how to disable crlDistributionPoints extension?
Hi, I have a problem that crlDistributionPoints is included in server certification.This forces clients to check CRL via http.For the sake of simplicity for my setup, I don't want clients to check CRL via HTTP.# checking CRL stored in clients locally is enough (e.g. in StrongSwan, ipsec.d/crls/) I deleted the following parameter in ca.cnf (I'm using FR3.0.10)[v3_ca]subjectKeyIdentifier = hashauthorityKeyIdentifier = keyid:always,issuer:alwaysbasicConstraints = critical,CA:truecrlDistributionPoints = URI:http://www.example.org/example_ca.crl <<< HERE I performed "make ca.pem"Then I made server certification and CDP is included as follows:openssl x509 -text -noout -in server.pemCertificate: Data: Version: 3 (0x2) Serial Number: 1 (0x1) Signature Algorithm: sha256WithRSAEncryption Issuer: C=JP, ST=Tokyo, L=XXX, O=XXX/emailAddress=XXX@XXX, CN=FR-CA Validity Not Before: Mar 16 15:02:23 2016 GMT Not After : Mar 11 15:02:23 2036 GMT Subject: C=JP, ST=Tokyo, O=XXX, CN=FR-Svr/emailAddress=XXX@XXX(snip) X509v3 extensions: X509v3 Extended Key Usage: TLS Web Server Authentication X509v3 CRL Distribution Points: <<< HERE!!! Full Name: URI:http://www.example.com/example_ca.crl My idea is wrong? Regards,
Hi,
I have a problem that crlDistributionPoints is included in server certification.This forces clients to check CRL via http.For the sake of simplicity for my setup, I don't want clients to check CRL via HTTP.# checking CRL stored in clients locally is enough (e.g. in StrongSwan, ipsec.d/crls/) I deleted the following parameter in ca.cnf (I'm using FR3.0.10)[v3_ca]subjectKeyIdentifier = hashauthorityKeyIdentifier = keyid:always,issuer:alwaysbasicConstraints = critical,CA:truecrlDistributionPoints = URI:http://www.example.org/example_ca.crl <<< HERE I performed "make ca.pem"Then I made server certification and CDP is included as follows:openssl x509 -text -noout -in server.pemCertificate: Data: Version: 3 (0x2) Serial Number: 1 (0x1) Signature Algorithm: sha256WithRSAEncryption Issuer: C=JP, ST=Tokyo, L=XXX, O=XXX/emailAddress=XXX@XXX, CN=FR-CA Validity Not Before: Mar 16 15:02:23 2016 GMT Not After : Mar 11 15:02:23 2036 GMT Subject: C=JP, ST=Tokyo, O=XXX, CN=FR-Svr/emailAddress=XXX@XXX(snip) X509v3 extensions: X509v3 Extended Key Usage: TLS Web Server Authentication X509v3 CRL Distribution Points: <<< HERE!!! Full Name: URI:http://www.example.com/example_ca.crl My idea is wrong?
You can stop including crlDPs by commenting out the lines in the config. Some OSes require this property in server certs. If you omit it, your cert will not be good enough on those OSes. I don't think you really *want* local CRLs on clients. CRLs typically have a very short lifetime (like: expire every 2 weeks), so you'd have to manually feed your clients with new CRLs every so often. Greetings, Stefan Winter -- Stefan WINTER Ingenieur de Recherche Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche 2, avenue de l'Université L-4365 Esch-sur-Alzette Tel: +352 424409 1 Fax: +352 422473 PGP key updated to 4096 Bit RSA - I will encrypt all mails if the recipient's key is known to me http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66
Thanks, Stefan I'll use CRL. But let me confirm.Sorry for my basic question though, how can I make CRL on FR3.0.10? As for certification, I used script like ca.cnf and server.cnf.# Because I cared about IOT (between FR and certification), so I used scripts.As for CRL, is it to use "openssl ca -gencrl" command? No script for it? (I couldn't find out the script.) Regards, On Thursday, 17 March 2016, 23:19, Stefan Winter <stefan.winter@restena.lu> wrote: Hi,
I have a problem that crlDistributionPoints is included in server certification.This forces clients to check CRL via http.For the sake of simplicity for my setup, I don't want clients to check CRL via HTTP.# checking CRL stored in clients locally is enough (e.g. in StrongSwan, ipsec.d/crls/) I deleted the following parameter in ca.cnf (I'm using FR3.0.10)[v3_ca]subjectKeyIdentifier = hashauthorityKeyIdentifier = keyid:always,issuer:alwaysbasicConstraints = critical,CA:truecrlDistributionPoints = URI:http://www.example.org/example_ca.crl <<< HERE I performed "make ca.pem"Then I made server certification and CDP is included as follows:openssl x509 -text -noout -in server.pemCertificate: Data: Version: 3 (0x2) Serial Number: 1 (0x1) Signature Algorithm: sha256WithRSAEncryption Issuer: C=JP, ST=Tokyo, L=XXX, O=XXX/emailAddress=XXX@XXX, CN=FR-CA Validity Not Before: Mar 16 15:02:23 2016 GMT Not After : Mar 11 15:02:23 2036 GMT Subject: C=JP, ST=Tokyo, O=XXX, CN=FR-Svr/emailAddress=XXX@XXX(snip) X509v3 extensions: X509v3 Extended Key Usage: TLS Web Server Authentication X509v3 CRL Distribution Points: <<< HERE!!! Full Name: URI:http://www.example.com/example_ca.crl My idea is wrong?
