
I have generated a self-signed certificate, Root-CA, signed by Root-CA.

Then Intermediate-CA, signed by Root-CA, and Server, signed by Intermediate-CA.

The certificates are as given below:

Root-CA  ->  Intermediate-CA  ->  Server

Root-CA:
rootca.key
rootca.crt
rootca.crl

Intermediate-CA:
intermediateca.key
intermediateca.crt
intermediateca.crl

Server:
server.key
server.crt

Nginx conf:

server {
        listen 443 ssl;
        # parameter names are case-sensitive: "SSL" is rejected by nginx, it must be "ssl"
        listen [::]:443 ssl;
        server_name www.example.com;

        # server certificate followed by the intermediate, PEM format
        ssl_certificate  /home/user/confs/server+intermediateca.crt;
        ssl_certificate_key /home/user/confs/server.key;

        # ssl_ocsp and ssl_crl apply to client certificate verification only
        # (ssl_verify_client); they do not affect checks of this server's own certificate
        ssl_ocsp on;
        ssl_crl /home/user/confs/intermediateca+rootca.crl;   # PEM CRLs, concatenated

        # stapling: nginx fetches and caches the OCSP response for the server certificate;
        # ssl_stapling_verify checks that response against ssl_trusted_certificate
        ssl_stapling on;
        ssl_stapling_verify on;
        ssl_trusted_certificate /home/user/confs/intermediateca+rootca.crt;
}

Using this configuration, if I revoke server.crt, the OCSP response shows the certificate is revoked and Firefox shows a revoked-certificate error, but in Google Chrome and Microsoft Edge there is no warning; I am getting access with the revoked certificate. Why? What is going wrong? Google Chrome uses CRLSets; how can I configure this in a proper way? Can anyone please help me with this?

Is there any proper way to configure this so that Google Chrome and Microsoft Edge show a revoked-certificate error? How do I add a revoked certificate to CRLSets?

Using the command below, I am getting an error:

openssl verify -extended_crl -crl_check_all -crl_download -CAfile intermediateca+rootca.pem -verbose server.crt

Output:

Unable to load CRL via CDP
40971A29A97F0000:error:1E80006E:HTTP routines:OSSL_HTTP_REQ_CTX_nbio:missing asn1 encoding:../crypto/http/http_client.c:755:
40971A29A97F0000:error:1E800067:HTTP routines:OSSL_HTTP_REQ_CTX_exchange:error receiving:../crypto/http/http_client.c:874:server=http://www.example.com:80
C = BD, ST = Dhaka, O = Example, CN = www.example.com
error 3 at 0 depth lookup: unable to get certificate CRL
error server.crt: verification failed

What is the above error I am getting? How can I fix that error?

Thank you for your time.

soup

1 Answer

Firefox checks CRLs, whereas Chrome/Chromium/Edge do not. The latter use CRLSets instead.

There is a good table at the bottom of this article. However, it's 18 months old, and as browser security is a moving target, by the time you read it things may have changed :-)

OpenSSL does check CRLs, which is why the revocation checks work for you there.

garethTheRed
  • This is not what I am asking for. See the question above, please. – soup Aug 20 '22 at 02:40
  • From the linked page: _The Chromium source code that implements CRLSets is, of course, public. But the process by which they are generated is not._ That says to me that you cannot simply add your own certificates to the CRLSets. – garethTheRed Aug 20 '22 at 06:12
  • Any idea about the error `unable to get certificate CRL`? It is not working with `crl_download`. – soup Aug 20 '22 at 12:58
  • What have you got as the CRL Distribution Point in your intermediate CA and server certificates? It should be a URL pointing to the relevant CRL. – garethTheRed Aug 20 '22 at 16:25
  • In Root-CA cert's `crlDistributionPoints` to `rootca.crl`. In Intermediate-CA cert's `crlDistributionPoints` to `intermediateca.crl`. Server cert's `crlDistributionPoints` to `intermediateca.crl`. – soup Aug 20 '22 at 17:18
  • How does it point? What scheme? HTTP? LDAP? FTP? https://www.rfc-editor.org/rfc/rfc5280.html#section-4.2.1.13 – garethTheRed Aug 20 '22 at 19:08
  • `crlDistributionPoints=URI:http://www.example.com/crl/intermediateca.crl` – soup Aug 20 '22 at 19:17
  • And is your CRL downloadable from that URL? `curl http://www.example.com/crl/intermediateca.crl` – garethTheRed Aug 20 '22 at 20:12
  • Yes, it is downloadable. `curl http://www.example.com/crl/intermediateca.crl` – soup Aug 21 '22 at 02:05
  • And the root CRL? Please note that Server Fault isn't a site where others do your basic investigation work for you. It is a site for _professional_ IT admins. – garethTheRed Aug 21 '22 at 05:37
  • Both `http://www.example.com/crl/rootca.crl` and `http://www.example.com/crl/intermediateca.crl` are downloadable. I am here just trying to find the solution. This is not a basic problem. If you ask me basic questions, then the answers will be basic. Ask all your questions in one comment; don't make sub-sections. Note: `This comment section looks like a chat section, which does not behave like professional IT admins`; please try to maintain that. – soup Aug 21 '22 at 11:32
  • Let us [continue this discussion in chat](https://chat.stackexchange.com/rooms/138667/discussion-between-soup-and-gareththered). – soup Aug 21 '22 at 11:32
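As an added example, not code from the question or the answer: OpenSSL's `-crl_download` fetches each CRL Distribution Point over HTTP and expects a DER-encoded CRL (RFC 5280 section 4.2.1.13 requires a single DER CRL at an HTTP CDP), whereas nginx's `ssl_crl` reads PEM; the `missing asn1 encoding` line in the output means the body returned for the CDP URL did not parse as ASN.1. This stdlib-only Python checks what a fetched CDP body actually is and unwraps a PEM CRL into the DER form a CDP must serve; the sample inputs in the test are constructed.

```python
import base64
import re

PEM_CRL_RE = re.compile(
    rb"-----BEGIN X509 CRL-----\s*(.*?)\s*-----END X509 CRL-----", re.S)


def der_sequence_length(data: bytes):
    """Return the total byte length of the outer DER SEQUENCE in data, or
    None if data does not start with a well-formed SEQUENCE header.
    A CRL (like a certificate) is a SEQUENCE, so the first byte must be 0x30."""
    if len(data) < 2 or data[0] != 0x30:
        return None
    first = data[1]
    if first < 0x80:                      # short form: one length byte
        return 2 + first
    n = first & 0x7F                      # long form: n length bytes follow
    if n == 0 or n > 4 or len(data) < 2 + n:
        return None
    return 2 + n + int.from_bytes(data[2:2 + n], "big")


def classify_crl_bytes(data: bytes) -> str:
    """'der' if data is exactly one complete DER SEQUENCE (what an HTTP CDP
    must serve), 'pem' if it is a PEM-armored CRL (what nginx ssl_crl reads),
    otherwise 'unknown' (for example an HTML error page from the web server)."""
    if PEM_CRL_RE.search(data):
        return "pem"
    total = der_sequence_length(data)
    if total is not None and total == len(data):
        return "der"
    return "unknown"


def pem_crl_to_der(data: bytes) -> bytes:
    """Unwrap the first PEM CRL block into DER. Raises ValueError if the body
    is not valid base64 or does not decode to one complete DER SEQUENCE."""
    m = PEM_CRL_RE.search(data)
    if not m:
        raise ValueError("no PEM X509 CRL block found")
    der = base64.b64decode(b"".join(m.group(1).split()), validate=True)
    if der_sequence_length(der) != len(der):
        raise ValueError("PEM body is not a complete DER SEQUENCE")
    return der
```

Run `classify_crl_bytes` on the bytes that `curl` returns for the CDP URL: a result of `pem` or `unknown` explains the OpenSSL error, and `pem_crl_to_der` gives the file to publish at the CDP while the PEM copy stays in the nginx `ssl_crl` file.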