UniServer CA2: Client Certificates Revocation

From The Uniform Server Wiki


Uniform Server 5.5-Nano
CA Demo

Portable CA - Client Certificates Revocation

When a personal (client) certificate becomes compromised, for whatever reason, it needs to be revoked. In addition, Apache must be informed so that it denies access to the server for revoked certificates.

Revocation overview

The revocation process has been semi-automated with Revoke.bat. The following provides an overview of this process.

Serial number

OpenSSL stores a list of issued certificates in the file index.txt (a text file database). Open this file, find the serial number of the certificate you want to revoke and run the following command:

openssl ca -config openssl.cnf  -revoke newcerts/<serial-number>.pem

This command marks the certificate entry in index.txt as revoked.

Note: You will be prompted for the CA's pass phrase.

Certificate Revocation List

To create a certificate revocation list run the following command:

openssl ca -config openssl.cnf -gencrl -crlexts crl_ext -md sha1 -out crl/crl.pem

It scans the database text file index.txt for all revoked certificates and creates the revocation file crl.pem.

Note 1: You will be prompted for the CA's pass phrase.

Note 2: The control list crl.pem is saved to folder UniServer\plugins\UniServer_CA\CA\crl

Apache configuration

Every time a new control list is generated it needs to be copied over to the server. Although it can be located in any folder, I use the folder UniServer\usr\local\apache2\conf\ssl.crt

Apache needs to be informed you are using a control list file and where to find it.

Edit the file UniServer\usr\local\apache2\conf\ssl.conf and add the following line:

SSLCARevocationFile /usr/local/apache2/conf/ssl.crt/crl.pem

Locate it just below CA plugin option as shown below:

#==  CA plugin option. Certificate Authority (CA):
SSLCACertificateFile /usr/local/apache2/conf/ssl.crt/ca.crt

#==  CA plugin option. Control list:
SSLCARevocationFile /usr/local/apache2/conf/ssl.crt/crl.pem

Note: For the new configuration to be picked up by Apache, restart the servers. On Apache 2.4 and later the SSLCARevocationCheck directive (which defaults to none) must also be set, for example to chain, before the CRL is consulted.

That covers the background. Revoke.bat automates the above OpenSSL commands.


Run Revoke.bat

Revoking a certificate is straightforward. On the previous page we created a certificate for Mr X; we will now revoke this certificate, denying that user access to the server.

  1. Run Revoke.bat
  2. Press Enter; a list of issued certificates is displayed.
  3. Search down the list for Mr X and note the serial number (in this example it is 02).
  4. Enter the serial number (02). Note: if the list is long you need to scroll down to the input field.
  5. You are prompted for the CA's pass phrase (fred); enter this.
     The certificate is revoked and confirmed.
  6. You are prompted again for the CA's pass phrase (fred); enter this.
     The control list is created.

Note: You are either informed the file crl.pem was copied to the server or instructed to manually copy the file to the server.

  • To manually copy the file:
    Copy the file UniServer_CA\CA\crl\crl.pem
    to the folder UniServer\usr\local\apache2\conf\ssl.crt
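As an added example (not part of this wiki page or of Revoke.bat), the following Python parser reads the index.txt database that the "Serial number" section and steps 2 to 3 above rely on: it looks up a user's serial by common name, refuses serial 01 (the server certificate), and lists the serials that -gencrl would place in crl.pem. The sample index.txt content, the assumed DN values and the function names are constructed for this example.

```python
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample index.txt, assumed to mirror the demo CA on this page:
# serial 01 is the server certificate, 02 is Mr X (already R = revoked).
SAMPLE_INDEX = (
    "V\t301231235959Z\t\t01\tunknown\t/C=GB/O=Uniform Server/CN=localhost\n"
    "R\t301231235959Z\t240601120000Z,keyCompromise\t02\tunknown\t/C=GB/O=Uniform Server/CN=Mr X\n"
    "V\t301231235959Z\t\t03\tunknown\t/C=GB/O=Uniform Server/CN=Mrs Y\n"
)
SERVER_SERIAL = "01"  # the page's caveat: revoking this kills the server certificate

@dataclass
class IndexEntry:
    status: str                # V = valid, R = revoked, E = expired
    expiry: str                # YYMMDDHHMMSSZ
    revoked_at: Optional[str]  # only present when status is R
    reason: Optional[str]      # optional CRL reason after the comma
    serial: str                # hex serial as written by openssl ca
    subject: str               # distinguished name
    def common_name(self) -> str:
        return next((p[3:] for p in self.subject.split("/") if p.startswith("CN=")), "")

def parse_index(text: str) -> List[IndexEntry]:
    """Parse index.txt; a line that is not six tab-separated fields is rejected."""
    entries = []
    for line in filter(str.strip, text.splitlines()):
        fields = line.split("\t")
        if len(fields) != 6:
            raise ValueError(f"malformed index.txt line: {line!r}")
        status, expiry, rev, serial, _filename, subject = fields
        revoked_at, _, reason = rev.partition(",") if rev else (None, "", "")
        entries.append(IndexEntry(status, expiry, revoked_at, reason or None, serial, subject))
    return entries

def serial_for(entries: List[IndexEntry], cn: str) -> Optional[str]:
    """Step 3 of the Revoke.bat procedure: find a user's serial by common name."""
    return next((e.serial for e in entries if e.common_name() == cn), None)

def revoke_check(entries: List[IndexEntry], serial: str) -> str:
    """Sanity check before running `openssl ca -revoke` on a serial."""
    if serial == SERVER_SERIAL:
        return "refused: serial 01 is the server certificate"
    entry = next((e for e in entries if e.serial == serial), None)
    if entry is None:
        return "unknown serial"
    return "already revoked" if entry.status == "R" else "ok to revoke"

def crl_serials(entries: List[IndexEntry]) -> List[str]:
    """Serials that `openssl ca -gencrl` would list in crl.pem (status R)."""
    return [e.serial for e in entries if e.status == "R"]
```

Comparing crl_serials() against the output of openssl crl -in crl.pem -noout -text is a quick way to confirm the list was regenerated before copying it to the server.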


Testing

On the previous page we allowed Mr X access to the test folder (UniServer\udrive\ssl\test).

To confirm that Mr X's certificate has been revoked perform the following test:

  1. Start servers
  2. Access page (index.php) by typing https://localhost/test/ into your browser
  3. Browser (Firefox) displays: SSL peer rejected your certificate as revoked.

This confirms that Mr X can no longer access the secure folder.


Summary

This page concludes how to use the UniServer portable CA. I have shown how easy it is to revoke a personal (client) certificate.

Make sure you do not revoke the certificate with serial 01; doing so would revoke the server certificate.

The remainder of this write-up looks at the batch files used; see the next page.
