:68:
f1:d1:a1:2c:79:e7:ed:0d:37:b0:36:c2:89:75:88:15:1f:6e:
4d:4e:74:c5:dc:c5:98:b4:26:51:f0:56:ec:77:95:31:5a:6e:
f5:70:f9:93:b0:1c:aa:e3:c6:bc:c3:28:8e:d0:76:3b:13:21:
30:3b:f6:5d
谢谢。我猜您的错误是因为您的客户端身份验证未设置为使用CRL。为此,请更改openssl配置文件,并在客户端证书部分添加int: [客户证书] crlDistributionPoints=URI: 然后创建一个证书客户端证书,该证书将完成此工作。 另一个问题可能是您的crl无法访问。您生成的crl必须可以访问(在本例中,它可以从h访问)ttp://example.come/intermediate.crl.pem,由您自己更改)
如果我没有回答您的问题,请检查此处:如果您有中间CA,则需要同时提供根CA的CRL和中间CA的CRL(完整链)。您可以通过简单地连接这些CRL来实现这一点,或者使用
SSLCARevocationPathsslcavocationpathhash value.rNln-s ca.crl`openssl crl-hash-noout-in ca.crl`.r0[2]