SeeDk
asked on
Apache web server - how to revoke a certificate produced by a Windows CA?
RHEL 6.0
Apache/2.2.15
This environment uses a Windows Server 2008 R2 server as a CA.
The web server has been configured to accept certificates issued by that CA.
But I think there has been no configuration set for revoking certificates.
The "SSLCARevocationFile" path has been commented out in httpd.conf.
Is there another way I can revoke and/or block access to a specific certificate? Even if it is a manual process that would be fine. I want to test blocking a certificate for which I have all the information.
I can't speak intelligently about the Apache/Linux part of your question -- just the Windows CA part.
Do you have access to the Certificate Authority administrator tool for the Windows 2008 CA?
If you do, open the properties for the CA Server, and select the Extensions tab. Hopefully the "CRL Distribution Point (CDP)" lists several locations for the Certificate Revocation List (CRL) and depending on the configuration, some may be the location where the CRL is written, and some are the location published in the certificate to retrieve the list. Http is one common location, but Ldap is very common for Windows CA as well.
To test revocation, also within the CA tool, navigate to 'Issued Certificates' and find the certificate with which you wish to test. Right click, "All Tasks" and select Revoke Certificate. If you give the reason as "Certificate Hold", you can unrevoke later. Once revoked, the certificate will be written to the CRL the next time the CRL is published. You can force publication immediately by right clicking the "Revoked Certificates" folder and selecting "Publish". HOWEVER: if on the machine you are testing revocation -- it believes it has the most recent CRL and doesn't expect a new CRL or delta-CRL to be published, it won't bother checking until the schedule indicates it would be published. (You can look at that schedule if you right-click the Revoked Certificates folder in the tool and select properties. The first tab will show you the "CRL Publishing Parameters".)
ASKER
@Michael
It has a CRL but it stays internally on the CA. I can see the list on the 'certsrv' window.
When I check the file in the "SSLCARevocationFile" path it is something like:
----BEGIN X509 CRL----
<garbled text>
----END X509 CRL---
Am I supposed to get similar text for each revoked certificate and save it to this file? How would I get this text from the Windows certificate?
@Rich
Yes, I have access to that and have revoked certificates. I see under Properties -> Extensions there is a "CRL Distribution Point" extension which lists locations to obtain the CRL:
Entries are:
C:\Windows\system32\CertSrv\CertEnroll\<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl
ldap:///CN=<CATruncatedName><CRLNameSuffix>,CN=<ServerShortName>,CN=CDP,CN=Public Key Services,CN=Services,<ConfigurationContainer><CDPObjectClass>
http://<ServerDNSName>/CertEnroll/<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl
file://<ServerDNSName>/CertEnroll/<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl
On a revoked certificate, if I go to Details -> Extended Error Information:
Revocation Status : OK. Effective Date <Monday, May 01, 2017 5:57:21 PM> Next Update <Tuesday, May 09, 2017 6:17:21 AM>
Does this mean the revocation won't take effect until May 9 or am I misinterpreting this?
I may be off base here, but I think we need to know what you are really trying to accomplish. When a server is set up to trust certificates from a CA, the only time that comes into play is if you require client-side certificates when doing SSL/TLS connections.
Although it is possible, typically this is not done except in environments that require a very, very high level of security.
So is your Apache set up to require clients to provide certificates when doing SSL/TLS connections?
> Does this mean the revocation won't take effect until May 9 or am I misinterpreting this?
That would be my interpretation as well, yes. (I believe there is the possibility that a machine that hasn't checked the revocation status of that certificate since before May 1, then checks -- and finds the certificate has been revoked... would consider the certificate revoked. But again, only if the CRL was manually published, etc... 'cause the CA isn't expected to publish a new CRL until May 9th. That assumes OCSP isn't used, etc... that's just doing 'normal' CRL. :-) )
ASKER
@giltjr
Yes, that is exactly the case. There is one certificate which was mistakenly sent to a client. I would like to revoke that certificate on the web server so it cannot be used to connect.
@Rich
Thanks, that is good to know. I think it won't affect this case since Apache has not been configured to communicate with the Windows CA.
All you need to do is publish the CRL on an HTTP path on the CA server.
Navigate to CA server \ Properties \ Extensions tab and add an HTTP path pointing to certenroll/revocationfile.crl.
While you add it, you need to make sure that the "add this path to issued certificates" checkbox is selected.
After that, no matter from which platform you request new certs, that path will be stamped in the certificate as the CRL and your revoke function will work.
If you revoke a cert from the CA, it will invalidate your installed certificate, or the server will check against the HTTP CRL path to identify server certificate validity itself.
It might be possible that the Apache server may not use LDAP paths to connect to the CRL; HTTP is the standard method of CRL checking for all platforms.
One last thing: the currently installed certificate can't look up the HTTP path; you need to request a new cert from the CA after you add the HTTP-based CRL point on the CA server.
Mahesh.
ASKER
I downloaded the revocation list from that location. The list consists of each certificate's serial number, revocation date and CRL reason code.
Which part of this would I copy into the sslrevocationlist?
The whole thing, into the file that the SSLCARevocationFile points to.
This is how it works: Apache will see a certificate presented by the user, it will then use the process to get its ID, and then it will check whether the ID is on its revocation list....
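The reply above describes the Apache side in one sentence; here is what that looks like as an httpd.conf fragment for Apache 2.2 mod_ssl. This is an added example, not configuration from the thread, and every path in it is an assumption.

```apache
# Added example (not from the thread). Apache 2.2 mod_ssl virtual host that requires a
# client certificate issued by the Windows CA and refuses any certificate listed in the CRL.
# All file paths are assumptions.
<VirtualHost *:443>
    SSLEngine on
    SSLCertificateFile    /etc/pki/tls/certs/www.example.crt
    SSLCertificateKeyFile /etc/pki/tls/private/www.example.key

    # Require a client certificate and validate it against a PEM copy of the Windows CA
    # certificate (the full chain if an issuing CA sits under a root).
    SSLVerifyClient require
    SSLVerifyDepth  2
    SSLCACertificateFile /etc/pki/tls/certs/windows-ca.pem

    # The all-in-one PEM file holding the CA's CRL(s). A client certificate whose serial
    # number appears in it is rejected during the handshake. mod_ssl reads this file at
    # startup, so reload httpd after replacing it.
    SSLCARevocationFile /etc/pki/tls/certs/ca-bundle.crl
</VirtualHost>
```

On Apache 2.2.15 the presence of SSLCARevocationFile is enough to turn CRL checking on; the .crl that a Windows CA publishes under CertEnroll is DER-encoded and must be converted to PEM before mod_ssl will load it. On Apache 2.4 the same file is only consulted when SSLCARevocationCheck chain (or leaf) is also set.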
ASKER
Oh ok, now I get it! The cert.crl file from the CA itself gets copied into the directory that SSLCAREVOCATIONFILE points to, replacing/updating any cert.crl file which is already there. Makes sense! Thanks!
Unusually you would append, or setup a process of combining crls from different sources and then combining them ...
Deals with transitions between CAs and maintaining revocation over the life of each cert...
ASKER
Yeah this is an *UNusual setup I'm realizing as I work on it.
Grab the CRL from the Windows server at regular intervals (i.e. wget) and save it to your web server.
Point your Apache to that file.
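The last three replies (copy the whole CRL into the file SSLCARevocationFile points to, combine CRLs from more than one source into that file, and fetch the CRL with wget at regular intervals) as a single script for the RHEL 6 web server. This is an added example and not code from the thread; the CDP URL, the file paths, the use of openssl for the DER-to-PEM conversion and the httpd reload are my assumptions, though the URL follows the http://<ServerDNSName>/CertEnroll/<CaName>.crl pattern the asker listed from the CA's Extensions tab. Windows CAs write the CertEnroll .crl in DER while Apache 2.2 expects PEM, so the script detects the format and converts before installing.

```shell
#!/bin/bash
# Added example (not from the thread): fetch the CRL(s) a Windows CA publishes on its HTTP
# CDP, normalise them to PEM, concatenate them into the all-in-one file SSLCARevocationFile
# points to, and reload Apache. Every name below is an assumption for illustration.
set -u

# Hypothetical CDP URLs, following the http://<ServerDNSName>/CertEnroll/<CaName>.crl pattern.
# Add the delta CRL or other CAs' CRLs here to combine several sources into one file.
CRL_URLS="http://ca01.example.internal/CertEnroll/ExampleCA.crl"
CRL_FILE="/etc/pki/tls/certs/ca-bundle.crl"   # assumed SSLCARevocationFile path
WORK_DIR="${TMPDIR:-/tmp}/crl-sync.$$"

# crl_format FILE: print PEM if the file starts with a PEM CRL header, DER otherwise.
# A Windows CertEnroll .crl is DER; a file copied from another Linux box may already be PEM.
crl_format() {
    if head -c 24 "$1" | grep -q -e '-----BEGIN X509 CRL-----'; then
        echo PEM
    else
        echo DER
    fi
}

# to_pem SRC DST: write SRC as a PEM CRL to DST. Non-zero if openssl rejects the input,
# which catches an HTML error page saved by wget instead of a real CRL.
to_pem() {
    if [ "$(crl_format "$1")" = PEM ]; then
        cp "$1" "$2"
    else
        openssl crl -inform DER -in "$1" -outform PEM -out "$2"
    fi
}

# crl_next_update FILE: print the nextUpdate field of a PEM CRL. This is the "Next Update"
# date the asker saw: when the CA is expected to publish again, so the sync job must run at
# least that often. A revoked serial is already in the CRL as soon as the CA publishes it.
crl_next_update() {
    openssl crl -in "$1" -noout -nextupdate | sed 's/^nextUpdate=//'
}

# revoked_serials FILE: list the revoked serial numbers in a PEM CRL, one per line, so an
# operator can confirm the mistakenly issued certificate is present before installing.
revoked_serials() {
    openssl crl -in "$1" -noout -text | awk '/Serial Number:/ {print $3}'
}

# sync_crls: download every URL, convert, concatenate, install atomically, reload httpd.
sync_crls() {
    mkdir -p "$WORK_DIR" || return 1
    : > "$WORK_DIR/bundle.pem"
    for url in $CRL_URLS; do
        raw="$WORK_DIR/$(basename "$url")"
        wget -q -O "$raw" "$url" || { echo "fetch failed: $url" >&2; return 1; }
        to_pem "$raw" "$raw.pem" || { echo "not a valid CRL: $url" >&2; return 1; }
        echo "$url nextUpdate: $(crl_next_update "$raw.pem")"
        # SSLCARevocationFile accepts several PEM CRLs concatenated into one file.
        cat "$raw.pem" >> "$WORK_DIR/bundle.pem"
    done
    # Write beside the target and rename so mod_ssl never reads a half-written file.
    install -m 0644 "$WORK_DIR/bundle.pem" "$CRL_FILE.tmp" && mv -f "$CRL_FILE.tmp" "$CRL_FILE"
    rm -rf "$WORK_DIR"
    # mod_ssl loads the CRL at startup, so the new file takes effect only after a reload.
    service httpd reload
}

# Run the sync only when called as "crl-sync.sh sync" so the functions can also be sourced.
if [ "${1:-}" = sync ]; then
    sync_crls
fi
```

Run it from cron on the web server with an interval shorter than the CA's CRL publishing period (the "Next Update" value); if the CA is forced to publish early after a revocation, run it once by hand as well. Listing revoked_serials on the converted file before the reload is the check that the serial of the certificate sent to the wrong client is actually in what Apache will load.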