apache - 无法获取证书crl

Question

我想在 apache 服务器中使用客户端和服务器身份验证以及 CRL 配置 SSL。

客户端和服务器证书在没有 CRL 的情况下也能正常工作(SSLCARevocationCheck none)，但如果我无法使用 CRL，我会在 ssl_error_log 中不断收到以下错误:

AH02039:证书验证:错误 (3):无法获取证书 CRL

这是我在 conf.d/ssl.conf 中的配置:

# Server cert Paths
SSLCertificateChainFile /etc/httpd/ejbca/my-server.fr-chain.pem
SSLCertificateFile /etc/httpd/ejbca/my-server.fr-cert.pem
SSLCertificateKeyFile /etc/httpd/ejbca/my-server.fr-key.pem

# Force client auth
SSLVerifyClient require
SSLVerifyDepthi 3

# Path to accepted CAs
SSLCACertificatePath /etc/httpd/ca/

# Path to CRLs
SSLCARevocationCheck chain
SSLCARevocationPath /etc/httpd/crl/

我的文件系统是:

ls -la /etc/httpd/ca/
total 0
drwxr-xr-x. 2 root root  42 27 avril 17:26 .
drwxr-xr-x. 6 root root 148 11 avril 11:58 ..
lrwxrwxrwx. 1 root root  46 27 avril 17:26 5ac1a54c.0 -> /etc/httpd/ejbca/MyPublicCA.pem
lrwxrwxrwx. 1 root root  40 27 avril 17:24 f5ee00f8.0 -> /etc/httpd/ejbca/MyCA.pem

ls -la /etc/httpd/crl
total 0
drwxr-xr-x. 2 root root  44 27 avril 15:48 .
drwxr-xr-x. 6 root root 148 11 avril 11:58 ..
lrwxrwxrwx. 1 root root  59 27 avril 15:48 5ac1a54c.r0 -> /etc/httpd/ejbca/crl/MyPublicCA-27-04-17-5ac1a54c-03.crl
lrwxrwxrwx. 1 root root  53 27 avril 15:48 f5ee00f8.r0 -> /etc/httpd/ejbca/crl/MyCA-27-04-17-f5ee00f8-04.crl

我的 CRL 是这样的:

openssl crl -in /etc/httpd/ejbca/crl/MyPublicCA-27-04-17-5ac1a54c-02.crl -noout -text
Certificate Revocation List (CRL):
        Version 2 (0x1)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: /CN=MyPublicCA/OU=PKI/O=MyCorp
        Last Update: Apr 27 13:48:03 2017 GMT
        Next Update: May  7 13:48:03 2017 GMT
        CRL extensions:
            X509v3 Authority Key Identifier:
                keyid:41:A2:ED:51:A5:7A:20:1C:66:C8:92:69:9B:F7:ED:F4:D3:29:27:FA

            X509v3 CRL Number:
                3
Revoked Certificates:
    Serial Number: 34B6A3F76F6D3E59
        Revocation Date: Apr 27 13:46:21 2017 GMT
    Signature Algorithm: sha256WithRSAEncryption
         6c:02:84:70:82:af:f5:18:15:4d:28:93:4b:f6:80:ae:c4:d8:
         c0:5d:95:cc:97:c0:02:e7:40:d0:d7:db:63:0b:f0:80:22:97:
         f0:82:39:e6:70:8f:31:a9:b8:a7:c1:00:1d:f9:2a:04:16:7f:
         4f:41:3e:51:ff:14:8f:34:92:4d:6b:e9:da:7a:e1:11:cf:a8:
         36:53:ac:95:da:36:2e:b4:a1:4b:d3:4e:4d:23:04:97:33:c5:
         20:9c:46:64:11:73:3b:4e:4b:90:81:2c:69:5a:21:f4:af:3a:
         31:24:0a:8e:e6:c3:3e:9b:8c:26:8f:fd:f4:52:92:41:10:30:
         88:7c:39:2a:52:29:51:65:45:4e:e5:39:d6:06:9b:9e:71:6b:
         76:a8:05:c5:3a:c3:f1:d1:95:72:6e:6c:be:38:5d:70:84:4b:
         cc:51:e3:6b:c1:3b:02:95:c2:94:5e:c6:4a:dd:b4:a9:f8:6c:
         ad:b6:e9:04:df:06:7e:58:92:fb:e5:e9:81:04:b8:7a:71:68:
         f1:d1:a1:2c:79:e7:ed:0d:37:b0:36:c2:89:75:88:15:1f:6e:
         4d:4e:74:c5:dc:c5:98:b4:26:51:f0:56:ec:77:95:31:5a:6e:
         f5:70:f9:93:b0:1c:aa:e3:c6:bc:c3:28:8e:d0:76:3b:13:21:
         30:3b:f6:5d

我使用 EJBCA 6.3 生成证书和 CRL

有什么建议吗？

谢谢。

Answer 1

如果您有中间 CA，则需要同时提供根 CA 的 CRL 和中间 CA(完整链)的 CRL。您可以通过简单地连接这些 CRL 或使用 SSLCARevocationPath[1] 指向一个目录来做到这一点。

SSLCARevocationPath 注意事项:您需要以 hash-value.rN 格式提供文件。您可以通过执行 ln -s ca.crl `openssl crl -hash -noout -in ca.crl`.r0 [2]

来完成此操作

[1] https://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslcarevocationpath
[2] http://www.apacheweek.com/features/crl