SeeDk

Apache web server - how to revoke a certificate produced by a Windows CA?

RHEL 6.0
Apache/2.2.15

This environment uses a Windows Server2008R2 server as a CA.
The web server has been configured to accept certificates issued by that CA.
But I think there has been no configuration set for revoking certificates.

The "SSLCARevocationFile" path has been commented out in httpd.conf.

Is there another way I can revoke and/or block access to a specific certificate? Even if it is a manual process that would be fine. I want to test blocking a certificate for which I have all the information.
Michael Pfister

Check if your CA publishes a Certificate Revocation List (CRL, usually via web services).
Grab the CRL from the Windows server at regular intervals (e.g. wget) and save it to your web server.
Point your Apache to that file.
Rich Weissler

I can't speak intelligently about the Apache/Linux part of your question -- just the Windows CA part.

Do you have access to the Certificate Authority administrator tool for the Windows 2008 CA?
If you do, open the properties for the CA Server, and select the Extensions tab.  Hopefully the "CRL Distribution Point (CDP)" lists several locations for the Certificate Revocation List (CRL) and depending on the configuration, some may be the location where the CRL is written, and some are the location published in the certificate to retrieve the list.  Http is one common location, but Ldap is very common for Windows CA as well.

To test revocation, also within the CA tool, navigate to 'Issued Certificates' and find the certificate with which you wish to test.  Right click, "All Tasks" and select Revoke Certificate.  If you give the reason as "Certificate Hold", you can unrevoke later.  Once revoked, the certificate will be written to the CRL the next time the CRL is published.  You can force publication immediately by right clicking the "Revoked Certificates" folder and selecting "Publish".  HOWEVER: if on the machine you are testing revocation -- it believes it has the most recent CRL and doesn't expect a new CRL or delta-CRL to be published, it won't bother checking until the schedule indicates it would be published.  (You can look at that schedule if you right-click the Revoked Certificates folder in the tool and select properties.  The first tab will show you the "CRL Publishing Parameters".)
SeeDk

ASKER

@Michael
It has a CRL but it stays internally on the CA. I can see the list on the 'certsrv' window.
When I check the file in the "SSLCARevocationFile" path it is something like:
----BEGIN X509 CRL----
<garbled text>
----END X509 CRL---

Am I supposed to get similar text for each revoked certificate and save it to this file? How would I get this text from the Windows certificate?


@Rich
Yes, I have access to that and have revoked certificates. I see under Properties -> Extensions there is a "CRL Distribution Point" extension which lists locations to obtain the CRL:
Entries are:
C:\Windows\system32\CertSrv\CertEnroll\<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl
ldap:///CN=<CATruncatedName><CRLNameSuffix>,CN=<ServerShortName>,CN=CDP,CN=Public Key Services,CN=Services,<ConfigurationContainer><CDPObjectClass>
http://<ServerDNSName>/CertEnroll/<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl
file://<ServerDNSName>/CertEnroll/<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl


On a revoked certificate, if I go to Details -> Extended Error Information:
Revocation Status : OK. Effective Date <Monday, May 01, 2017 5:57:21 PM> Next Update <Tuesday, May 09, 2017 6:17:21 AM>


Does this mean the revocation won't take effect until May 9 or am I misinterpreting this?
I may be off base here, but I think we need to know what you are really trying to accomplish.  When a server is set up to trust certificates from a CA, the only time that comes into play is if you are requiring client-side certificates when doing SSL/TLS connections.

Although it is possible, typically this is not done except in environments that require a very, very high level of security.

So is your Apache set up to require clients to provide certificates when doing SSL/TLS connections?
> Does this mean the revocation won't take effect until May 9 or am I misinterpreting this?

That would be my interpretation as well, yes.  (I believe there is the possibility that a machine that hasn't checked the revocation status of that certificate since before May 1, then checks -- and finds the certificate has been revoked... would consider the certificate revoked.  But again, only if the CRL was manually published, etc... 'cause the CA isn't expected to publish a new CRL until May 9th.  That assumes OCSP isn't used, etc... that's just doing 'normal' CRL.  :-) )
SeeDk

ASKER

@giltjr

Yes, that is exactly the case. There is one certificate which was mistakenly sent to a client. I would like to revoke that certificate on the web server so it cannot be used to connect.

@Rich
Thanks, that is good to know. I think it won't affect this case since the Apache has not been configured to communicate with the Windows CA.
All you need to do is publish the CRL as an HTTP path on the CA server.
Navigate to CA server \ properties \ extension tab and add an HTTP path pointing to certenroll/revocationfile.crl.
While you add it, you need to make sure that the "add this path to issued certificates" checkbox is selected.
After that, no matter from which platform you request new certs, that path will be stamped in the certificate as the CRL and your revoke function will work.
If you revoked a cert from the CA it will invalidate your installed certificate, or the server will check against the HTTP CRL path to identify the server certificate's validity itself.

It might be possible that the Apache server may not use LDAP paths to connect to the CRL; HTTP is the standard method of CRL checking for all platforms.

One last thing: the currently installed certificate can't look up the HTTP path; you need to request a new cert from the CA after you add the HTTP-based CRL point on the CA server.

Mahesh.
ASKER CERTIFIED SOLUTION
arnold
SeeDk

ASKER

I downloaded the revocation list from that location. The lists consist of each certificate's serial number, Revocation date and CRL reason code.
Which part of this would I copy into the sslrevocationlist?
The whole thing, into the file that SSLCARevocationFile points to.

This is how it works: Apache will see a certificate presented by the user, it would then use the process to get its ID, and then it will check whether the ID is on its revocation list.
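The whole workflow the answers describe, as an added example that is not from this thread or from any of the posters: Michael's fetch-and-point-Apache loop, Rich's revoke-then-Publish step on the CA, and arnold's description of the check Apache performs. A throwaway OpenSSL CA stands in for the Windows 2008 R2 CA; the CDP URL, the `windows-ca.crl.pem` path and every file name are constructed for the demo. One detail the thread leaves implicit is that a Windows CA publishes `CertEnroll/<CaName>.crl` DER-encoded, while Apache 2.2's `SSLCARevocationFile` reads only the PEM form the asker quoted (`-----BEGIN X509 CRL-----`), so the conversion step below is the one that is easy to miss.

```shell
#!/bin/sh
# Added example: the CRL workflow from the thread, end to end, with a throwaway
# OpenSSL CA standing in for the Windows 2008 R2 CA. All paths and names here
# are constructed for the demo.
set -eu

WORK="${WORK:-$(mktemp -d)}"
CA_DIR="$WORK/ca"

# Throwaway CA plus one client certificate (the one "mistakenly sent to a client").
make_test_ca() {
  mkdir -p "$CA_DIR"
  : > "$CA_DIR/index.txt"
  echo 1000 > "$CA_DIR/serial"
  echo 01 > "$CA_DIR/crlnumber"
  cat > "$CA_DIR/openssl.cnf" <<EOF
[ ca ]
default_ca = demo
[ demo ]
dir = $CA_DIR
database = \$dir/index.txt
new_certs_dir = \$dir
serial = \$dir/serial
crlnumber = \$dir/crlnumber
certificate = \$dir/ca.crt
private_key = \$dir/ca.key
default_md = sha256
default_crl_days = 7
policy = any_dn
[ any_dn ]
commonName = supplied
[ req ]
distinguished_name = req_dn
[ req_dn ]
commonName = Common Name
EOF
  openssl req -config "$CA_DIR/openssl.cnf" -x509 -newkey rsa:2048 -nodes -days 30 \
    -keyout "$CA_DIR/ca.key" -out "$CA_DIR/ca.crt" -subj /CN=DemoCA 2>/dev/null
  openssl req -config "$CA_DIR/openssl.cnf" -newkey rsa:2048 -nodes \
    -keyout "$WORK/client.key" -out "$WORK/client.csr" -subj /CN=client 2>/dev/null
  openssl ca -batch -notext -config "$CA_DIR/openssl.cnf" -days 30 \
    -in "$WORK/client.csr" -out "$WORK/client.crt" 2>/dev/null
}

# CA side. With a cert argument: "Revoke Certificate", reason Certificate Hold
# (the hold Rich mentions still counts as revoked). Then "Publish": Windows
# writes CertEnroll/<CaName>.crl as DER, so the CRL is converted to DER here
# to mimic what the HTTP CDP actually serves.
publish_crl() {
  if [ $# -gt 0 ]; then
    openssl ca -batch -config "$CA_DIR/openssl.cnf" -revoke "$1" \
      -crl_reason certificateHold 2>/dev/null
  fi
  openssl ca -batch -config "$CA_DIR/openssl.cnf" -gencrl -out "$WORK/crl.pem" 2>/dev/null
  openssl crl -in "$WORK/crl.pem" -outform DER -out "$WORK/CertEnroll.crl"
}

# Apache side, step 1 (cron): fetch from the HTTP CDP listed under the CA's
# Properties -> Extensions, e.g. http://<ServerDNSName>/CertEnroll/<CaName>.crl.
fetch_crl() {
  wget -q -O "$2" "$1"
}

# Apache side, step 2: mod_ssl reads only PEM, so convert DER when needed,
# verify the CA's signature so a tampered or wrong CRL is never installed,
# and replace the file atomically. Reload httpd afterwards (2.2 loads
# SSLCARevocationFile at startup only).
install_crl() {
  src="$1"; dest="$2"; cafile="$3"
  if openssl crl -inform DER -in "$src" -noout 2>/dev/null; then
    openssl crl -inform DER -in "$src" -outform PEM -out "$dest.tmp"
  else
    openssl crl -inform PEM -in "$src" -outform PEM -out "$dest.tmp"
  fi
  openssl crl -in "$dest.tmp" -CAfile "$cafile" -noout 2>/dev/null
  mv "$dest.tmp" "$dest"
}

# The check mod_ssl performs on a presented client certificate: chain it to
# SSLCACertificateFile, then look its serial number up in SSLCARevocationFile.
# "openssl verify -crl_check" is the same test.
client_cert_status() {
  cert="$1"; cafile="$2"; crl="$3"
  if openssl verify -crl_check -CAfile "$cafile" -CRLfile "$crl" "$cert" >/dev/null 2>&1; then
    echo accepted
  else
    echo rejected
  fi
}

# Demo: the same client cert is accepted until the refreshed CRL names it.
demo() {
  crl="$WORK/windows-ca.crl.pem"   # what SSLCARevocationFile would point at
  make_test_ca
  publish_crl                                   # empty CRL
  install_crl "$WORK/CertEnroll.crl" "$crl" "$CA_DIR/ca.crt"
  echo "before revocation: $(client_cert_status "$WORK/client.crt" "$CA_DIR/ca.crt" "$crl")"
  publish_crl "$WORK/client.crt"                # revoke, republish
  install_crl "$WORK/CertEnroll.crl" "$crl" "$CA_DIR/ca.crt"
  echo "after CRL refresh: $(client_cert_status "$WORK/client.crt" "$CA_DIR/ca.crt" "$crl")"
}

if [ "${1:-}" = run ]; then demo; fi
```

Run it with `sh crl-demo.sh run`. For the real deployment the cron job is `fetch_crl`, `install_crl`, then `service httpd graceful`, and it must keep running: the Next Update field the asker saw is the CRL's expiry, and once it passes, mod_ssl in 2.2 rejects every client certificate with "CRL has expired" rather than silently skipping the check. If the server is later moved to Apache 2.4, `SSLCARevocationCheck chain` has to be added as well, because there the CRL file alone no longer turns checking on.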
SeeDk

ASKER

Oh ok, now I get it! The cert.crl file from the CA itself gets copied into the directory that SSLCARevocationFile points to, replacing/updating any cert.crl file which is already there. Makes sense! Thanks!
Unusually you would append, or set up a process of combining CRLs from different sources and then combining them...
Deals with transitions between CAs and maintaining revocation over the life of each cert...
SeeDk

ASKER

Yeah, this is an *UNusual* setup, I'm realizing as I work on it.