how to disable crlDistributionPoints extension?

yukou katori k10lie.tech at yahoo.co.uk
Thu Mar 17 15:35:07 CET 2016


Thanks, Stefan
I'll use CRL. But let me confirm. Sorry for my basic question though, how can I make a CRL on FR3.0.10?
As for certification, I used scripts like ca.cnf and server.cnf. # Because I cared about IOT (between FR and certification), so I used scripts.
As for CRL, is it to use the "openssl ca -gencrl" command? No script for it? (I couldn't find the script.)
Regards,
 

    On Thursday, 17 March 2016, 23:19, Stefan Winter <stefan.winter at restena.lu> wrote:
 

 Hi,

> I have a problem that crlDistributionPoints is included in the server certificate. This forces clients to check the CRL via HTTP. For the sake of simplicity for my setup, I don't want clients to check the CRL via HTTP. # checking a CRL stored locally on the clients is enough (e.g. in StrongSwan, ipsec.d/crls/)
>
> I deleted the following parameter in ca.cnf (I'm using FR3.0.10):
>
> [v3_ca]
> subjectKeyIdentifier    = hash
> authorityKeyIdentifier  = keyid:always,issuer:always
> basicConstraints        = critical,CA:true
> crlDistributionPoints   = URI:http://www.example.org/example_ca.crl <<< HERE
>
> I performed "make ca.pem". Then I made the server certificate and the CDP is included as follows:
>
> openssl x509 -text -noout -in server.pem
> Certificate:
>     Data:
>         Version: 3 (0x2)
>         Serial Number: 1 (0x1)
>     Signature Algorithm: sha256WithRSAEncryption
>         Issuer: C=JP, ST=Tokyo, L=XXX, O=XXX/emailAddress=XXX at XXX, CN=FR-CA
>         Validity
>             Not Before: Mar 16 15:02:23 2016 GMT
>             Not After : Mar 11 15:02:23 2036 GMT
>         Subject: C=JP, ST=Tokyo, O=XXX, CN=FR-Svr/emailAddress=XXX at XXX
> (snip)
>         X509v3 extensions:
>             X509v3 Extended Key Usage:
>                 TLS Web Server Authentication
>             X509v3 CRL Distribution Points: <<< HERE!!!
>                 Full Name:
>                   URI:http://www.example.com/example_ca.crl
>
> Is my idea wrong?

You can stop including crlDPs by commenting out the lines in the config.

Some OSes require this property in server certs. If you omit it, your
cert will not be good enough on those OSes.

I don't think you really *want* local CRLs on clients. CRLs typically
have a very short lifetime (like: expire every 2 weeks), so you'd have
to manually feed your clients with new CRLs every so often.

Greetings,

Stefan Winter

-- 
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et
de la Recherche
2, avenue de l'Université
L-4365 Esch-sur-Alzette

Tel: +352 424409 1
Fax: +352 422473

PGP key updated to 4096 Bit RSA - I will encrypt all mails if the
recipient's key is known to me

http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
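An added example, not code from the thread or from the FreeRADIUS project, covering the two points above: that the CRL Distribution Points extension in a server cert is set by the extension section named when that cert is signed (editing [v3_ca] only affects the CA cert), and how a CRL is issued with "openssl ca -gencrl" and then used for a purely local check. It assumes the openssl CLI is on PATH; the throwaway ca.cnf, section names and subjects are all constructed here.

```shell
# Added example (not from the thread): a throwaway CA in a temp dir. The server cert
# gets a CDP only when signed with a section that contains crlDistributionPoints;
# the CRL is then issued with "openssl ca -gencrl" and checked locally. Assumes openssl on PATH.
set -eu
WORK=$(mktemp -d); cd "$WORK"
mkdir newcerts; : > index.txt; echo 01 > serial
cat > ca.cnf <<'EOF'
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = .
database = $dir/index.txt
new_certs_dir = $dir/newcerts
serial = $dir/serial
unique_subject = no
default_md = sha256
default_days = 365
default_crl_days = 14
policy = policy_any
[ policy_any ]
commonName = supplied
[ req ]
distinguished_name = dn
[ dn ]
[ v3_ca ]
basicConstraints = critical,CA:true
[ server_with_cdp ]
extendedKeyUsage = serverAuth
crlDistributionPoints = URI:http://www.example.com/example_ca.crl
[ server_no_cdp ]
extendedKeyUsage = serverAuth
EOF
# Self-signed CA from [v3_ca] (no crlDistributionPoints there), then one server CSR.
openssl req -x509 -new -newkey rsa:2048 -nodes -keyout ca.key -out ca.pem -config ca.cnf \
  -subj /CN=FR-CA -extensions v3_ca 2>/dev/null
openssl req -new -newkey rsa:2048 -nodes -keyout server.key -out server.csr -config ca.cnf \
  -subj /CN=FR-Svr 2>/dev/null
sign_server() {  # $1 = extension section in ca.cnf, $2 = output cert file
  openssl ca -batch -config ca.cnf -extensions "$1" -cert ca.pem -keyfile ca.key \
    -in server.csr -out "$2" -notext >/dev/null 2>&1
}
has_cdp() {  # prints yes/no: does the cert carry a CRL Distribution Points extension?
  openssl x509 -noout -text -in "$1" | grep -q 'CRL Distribution Points' && echo yes || echo no
}
sign_server server_with_cdp server_cdp.pem; sign_server server_no_cdp server_nocdp.pem
# Issue the (still empty) CRL; a client holding CA cert + CRL verifies without any HTTP fetch.
openssl ca -config ca.cnf -gencrl -cert ca.pem -keyfile ca.key -out ca.crl 2>/dev/null
cat ca.pem ca.crl > ca_with_crl.pem
crl_check() {  # prints OK when $1 chains to the CA and passes the local CRL check
  openssl verify -crl_check -CAfile ca_with_crl.pem "$1" >/dev/null 2>&1 && echo OK || echo FAIL
}
```

Because default_crl_days is 14 here, the CRL in ca_with_crl.pem stops validating after two weeks, which is the refresh burden Stefan describes.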
