UniServer CA: Client Certificates Revocation
|Uniform Server 4.0-Mona|
Portable CA - Client Certificates Revocation
When a personal (client) certificate for whatever reason becomes compromised it needs to be revoked. In addition we also need to inform Apache to prevent access to the server for revoked certificates.
The revocation process has been semi-automated with Revoke.bat the following provides an overview of this process.
OpenSSL stores a list of issued certificates in file index.txt (text file database), open this file, find the serial number of the certificate you want to revoke and run the following command.
openssl ca -config openssl.cnf -revoke newcerts/<serial-number>.pem
This command marks the certificate entry in index.txt as revoked.
Note: You are requested to enter the CA's pass phrase.
Certificate Revocation List List
To create a certificate revocation list run the following command:
openssl ca -config openssl.cnf -gencrl -crlexts crl_ext -md sha1 -out crl/crl.pem
It scans the database text file index.txt for all revoked certificates and creates a revocation file crl.pem
Note 1: You are requested to enter the CA's pass phrase.
Note 2: The control list crl.pem is saved to folder UniServer\udrive\plugins\UniServer_CA\CA\crl
Every time a new control list is generated it needs to be copied over to the server. Although it can be located in any folder I use folder UniServer\udrive\usr\local\apache2\conf\ssl.crt
Apache needs to be informed you are using a control list file and where to find it.
Edit file UniServer\udrive\usr\local\apache2\conf\ssl.conf add the following line:
Locate it just below CA plugin option as shown below:
#== CA plugin option. Certificate Authority (CA): SSLCACertificateFile /usr/local/apache2/conf/ssl.crt/ca.crt #== CA plugin option. Control list: SSLCARevocationFile /usr/local/apache2/conf/ssl.crt/crl.pem
Note: Restart servers for the new configuration to be picked-up by Apache.
That covers the background Revoke.bat automates the above SSL commands.
Revoking a certificate is straight forward. On the previous page we created a certificate for Mr X we will revoke this certificate denying that user access to the server.
- Run Revoke.bat
- Press enter displays a list of issued certificates
- Search down the list for Mr X note the serial number (in this example is 02)
- Enter the serial number (02) Note if the list is long scroll down to the input
- You will be prompted for the CA's pass phrase (fred) enter this.
Certificate is revoked and confirmed.
- You are prompted again for the CA's pass phrase (fred) enter this.
The control list is created.
Note: You are either informed the file crl.pem was copied to the server or instructed to manually copy the file to the server.
- To manually copy the file:
- Copy file UniServer_CA\CA\crl\crl.pem
- To folder: UniServer\udrive\usr\local\apache2\conf\ssl.crt
On the previous page we allowed Mr X access to the test folder (UniServer\udrive\ssl\test).
To confirm that Mr X's certificate has been revoked perform the following test:
- Start servers
- Access page (index.php) by typing https://localhost/test/ into your browser
- Browser (Firefox) displays: SSL peer rejected your certificate as revoked.
Confirms that Mr X cannot now access the secure folder.
This page concludes how to use UniServer portable CA. I have show how easy it is to revoke a personal (client) certificate.
Make sure you do not revoke certificate with serial 01 otherwise you kill the server certificate.
Remainder of this write-up looks at the batch files used see next page.