how to disable crlDistributionPoints extension?

Stefan Winter stefan.winter at restena.lu
Thu Mar 17 16:04:34 CET 2016


Hi,

> I'll use CRL. But let me confirm. Sorry for my basic question, but how can I make a CRL on FR 3.0.10?
> As for certificates, I used scripts like ca.cnf and server.cnf.
> # Because I cared about IOT (between FR and certificates), I used the scripts.
> As for the CRL, do I use the "openssl ca -gencrl" command? Is there no script for it? (I couldn't find the script.)

Sorry; you are right, generation is with "openssl ca -gencrl". There's
not much scripting needed besides that one single command. The
parameters may need a bit of tuning and the Makefile *could* make this
easier probably.

Stefan

> Regards,
>  
> 
>     On Thursday, 17 March 2016, 23:19, Stefan Winter <stefan.winter at restena.lu> wrote:
>  
> 
>  Hi,
> 
>> I have a problem: crlDistributionPoints is included in the server certificate. This forces clients to check the CRL via HTTP.
>> For the sake of simplicity in my setup, I don't want clients to check the CRL via HTTP.
>> # Checking a CRL stored locally on the clients is enough (e.g. in StrongSwan, ipsec.d/crls/).
>>
>> I deleted the following parameter in ca.cnf (I'm using FR 3.0.10):
>>
>> [v3_ca]
>> subjectKeyIdentifier    = hash
>> authorityKeyIdentifier  = keyid:always,issuer:always
>> basicConstraints        = critical,CA:true
>> crlDistributionPoints  = URI:http://www.example.org/example_ca.crl <<< HERE
>>
>> I ran "make ca.pem". Then I made the server certificate, and the CDP is included as follows:
>>
>> openssl x509 -text -noout -in server.pem
>> Certificate:
>>     Data:
>>         Version: 3 (0x2)
>>         Serial Number: 1 (0x1)
>>     Signature Algorithm: sha256WithRSAEncryption
>>         Issuer: C=JP, ST=Tokyo, L=XXX, O=XXX/emailAddress=XXX at XXX, CN=FR-CA
>>         Validity
>>             Not Before: Mar 16 15:02:23 2016 GMT
>>             Not After : Mar 11 15:02:23 2036 GMT
>>         Subject: C=JP, ST=Tokyo, O=XXX, CN=FR-Svr/emailAddress=XXX at XXX
>> (snip)
>>         X509v3 extensions:
>>             X509v3 Extended Key Usage:
>>                 TLS Web Server Authentication
>>             X509v3 CRL Distribution Points: <<< HERE!!!
>>                 Full Name:
>>                   URI:http://www.example.com/example_ca.crl
>>
>> Is my idea wrong?
> 
> You can stop including crlDPs by commenting out the lines in the config.
> 
> Some OSes require this property in server certs. If you omit it, your
> cert will not be good enough on those OSes.
> 
> I don't think you really *want* local CRLs on clients. CRLs typically
> have a very short lifetime (like: expire every 2 weeks), so you'd have
> to manually feed your clients with new CRLs every so often.
> 
> Greetings,
> 
> Stefan Winter
> 


-- 
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et
de la Recherche
2, avenue de l'Université
L-4365 Esch-sur-Alzette

Tel: +352 424409 1
Fax: +352 422473

PGP key updated to 4096 Bit RSA - I will encrypt all mails if the
recipient's key is known to me

http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66
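The procedure the thread circles around (drop crlDistributionPoints from the server extension section, then produce the CRL with a single "openssl ca -gencrl" and check it locally instead of over HTTP) as an added, self-contained example. This is not code from the thread, from the FreeRADIUS Makefile or from its ca.cnf/server.cnf: it builds a throwaway CA in a temporary directory, issues one server certificate without the extension and one with it, revokes one of them, generates a CRL with the two-week lifetime the reply mentions, and verifies both certificates against the local CRL file only. It assumes OpenSSL 1.1.1 or 3.x on PATH; the CNs, file names and the CRL URI (copied from the post, never fetched) are placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeRADIUS: a throwaway CA that
# issues one server cert without crlDistributionPoints and one with it, then
# revokes a cert and publishes a CRL with "openssl ca -gencrl".
# Assumes: OpenSSL 1.1.1 or 3.x on PATH; all names, CNs and the CRL URI are
# placeholders (the URI mirrors the one in the post and is never fetched).
set -e

# Lay out the minimal "openssl ca" database: index, serial, crlnumber, newcerts.
setup_ca() {
    CADIR=$(mktemp -d)
    mkdir -p "$CADIR/newcerts"
    : > "$CADIR/index.txt"
    echo 01 > "$CADIR/serial"
    echo 01 > "$CADIR/crlnumber"
    cat > "$CADIR/ca.cnf" <<EOF
[ ca ]
default_ca       = CA_default

[ CA_default ]
dir              = $CADIR
database         = \$dir/index.txt
new_certs_dir    = \$dir/newcerts
serial           = \$dir/serial
crlnumber        = \$dir/crlnumber
certificate      = \$dir/ca.pem
private_key      = \$dir/ca.key
default_days     = 365
default_crl_days = 14
default_md       = sha256
policy           = policy_any
unique_subject   = no

[ policy_any ]
commonName       = supplied

[ req ]
distinguished_name = req_dn
prompt           = no

[ req_dn ]
CN               = placeholder

[ v3_ca ]
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always,issuer:always
basicConstraints       = critical,CA:true

# Server extensions with the crlDistributionPoints line left out.
[ server_nocdp ]
extendedKeyUsage       = serverAuth

# Same extensions plus a CRL DP (what the poster's server.pem still carried).
[ server_cdp ]
extendedKeyUsage       = serverAuth
crlDistributionPoints  = URI:http://www.example.org/example_ca.crl
EOF
    openssl req -x509 -new -newkey rsa:2048 -nodes -config "$CADIR/ca.cnf" \
        -extensions v3_ca -subj "/CN=Example CA" -days 365 \
        -keyout "$CADIR/ca.key" -out "$CADIR/ca.pem" 2>/dev/null
}

# issue_server <extension section> <basename> <CN>: make a CSR and sign it.
issue_server() {
    openssl req -new -newkey rsa:2048 -nodes -config "$CADIR/ca.cnf" \
        -subj "/CN=$3" -keyout "$CADIR/$2.key" -out "$CADIR/$2.csr" 2>/dev/null
    openssl ca -batch -config "$CADIR/ca.cnf" -extensions "$1" \
        -in "$CADIR/$2.csr" -out "$CADIR/$2.pem" 2>/dev/null
}

# Revoke a cert in the CA database, then regenerate the CRL (the one command
# the thread names; default_crl_days gives it the two-week lifetime).
revoke_and_gencrl() {
    openssl ca -config "$CADIR/ca.cnf" -revoke "$1" 2>/dev/null
    openssl ca -config "$CADIR/ca.cnf" -gencrl -out "$CADIR/ca.crl" 2>/dev/null
}

# has_cdp <cert>: succeeds if the cert carries a CRL Distribution Points extension.
has_cdp() {
    openssl x509 -noout -text -in "$1" | grep -q "X509v3 CRL Distribution Points"
}

# crl_status <cert>: prints "ok", "revoked" or "error", checking only against
# the local CRL file (no HTTP fetch, which is what the poster wants on clients).
crl_status() {
    out=$(openssl verify -crl_check -CAfile "$CADIR/ca.pem" \
              -CRLfile "$CADIR/ca.crl" "$1" 2>&1) && { echo ok; return; }
    case "$out" in
        *"certificate revoked"*) echo revoked ;;
        *) echo error ;;
    esac
}

setup_ca
issue_server server_nocdp server_nocdp radius1.example.org
issue_server server_cdp   server_cdp   radius2.example.org
revoke_and_gencrl "$CADIR/server_nocdp.pem"
for c in server_nocdp server_cdp; do
    if has_cdp "$CADIR/$c.pem"; then cdp=yes; else cdp=no; fi
    echo "$c: cdp=$cdp status=$(crl_status "$CADIR/$c.pem")"
done
```

The script leaves its CA in the mktemp directory ($CADIR) so the files can be inspected afterwards; "openssl crl -in $CADIR/ca.crl -noout -text" shows the nextUpdate that clients holding a local copy will have to refresh before it lapses. Note that "openssl verify -crl_check" fails closed: with no CRL for the issuer available it reports an error rather than "ok", so a client configured for local CRL checking must always have a current file in place.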