EAP-TLS CRL problem - a PKIX guru around?
tsouk
tsouk.n at gmail.com
Wed Jan 20 16:12:06 CET 2016
Hi Stefan,
Had some CRL problems back in the day, with Apache 2.2 and Apache 2.4
behaving differently (I believe the change is in Apache 2.3, and I will
have a whole blog post about this in the BBC internet blog soon).
Have a look at the RFC (), under "6.3.3. CRL Processing", specifically:
(b) Verify the issuer and scope of the complete CRL as follows:
...
(2) If the complete CRL includes an issuing distribution point
(IDP) CRL extension, check the following:
(i) If the distribution point name is present in the IDP
CRL extension and the distribution field is present in
the DP, then verify that one of the names in the IDP
matches one of the names in the DP. If the
distribution point name is present in the IDP CRL
extension and the distribution field is omitted from
the DP, then verify that one of the names in the IDP
matches one of the names in the cRLIssuer field of the
DP.
So I think this, in your CRL:
X509v3 Issuing Distrubution Point:
Full Name:
URI:https://www.restena.lu/restena-staffauth.crl
...and this in your Cert...
X509v3 CRL Distribution Points:
Full Name:
URI:https://www.restena.lu/ca/restena-root.crl
...might have to match.
Let me know if this helps!
Nikos
More information about the Freeradius-Users
mailing list