how to disable crlDistributionPoints extension?

Stefan Winter stefan.winter at restena.lu
Thu Mar 17 15:19:10 CET 2016


Hi,

> I have a problem that crlDistributionPoints is included in the server certificate. This forces clients to check the CRL via HTTP. For the sake of simplicity for my setup, I don't want clients to check the CRL via HTTP. Checking a CRL stored locally on the clients is enough (e.g. in StrongSwan, ipsec.d/crls/).
>
> I deleted the following parameter in ca.cnf (I'm using FR 3.0.10):
>
> [v3_ca]
> subjectKeyIdentifier    = hash
> authorityKeyIdentifier  = keyid:always,issuer:always
> basicConstraints        = critical,CA:true
> crlDistributionPoints   = URI:http://www.example.org/example_ca.crl   <<< HERE
>
> I performed "make ca.pem". Then I made the server certificate, and the CDP is included as follows:
>
> openssl x509 -text -noout -in server.pem
> Certificate:
>     Data:
>         Version: 3 (0x2)
>         Serial Number: 1 (0x1)
>     Signature Algorithm: sha256WithRSAEncryption
>         Issuer: C=JP, ST=Tokyo, L=XXX, O=XXX/emailAddress=XXX at XXX, CN=FR-CA
>         Validity
>             Not Before: Mar 16 15:02:23 2016 GMT
>             Not After : Mar 11 15:02:23 2036 GMT
>         Subject: C=JP, ST=Tokyo, O=XXX, CN=FR-Svr/emailAddress=XXX at XXX
> (snip)
>         X509v3 extensions:
>             X509v3 Extended Key Usage:
>                 TLS Web Server Authentication
>             X509v3 CRL Distribution Points:   <<< HERE!!!
>                 Full Name:
>                   URI:http://www.example.com/example_ca.crl
>
> Is my idea wrong?

You can stop including crlDPs by commenting out the lines in the config.

Some OSes require this property in server certs. If you omit it, your
cert will not be good enough on those OSes.

I don't think you really *want* local CRLs on clients. CRLs typically
have a very short lifetime (like: expire every 2 weeks), so you'd have
to manually feed your clients with new CRLs every so often.

Greetings,

Stefan Winter

-- 
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et
de la Recherche
2, avenue de l'Université
L-4365 Esch-sur-Alzette

Tel: +352 424409 1
Fax: +352 422473

PGP key updated to 4096 Bit RSA - I will encrypt all mails if the
recipient's key is known to me

http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66
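An added example, not part of the thread above and not FreeRADIUS's own Makefile or config: a small script that shows where the CDP extension in a server certificate actually comes from. Two things in the quoted output are worth noticing: the [v3_ca] section quoted from ca.cnf names www.example.org, while the server.pem output names www.example.com, and [v3_ca] is the extension section the CA's own self-signed certificate is built from. The extensions of a leaf certificate are added when it is signed, from whatever -extfile/-extensions the signing command is given (in FreeRADIUS 3.0.x that is the [ xpserver_ext ] section of the xpextensions file, used by the Makefile's `openssl ca` step), so editing [v3_ca] alone changes ca.pem but not server.pem. The script assumes `openssl` on PATH, writes its own constructed config files into a temporary directory, uses `openssl x509 -req` as a stand-in for the Makefile's `openssl ca` signing step, and the section names with_cdp / without_cdp are ours:

```shell
#!/bin/sh
# Added example (not FreeRADIUS's Makefile, not the poster's files): where does a
# server certificate's CRL Distribution Points (CDP) extension come from?
# Assumes 'openssl' on PATH. All config files below are constructed here;
# 'openssl x509 -req' stands in for the Makefile's 'openssl ca' signing step.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# CA config modelled on the [v3_ca] section quoted in the question, with
# crlDistributionPoints commented out as the poster did.
cat > "$WORK/ca.cnf" <<'EOF'
[ req ]
distinguished_name = req_dn
x509_extensions    = v3_ca
prompt             = no

[ req_dn ]
CN = FR-CA

[ v3_ca ]
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always,issuer:always
basicConstraints       = critical,CA:true
# crlDistributionPoints = URI:http://www.example.org/example_ca.crl
EOF

# Minimal request config for the server CSR.
cat > "$WORK/server.cnf" <<'EOF'
[ req ]
distinguished_name = req_dn
prompt             = no

[ req_dn ]
CN = FR-Svr
EOF

# Extension sections applied at *signing* time. The section names are ours;
# in FreeRADIUS 3.0.x the equivalent is [ xpserver_ext ] in 'xpextensions'.
cat > "$WORK/server_ext.cnf" <<'EOF'
[ with_cdp ]
extendedKeyUsage      = serverAuth
crlDistributionPoints = URI:http://www.example.com/example_ca.crl

[ without_cdp ]
extendedKeyUsage      = serverAuth
EOF

# Print "yes" if the certificate carries a CDP extension, "no" otherwise.
cdp_status() {
    if openssl x509 -in "$1" -noout -text | grep -q 'X509v3 CRL Distribution Points'; then
        echo yes
    else
        echo no
    fi
}

# Sign the server CSR with the named extension section from server_ext.cnf.
# $1 = section name, $2 = output certificate path
sign_server() {
    openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
        -CAcreateserial -days 30 -extfile "$WORK/server_ext.cnf" -extensions "$1" \
        -out "$2" 2>/dev/null
}

# Self-signed CA (extensions from [v3_ca] in ca.cnf) and the server key + CSR.
openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config "$WORK/ca.cnf" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
openssl req -new -newkey rsa:2048 -nodes -config "$WORK/server.cnf" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null

# Same CA, same CSR: only the signing-time extension section differs.
sign_server with_cdp    "$WORK/server_with_cdp.pem"
sign_server without_cdp "$WORK/server_without_cdp.pem"

echo "ca.pem (CDP commented out in [v3_ca]): CDP present? $(cdp_status "$WORK/ca.pem")"
echo "server signed with [with_cdp]:         CDP present? $(cdp_status "$WORK/server_with_cdp.pem")"
echo "server signed with [without_cdp]:      CDP present? $(cdp_status "$WORK/server_without_cdp.pem")"
```

The cdp_status check (openssl x509 -text piped through grep) is the quick test to run on any certificate the Makefile produces. If it still reports the extension after [v3_ca] has been edited, the line to remove is in the extension file or section that the Makefile's `openssl ca` command names with -extfile/-extensions, not in the CA section.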