You can stop including crlDPs by commenting out the lines in the config. Some OSes require this property in server certs. If you omit it, your cert will not be good enough on those OSes. I don't think you really *want* local CRLs on clients. CRLs typically have a very short lifetime (like: expire every 2 weeks), so you'd have to manually feed your clients with new CRLs every so often. Greetings, Stefan Winter -- Stefan WINTER Ingenieur de Recherche Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche 2, avenue de l'Université L-4365 Esch-sur-Alzette Tel: +352 424409 1 Fax: +352 422473 PGP key updated to 4096 Bit RSA - I will encrypt all mails if the recipient's key is known to me http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66 - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
"openssl crl" and then -help takes you from there :-) Stefan Am 17.03.2016 um 15:35 schrieb yukou katori:
Thanks, Stefan I'll use CRL. But let me confirm.Sorry for my basic question though, how can I make CRL on FR3.0.10? As for certification, I used script like ca.cnf and server.cnf.# Because I cared about IOT (between FR and certification), so I used scripts.As for CRL, is it to use "openssl ca -gencrl" command? No script for it? (I couldn't find out the script.) Regards,
On Thursday, 17 March 2016, 23:19, Stefan Winter <stefan.winter@restena.lu> wrote:
Hi,
I have a problem that crlDistributionPoints is included in server certification.This forces clients to check CRL via http.For the sake of simplicity for my setup, I don't want clients to check CRL via HTTP.# checking CRL stored in clients locally is enough (e.g. in StrongSwan, ipsec.d/crls/) I deleted the following parameter in ca.cnf (I'm using FR3.0.10)[v3_ca]subjectKeyIdentifier = hashauthorityKeyIdentifier = keyid:always,issuer:alwaysbasicConstraints = critical,CA:truecrlDistributionPoints = URI:http://www.example.org/example_ca.crl <<< HERE I performed "make ca.pem"Then I made server certification and CDP is included as follows:openssl x509 -text -noout -in server.pemCertificate: Data: Version: 3 (0x2) Serial Number: 1 (0x1) Signature Algorithm: sha256WithRSAEncryption Issuer: C=JP, ST=Tokyo, L=XXX, O=XXX/emailAddress=XXX@XXX, CN=FR-CA Validity Not Before: Mar 16 15:02:23 2016 GMT Not After : Mar 11 15:02:23 2036 GMT Subject: C=JP, ST=Tokyo, O=XXX, CN=FR-Svr/emailAddress=XXX@XXX(snip) X509v3 extensions: X509v3 Extended Key Usage: TLS Web Server Authentication X509v3 CRL Distribution Points: <<< HERE!!! Full Name: URI:http://www.example.com/example_ca.crl My idea is wrong?
You can stop including crlDPs by commenting out the lines in the config.
Some OSes require this property in server certs. If you omit it, your cert will not be good enough on those OSes.
I don't think you really *want* local CRLs on clients. CRLs typically have a very short lifetime (like: expire every 2 weeks), so you'd have to manually feed your clients with new CRLs every so often.
Greetings,
Stefan Winter
-- Stefan WINTER Ingenieur de Recherche Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche 2, avenue de l'Université L-4365 Esch-sur-Alzette Tel: +352 424409 1 Fax: +352 422473 PGP key updated to 4096 Bit RSA - I will encrypt all mails if the recipient's key is known to me http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66
Hi,
I'll use CRL. But let me confirm.Sorry for my basic question though, how can I make CRL on FR3.0.10? As for certification, I used script like ca.cnf and server.cnf.# Because I cared about IOT (between FR and certification), so I used scripts.As for CRL, is it to use "openssl ca -gencrl" command? No script for it? (I couldn't find out the script.)
