GTTech2010

asked on

command to revoke client certificate on an apache webserver

I have set up an Apache web-server to request client certificates and I need to revoke some of the client certificates. Removing them from the client machine is not an option, so I need to revoke them from the server so it does not see them as valid.

I'm trying to use the command:

openssl ca -revoke /etc/ssl/certs/client123.pem

where client123.pem was a certificate validated by the web-server (where the ca was configured).

Thanks
arnold

The revocation happens on the CA; you then have to add the certificate ID into the sslcarevocationlist referenced file.

Not sure where you are having your issue.

See if the OpenSSL CA setup at
https://jamielinux.com/docs/openssl-certificate-authority/index.html
helps you add a CRL reference if you did not set one up.
noci

And is apache configured for either CRL checking?
http://apacheweek.com/features/crl

Or OCSP verification?
https://www.digitalocean.com/community/tutorials/how-to-configure-ocsp-stapling-on-apache-and-nginx

In both cases the CA certificate needs to specify the point where to check for info:
in the CRL case the location where a fresh CRL can be downloaded, and for OCSP where the server resides.
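The revoke-then-publish-a-CRL procedure arnold describes, together with the CRL checking noci asks about, as a runnable added example (this is not code from the thread or from any of its posters). It builds a throwaway CA under a temporary directory with openssl, issues a client certificate, runs the question's `openssl ca -revoke`, regenerates the CRL and shows that verification against the CRL fails only after the new CRL is written. The config section names, the paths and the `client123` subject are constructed for the demo; it assumes `openssl` (1.1.x or 3.x) is on PATH.

```shell
#!/bin/sh
# Added example, not code from the thread: a throwaway OpenSSL CA in a temp
# directory that issues a client certificate, revokes it, publishes a CRL and
# checks the certificate against that CRL before and after revocation.
# Assumes `openssl` (1.1.x or 3.x) is on PATH; all names and paths are constructed.
set -eu

# Mirrors what Apache does with SSLCARevocationFile: verify the client cert
# against the CA cert and the current CRL. Prints "valid" or "invalid".
crl_status() {
    if openssl verify -crl_check -CAfile "$1/ca.crt" -CRLfile "$1/ca.crl" \
        "$1/client123.pem" >/dev/null 2>&1; then
        echo valid
    else
        echo invalid
    fi
}

# Prints "valid invalid": the client cert passes CRL checking before
# revocation and is rejected once the CRL has been regenerated.
revoke_demo() {
    work=$(mktemp -d)
    mkdir -p "$work/newcerts"
    : > "$work/index.txt"          # the CA database that `openssl ca -revoke` updates
    echo 1000 > "$work/serial"
    echo 1000 > "$work/crlnumber"

    # Minimal config for the `openssl ca` / `openssl req` commands (demo only).
    # A bare `openssl ca -revoke` reads the [ca] section of the system
    # openssl.cnf instead; -config makes the CA directory explicit.
    cat > "$work/ca.cnf" <<EOF
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir = $work
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
serial = \$dir/serial
crlnumber = \$dir/crlnumber
certificate = \$dir/ca.crt
private_key = \$dir/ca.key
default_md = sha256
default_days = 365
default_crl_days = 30
policy = demo_policy
[ demo_policy ]
commonName = supplied
[ req ]
distinguished_name = req_dn
x509_extensions = ca_ext
[ req_dn ]
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF

    # Self-signed CA, like the asker's Apache host that doubles as the CA.
    openssl req -config "$work/ca.cnf" -x509 -newkey rsa:2048 -nodes \
        -keyout "$work/ca.key" -out "$work/ca.crt" -days 365 \
        -subj "/CN=Demo CA" >/dev/null 2>&1

    # Client key and CSR, signed through the CA database so it can be revoked later.
    openssl req -config "$work/ca.cnf" -new -newkey rsa:2048 -nodes \
        -keyout "$work/client123.key" -out "$work/client123.csr" \
        -subj "/CN=client123" >/dev/null 2>&1
    openssl ca -config "$work/ca.cnf" -batch -in "$work/client123.csr" \
        -out "$work/client123.pem" >/dev/null 2>&1

    # Publish an (empty) CRL and check the certificate against it.
    openssl ca -config "$work/ca.cnf" -gencrl -out "$work/ca.crl" >/dev/null 2>&1
    before=$(crl_status "$work")

    # The step from the question, followed by regenerating the CRL: the
    # revocation only takes effect once the new CRL reaches the verifier.
    openssl ca -config "$work/ca.cnf" -revoke "$work/client123.pem" >/dev/null 2>&1
    openssl ca -config "$work/ca.cnf" -gencrl -out "$work/ca.crl" >/dev/null 2>&1
    after=$(crl_status "$work")

    rm -rf "$work"
    echo "$before $after"
}

revoke_demo   # prints: valid invalid
```

The point the thread keeps returning to is visible in the middle of the script: `openssl ca -revoke` only flips an entry in the CA's index.txt, and nothing changes for a verifier until a fresh CRL is written with `openssl ca -gencrl` and the verifier reads it. In Apache 2.4 that CRL file is referenced with `SSLCARevocationFile` (with `SSLCARevocationCheck chain` or `leaf` to switch checking on, since the default is `none`), and mod_ssl loads it at startup, so the server needs a reload after each regeneration.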
GTTech2010 (asker)

Hi,

Based on Arnold's comment I wanted to clarify that the Apache webserver is the CA. I'm still reviewing the other comments but please keep the suggestions coming. They are much appreciated.
The server where Apache is installed also functions as a CA, an OpenSSL self-signed CA.

You have a web page through which a certificate is obtained? Once the client certificate is revoked, what would prevent the same user from obtaining a new cert?
Or is the issuing of the client certificate a different process, limited to one or a few admins?