how to disable crlDistributionPoints extension?
Stefan Winter
stefan.winter at restena.lu
Thu Mar 17 16:04:34 CET 2016
Hi,
> I'll use CRL. But let me confirm. Sorry for my basic question though, how can I make a CRL on FR3.0.10?
> As for certificates, I used scripts like ca.cnf and server.cnf.
> # Because I cared about IOT (between FR and certificates), so I used scripts.
> As for the CRL, is it to use the "openssl ca -gencrl" command? No script for it? (I couldn't find the script.)
Sorry; you are right, generation is with "openssl ca -gencrl". There's
not much scripting needed besides that one single command. The
parameters may need a bit of tuning and the Makefile *could* make this
easier probably.
Stefan
> Regards,
>
>
> On Thursday, 17 March 2016, 23:19, Stefan Winter <stefan.winter at restena.lu> wrote:
>
>
> Hi,
>
>> I have a problem that crlDistributionPoints is included in the server certificate. This forces clients to check the CRL via http.
>> For the sake of simplicity for my setup, I don't want clients to check the CRL via HTTP.
>> # checking a CRL stored locally on the clients is enough (e.g. in StrongSwan, ipsec.d/crls/)
>>
>> I deleted the following parameter in ca.cnf (I'm using FR3.0.10):
>> [v3_ca]
>> subjectKeyIdentifier = hash
>> authorityKeyIdentifier = keyid:always,issuer:always
>> basicConstraints = critical,CA:true
>> crlDistributionPoints = URI:http://www.example.org/example_ca.crl    <<< HERE
>>
>> I performed "make ca.pem". Then I made the server certificate, and the CDP is included as follows:
>> openssl x509 -text -noout -in server.pem
>> Certificate:
>>     Data:
>>         Version: 3 (0x2)
>>         Serial Number: 1 (0x1)
>>     Signature Algorithm: sha256WithRSAEncryption
>>         Issuer: C=JP, ST=Tokyo, L=XXX, O=XXX/emailAddress=XXX at XXX, CN=FR-CA
>>         Validity
>>             Not Before: Mar 16 15:02:23 2016 GMT
>>             Not After : Mar 11 15:02:23 2036 GMT
>>         Subject: C=JP, ST=Tokyo, O=XXX, CN=FR-Svr/emailAddress=XXX at XXX
>>         (snip)
>>         X509v3 extensions:
>>             X509v3 Extended Key Usage:
>>                 TLS Web Server Authentication
>>             X509v3 CRL Distribution Points:    <<< HERE!!!
>>                 Full Name:
>>                   URI:http://www.example.com/example_ca.crl
>>
>> Is my idea wrong?
>
> You can stop including crlDPs by commenting out the lines in the config.
>
> Some OSes require this property in server certs. If you omit it, your
> cert will not be good enough on those OSes.
>
> I don't think you really *want* local CRLs on clients. CRLs typically
> have a very short lifetime (like: expire every 2 weeks), so you'd have
> to manually feed your clients with new CRLs every so often.
>
> Greetings,
>
> Stefan Winter
>
--
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et
de la Recherche
2, avenue de l'Université
L-4365 Esch-sur-Alzette
Tel: +352 424409 1
Fax: +352 422473
PGP key updated to 4096 Bit RSA - I will encrypt all mails if the
recipient's key is known to me
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66
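Added example (not code from this thread or from the FreeRADIUS project): a POSIX shell script that walks through the exchange above with a throwaway CA, so the commands can be tried without touching a live FreeRADIUS install. Every file name, section name, subject and URL in it is invented. It makes two points concrete. First, the extensions on an issued server certificate come from the section handed to "openssl ca" via -extensions (or -extfile) when the CSR is signed; [v3_ca] only shapes the CA certificate, so commenting crlDistributionPoints out there leaves the server certificate unchanged, which is consistent with the output quoted above, where the URI in the server certificate is not even the one that was in [v3_ca]. Second, a CRL is produced by "openssl ca -gencrl", which needs a crlnumber file and a default_crl_days value in the CA section of the config and nothing else. The script issues one certificate without the extension and one with it, publishes a CRL, revokes the first certificate, republishes, and shows "openssl verify -crl_check" against a locally stored CRL rejecting it afterwards.

```shell
#!/bin/sh
# Added example, not from the thread or the FreeRADIUS project: a throwaway
# CA that issues one server cert without crlDistributionPoints and one with
# it, then revokes the first and publishes a CRL via "openssl ca -gencrl".
# Needs only sh and the openssl CLI; every name, path and subject is invented.
set -eu

# Minimal ca.cnf. [v3_ca] shapes the CA certificate only; an issued cert
# gets whatever section is passed to "openssl ca -extensions", so the CDP
# has to be removed (commented out here) in that section.
write_ca_cnf() {
    cat > ca.cnf <<'EOF'
[ ca ]
default_ca       = CA_default
[ CA_default ]
dir              = .
database         = $dir/index.txt
new_certs_dir    = $dir/newcerts
serial           = $dir/serial
crlnumber        = $dir/crlnumber
certificate      = $dir/ca.pem
private_key      = $dir/ca.key
default_md       = sha256
default_days     = 365
default_crl_days = 14
policy           = policy_any
[ policy_any ]
commonName       = supplied
[ req ]
prompt             = no
distinguished_name = req_dn
[ req_dn ]
CN = placeholder
[ v3_ca ]
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always,issuer:always
basicConstraints       = critical,CA:true
# crlDistributionPoints = URI:http://www.example.org/example_ca.crl
[ v3_server ]
extendedKeyUsage       = serverAuth
# crlDistributionPoints = URI:http://www.example.com/example_ca.crl
[ v3_server_cdp ]
extendedKeyUsage       = serverAuth
crlDistributionPoints  = URI:http://www.example.com/example_ca.crl
EOF
}
# issue_cert CADIR EXT_SECTION CN BASENAME: key, CSR and signed cert in CADIR.
issue_cert() {
    (
        cd "$1"
        openssl genrsa -out "$4.key" 2048 2>/dev/null
        openssl req -new -key "$4.key" -out "$4.csr" -config ca.cnf -subj "/CN=$3"
        openssl ca -batch -notext -config ca.cnf -extensions "$2" \
            -in "$4.csr" -out "$4.pem" >/dev/null 2>&1
    )
}
# build_demo_pki CADIR: self-signed CA plus the two server certificates.
build_demo_pki() {
    mkdir -p "$1/newcerts"
    (
        cd "$1"
        write_ca_cnf
        # "openssl ca" database, next serial, next CRL number (-gencrl needs it)
        : > index.txt; echo 01 > serial; echo 01 > crlnumber
        openssl genrsa -out ca.key 2048 2>/dev/null
        openssl req -new -x509 -key ca.key -out ca.pem -days 3650 \
            -config ca.cnf -extensions v3_ca -subj "/CN=Demo-CA"
    )
    issue_cert "$1" v3_server     Demo-Svr     server
    issue_cert "$1" v3_server_cdp Demo-Svr-CDP server-cdp
}
# publish_crl CADIR: the one command the question is about; writes ca.crl.
publish_crl() {
    (cd "$1" && openssl ca -config ca.cnf -gencrl -out ca.crl >/dev/null 2>&1)
}
# revoke_cert CADIR BASENAME: mark revoked in the CA database; takes effect
# in the next publish_crl.
revoke_cert() {
    (cd "$1" && openssl ca -config ca.cnf -revoke "$2.pem" >/dev/null 2>&1)
}
# cert_has_cdp CERT: exit 0 if the cert carries CRL Distribution Points.
cert_has_cdp() {
    openssl x509 -noout -text -in "$1" | grep -q "CRL Distribution Points"
}
# verify_with_crl CADIR BASENAME: exit 0 if the cert verifies with CRL checking
# on. The CRL is appended to the CA file, so nothing is fetched over HTTP;
# this is the local-CRL setup the original poster wanted.
verify_with_crl() {
    cat "$1/ca.pem" "$1/ca.crl" > "$1/ca_with_crl.pem"
    openssl verify -crl_check -CAfile "$1/ca_with_crl.pem" "$1/$2.pem" >/dev/null 2>&1
}
# Whole sequence; run as: sh crl_demo.sh demo
demo() {
    d=$(mktemp -d); build_demo_pki "$d"; publish_crl "$d"
    cert_has_cdp "$d/server.pem" || echo "server.pem: no CDP"
    cert_has_cdp "$d/server-cdp.pem" && echo "server-cdp.pem: CDP present"
    verify_with_crl "$d" server && echo "before revocation: verify OK"
    revoke_cert "$d" server; publish_crl "$d"
    verify_with_crl "$d" server || echo "after revocation: server.pem rejected"
}
case "${1:-}" in demo) demo ;; esac
```

The script name crl_demo.sh is assumed. The functions are split so each step can be checked separately: cert_has_cdp answers the question in the quoted output directly, and verify_with_crl is the client-side check with a local CRL. In a FreeRADIUS raddb/certs directory the Makefile signs the server CSR with -extensions xpserver_ext -extfile xpextensions, so the crlDistributionPoints line that ends up in server.pem is the one in xpextensions, not the one in [v3_ca] of ca.cnf; that is the line to comment out if the CDP is unwanted, keeping in mind the caveat above that some client OSes expect it.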