Sorry; you are right, generation is with "openssl ca -gencrl". There's not much scripting needed besides that one single command. The parameters may need a bit of tuning and the Makefile *could* make this easier probably. Stefan
Regards,
On Thursday, 17 March 2016, 23:19, Stefan Winter <stefan.winter@restena.lu> wrote:
Hi,
I have a problem that crlDistributionPoints is included in server certification.This forces clients to check CRL via http.For the sake of simplicity for my setup, I don't want clients to check CRL via HTTP.# checking CRL stored in clients locally is enough (e.g. in StrongSwan, ipsec.d/crls/) I deleted the following parameter in ca.cnf (I'm using FR3.0.10)[v3_ca]subjectKeyIdentifier = hashauthorityKeyIdentifier = keyid:always,issuer:alwaysbasicConstraints = critical,CA:truecrlDistributionPoints = URI:http://www.example.org/example_ca.crl <<< HERE I performed "make ca.pem"Then I made server certification and CDP is included as follows:openssl x509 -text -noout -in server.pemCertificate: Data: Version: 3 (0x2) Serial Number: 1 (0x1) Signature Algorithm: sha256WithRSAEncryption Issuer: C=JP, ST=Tokyo, L=XXX, O=XXX/emailAddress=XXX@XXX, CN=FR-CA Validity Not Before: Mar 16 15:02:23 2016 GMT Not After : Mar 11 15:02:23 2036 GMT Subject: C=JP, ST=Tokyo, O=XXX, CN=FR-Svr/emailAddress=XXX@XXX(snip) X509v3 extensions: X509v3 Extended Key Usage: TLS Web Server Authentication X509v3 CRL Distribution Points: <<< HERE!!! Full Name: URI:http://www.example.com/example_ca.crl My idea is wrong?
You can stop including crlDPs by commenting out the lines in the config.
Some OSes require this property in server certs. If you omit it, your cert will not be good enough on those OSes.
I don't think you really *want* local CRLs on clients. CRLs typically have a very short lifetime (like: expire every 2 weeks), so you'd have to manually feed your clients with new CRLs every so often.
Greetings,
Stefan Winter
-- Stefan WINTER Ingenieur de Recherche Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche 2, avenue de l'Université L-4365 Esch-sur-Alzette Tel: +352 424409 1 Fax: +352 422473 PGP key updated to 4096 Bit RSA - I will encrypt all mails if the recipient's key is known to me http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66
OK, thanks, Stefan! Regards, On Friday, 18 March 2016, 0:05, Stefan Winter <stefan.winter@restena.lu> wrote: Hi,
I'll use CRL. But let me confirm.Sorry for my basic question though, how can I make CRL on FR3.0.10? As for certification, I used script like ca.cnf and server.cnf.# Because I cared about IOT (between FR and certification), so I used scripts.As for CRL, is it to use "openssl ca -gencrl" command? No script for it? (I couldn't find out the script.)
Sorry; you are right, generation is with "openssl ca -gencrl". There's not much scripting needed besides that one single command. The parameters may need a bit of tuning and the Makefile *could* make this easier probably. Stefan
Regards,
On Thursday, 17 March 2016, 23:19, Stefan Winter <stefan.winter@restena.lu> wrote:
Hi,
I have a problem that crlDistributionPoints is included in server certification.This forces clients to check CRL via http.For the sake of simplicity for my setup, I don't want clients to check CRL via HTTP.# checking CRL stored in clients locally is enough (e.g. in StrongSwan, ipsec.d/crls/) I deleted the following parameter in ca.cnf (I'm using FR3.0.10)[v3_ca]subjectKeyIdentifier = hashauthorityKeyIdentifier = keyid:always,issuer:alwaysbasicConstraints = critical,CA:truecrlDistributionPoints = URI:http://www.example.org/example_ca.crl <<< HERE I performed "make ca.pem"Then I made server certification and CDP is included as follows:openssl x509 -text -noout -in server.pemCertificate: Data: Version: 3 (0x2) Serial Number: 1 (0x1) Signature Algorithm: sha256WithRSAEncryption Issuer: C=JP, ST=Tokyo, L=XXX, O=XXX/emailAddress=XXX@XXX, CN=FR-CA Validity Not Before: Mar 16 15:02:23 2016 GMT Not After : Mar 11 15:02:23 2036 GMT Subject: C=JP, ST=Tokyo, O=XXX, CN=FR-Svr/emailAddress=XXX@XXX(snip) X509v3 extensions: X509v3 Extended Key Usage: TLS Web Server Authentication X509v3 CRL Distribution Points: <<< HERE!!! Full Name: URI:http://www.example.com/example_ca.crl My idea is wrong?
You can stop including crlDPs by commenting out the lines in the config.
Some OSes require this property in server certs. If you omit it, your cert will not be good enough on those OSes.
I don't think you really *want* local CRLs on clients. CRLs typically have a very short lifetime (like: expire every 2 weeks), so you'd have to manually feed your clients with new CRLs every so often.
Greetings,
Stefan Winter
-- Stefan WINTER Ingenieur de Recherche Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche 2, avenue de l'Université L-4365 Esch-sur-Alzette Tel: +352 424409 1 Fax: +352 422473 PGP key updated to 4096 Bit RSA - I will encrypt all mails if the recipient's key is known to me http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66 - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (2)
-
Stefan Winter -
yukou katori