Andrei Borzenkov wrote:
On Thu, Oct 20, 2016 at 1:09 AM, Bjoern Voigt <bjoernv@arcor.de> wrote:
Bjoern Voigt wrote:
# ln -sv /etc/pki/trust/anchors/MY-CA.crl /var/lib/ca-certificates/openssl/49742892.r0
'/var/lib/ca-certificates/openssl/49742892.r0' -> '/etc/pki/trust/anchors/MY-CA.crl'
# update-ca-certificates

I found that "update-ca-certificates" removes the manually created link. Not good. Unfortunately "chattr +i" also does not help here to keep the link intact:

# sudo lsattr /var/lib/ca-certificates/openssl/49742892.r0
lsattr: Operation not supported While reading flags on /var/lib/ca-certificates/openssl/49742892.r0

Anyway, I see the next error if I link after "update-ca-certificates":

# openssl verify -crl_check_all MY-CA.crt
TGM-VPN-CA.crt: CN = My CA
error 12 at 0 depth lookup:CRL has expired
OK

Even this OpenSSL error is mostly undocumented. It may be a problem related to Easyrsa3.
Oh, joy of relying on undocumented tools using undocumented utilities ...
TL;DR - it is not possible :)
openSUSE is using p11-kit to manage certificates and p11-kit currently simply does not support CRL (I would love to be proven wrong). There are ideas about providing common revocation cache, but this link has "no source available" as of now.
I tried to chain the root certificate with the CRL, but it does not work either - the p11-glue trust module does not blindly copy the certificate file, but rather extracts the certificate and creates a new file. Oh, one of the most secure OSes does not support system-wide CRLs ...
Andrei, is there a known bug report upstream or in openSUSE?
OTOH what is the purpose of storing a CRL for openssl? If you intend to use this CA for web sites, browsers usually request the CRL themselves?

I have an internal CA. The Owncloud client, which is a Qt application, has no configuration of its own for root certificates and CRLs AFAIK. Owncloud recognizes the root certificate but would probably accept revoked certificates. There are other client and server applications which would also profit from a system-wide certificate setup.
Of course the distribution of recent updates of CRL files to many clients is also an unsolved problem. For some users OCSP may be an option, but an OCSP setup is probably too much for my relatively small network.

Greetings,
Björn
--
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse+owner@opensuse.org
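The `49742892.r0` name in the `ln` command above is how OpenSSL finds a CRL in a hash directory (`-CApath`): it hashes the CRL's issuer name and looks for `<hash>.r0`, `<hash>.r1`, ..., the same way `c_rehash` and `update-ca-certificates` name CA certificate links `<hash>.0`. The Python below is an example added here, not code from the thread or from any openSUSE or OpenSSL tool; it re-implements that X509_NAME_hash computation (OpenSSL's canonical encoding of the name, SHA-1, first four bytes little-endian) so the link name can be predicted and cross-checked. The OID table is a small subset, the name parser only handles single-valued RDNs, and the sample names are constructed for the example.

```python
"""OpenSSL hash-directory names for CA certificates and CRLs.

OpenSSL (1.0.0 and later) locates files under -CApath by name: a CA
certificate is <hash>.0 (.1, .2 ... on collision) and a CRL is <hash>.r0,
where <hash> is X509_NAME_hash() of the certificate subject or the CRL
issuer: SHA-1 over OpenSSL's canonical encoding of the X.509 name, with the
first four digest bytes read as a little-endian integer.  Illustrative
re-implementation (assumption: not OpenSSL's own code); the OID table is a
small subset and the names used below are constructed for the example.
"""
import hashlib
import struct

# Attribute-type OIDs for the short names accepted by parse_name (subset).
OIDS = {
    "C": "2.5.4.6",
    "ST": "2.5.4.8",
    "L": "2.5.4.7",
    "O": "2.5.4.10",
    "OU": "2.5.4.11",
    "CN": "2.5.4.3",
}

ASCII_WS = b" \t\n\x0b\x0c\r"  # the characters ossl_isspace() accepts


def der_length(n):
    """DER length octets, short or long form."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag, content):
    """One DER tag-length-value element."""
    return bytes([tag]) + der_length(len(content)) + content


def der_oid(dotted):
    """DER OBJECT IDENTIFIER from dotted-decimal text."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(reversed(chunk))
    return der_tlv(0x06, bytes(body))


def canon_string(value):
    """asn1_string_canon(): value as UTF-8 with leading/trailing ASCII
    whitespace removed, inner whitespace runs collapsed to one space and
    ASCII letters lower-cased (non-ASCII bytes are copied unchanged)."""
    data = value.encode("utf-8").strip(ASCII_WS)
    out = bytearray()
    i = 0
    while i < len(data):
        if data[i] in ASCII_WS:
            out.append(0x20)
            while data[i] in ASCII_WS:  # last byte is never whitespace
                i += 1
        else:
            b = data[i]
            out.append(b + 0x20 if 0x41 <= b <= 0x5A else b)
            i += 1
    return bytes(out)


def canonical_name(rdns):
    """x509_name_canon(): each RDN encoded as SET OF SEQUENCE { OID,
    UTF8String(canonical value) }, concatenated WITHOUT the outer SEQUENCE
    header a normal Name has; SET OF members sorted byte-wise as DER
    requires (only matters for multi-valued RDNs)."""
    out = b""
    for rdn in rdns:
        entries = sorted(
            der_tlv(0x30, der_oid(OIDS[attr]) + der_tlv(0x0C, canon_string(val)))
            for attr, val in rdn
        )
        out += der_tlv(0x31, b"".join(entries))
    return out


def name_hash(rdns):
    """X509_NAME_hash(): first four SHA-1 bytes, little-endian, as 8 hex
    digits (what `openssl x509 -subject_hash` / `openssl crl -hash` print)."""
    digest = hashlib.sha1(canonical_name(rdns)).digest()
    return "%08x" % struct.unpack("<I", digest[:4])[0]


def parse_name(text):
    """'C=US, O=Example, CN=My CA' -> list of single-valued RDNs.  Values
    containing ',' or '=' are not supported by this small parser."""
    rdns = []
    for part in text.split(","):
        attr, value = part.strip().split("=", 1)
        rdns.append([(attr.strip(), value)])
    return rdns


def capath_link_name(rdns, kind="cert", n=0):
    """File name c_rehash / update-ca-certificates would give the object
    under -CApath: <hash>.<n> for a CA certificate, <hash>.r<n> for a CRL."""
    suffix = "r%d" % n if kind == "crl" else "%d" % n
    return "%s.%s" % (name_hash(rdns), suffix)


if __name__ == "__main__":
    # Public root, constructed here from its well-known subject DN.
    digicert = parse_name("C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Global Root CA")
    print(capath_link_name(digicert))          # 3513523f.0, as in /etc/ssl/certs
    print(capath_link_name(digicert, "crl"))   # 3513523f.r0: a CRL this CA issues
    # Canonicalisation: case and spacing of the value do not change the hash.
    print(name_hash(parse_name("CN=My CA")) == name_hash(parse_name("CN=MY   ca")))
```

To compare with the real thing, `openssl crl -hash -noout -in MY-CA.crl` prints the value the `.r0` link must carry and `openssl x509 -subject_hash -noout -in MY-CA.crt` the one for the certificate (`-subject_hash_old` gives the pre-1.0.0 MD5 scheme, which is not what current hash directories use). The link only lets OpenSSL find the CRL; `-crl_check_all` still fails closed once the CRL's nextUpdate has passed, which is what `error 12 ... CRL has expired` means, so the CRL has to be regenerated (`openssl ca -gencrl`, or easyrsa's `gen-crl`) and re-installed before it lapses.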