
I am using Debian Linux on several machines with different services (Apache, Freeradius, etc.) together with a Windows Server 2008R2 CA. I install the CA certificate by downloading it to /usr/local/share/ca-certificates and then calling update-ca-certificates.

How can I keep the corresponding revocation list up to date too in order for the services to reject revoked client certificates? I found the fetch-crl utility, but couldn't find any examples of how to use it.

terminal
  • Do you want the crl to work on browsers? Firefox and Chrome will manage this themselves... – Zip Nov 09 '17 at 11:52
  • No, I want the CRL to be used by services like Apache or Freeradius for client certificate validation. – terminal Nov 09 '17 at 13:07
  • There is no system facility that updates crls automatically, nor could it support all services. A suggestion would be to create a simple bash script to download a crl periodically and perform the required adaptations according to the way your services are configured (I can hardly even assume the paths where your configs point at). Such a script can run scheduled on from. Add your services configurations related to certificate verification and I may be able to provide you with a template of such script. – Zip Nov 09 '17 at 17:34
  • I was hoping there would be a framework in Debian like for the root CAs (i.e. /usr/local/share/ca-certificates + update-ca-certificates). Also I was hoping there would be a utility (fetch-crl?) that can parse the distribution points in certificates and download them depending on the URL. However, it seems like I have to roll my own solution. Thanks for the help (I can't upvote as it is not an answer but a comment)! – terminal Nov 10 '17 at 09:16
  • You can use fetch-crl in your script, however its input will not be the certificates themselves, so you still need to do some work parsing certs. Someone may still have a solution for you, leave your answer upvote to him and also you will be able to upvote a comment later... – Zip Nov 10 '17 at 09:50
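One way to implement the periodic download-and-validate script Zip suggests, as an added example that is not part of this thread: the script refuses to install a CRL that is not signed by the trusted CA or whose nextUpdate has already passed, so a bad download can never replace a working CRL. The CA path, CRL URL, destination path and service reload commands are placeholders to adapt to your own setup.

```shell
#!/bin/sh
# Added example: periodic CRL refresh for services such as Apache or FreeRADIUS.
# All paths, the CRL URL and the reload commands below are placeholders to adapt.
set -eu

CA_CERT="${CA_CERT:-/usr/local/share/ca-certificates/corp-ca.crt}"      # placeholder
CRL_URL="${CRL_URL:-http://pki.example.internal/CertEnroll/corp-ca.crl}" # placeholder
CRL_DEST="${CRL_DEST:-/etc/ssl/crl/corp-ca.crl.pem}"                      # placeholder

# install_crl SRC CA DEST: validate a downloaded CRL (DER or PEM) and replace the
# installed one. Returns 1 (unparseable), 2 (not signed by CA), 3 (already expired)
# and leaves the previous CRL untouched on any failure.
install_crl() {
    src="$1"; ca="$2"; dest="$3"
    pem="$(mktemp)"
    # Windows CAs publish DER; convert to PEM, which Apache and FreeRADIUS expect.
    if ! openssl crl -inform DER -in "$src" -out "$pem" 2>/dev/null; then
        openssl crl -inform PEM -in "$src" -out "$pem" 2>/dev/null || { rm -f "$pem"; return 1; }
    fi
    # Signature check against the trusted CA: never install a substituted CRL.
    # Older openssl prints "verify failure" but still exits 0, so test the text.
    out="$(openssl crl -in "$pem" -CAfile "$ca" -noout 2>&1 || true)"
    case "$out" in *"verify OK"*) ;; *) rm -f "$pem"; return 2 ;; esac
    # Freshness check: an expired CRL means the download source itself is stale.
    next="$(openssl crl -in "$pem" -noout -nextupdate | cut -d= -f2)"
    if [ "$(date -d "$next" +%s)" -le "$(date +%s)" ]; then rm -f "$pem"; return 3; fi
    install -m 0644 "$pem" "$dest.new" && mv -f "$dest.new" "$dest"   # rename is atomic
    rm -f "$pem"
}

# refresh_crl: download, validate, install, then make the services reread it.
refresh_crl() {
    tmp="$(mktemp)"
    # Download to a temp file so a failed fetch never clobbers the working CRL.
    curl -fsS --max-time 60 -o "$tmp" "$CRL_URL" || { rm -f "$tmp"; return 1; }
    if install_crl "$tmp" "$CA_CERT" "$CRL_DEST"; then rc=0; else rc=$?; fi
    rm -f "$tmp"
    [ "$rc" -eq 0 ] || return "$rc"
    # Services only reread a CRL when reloaded (commands are assumptions for this example).
    systemctl reload apache2 2>/dev/null || true
    systemctl restart freeradius 2>/dev/null || true
}

# Run from cron, e.g. hourly:  0 * * * * root /usr/local/sbin/refresh-crl.sh --run
if [ "${1:-}" = "--run" ]; then refresh_crl; fi
```

Pick a cron interval shorter than the CA's CRL publication period so the installed CRL never reaches its nextUpdate before a fresh one lands.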

0 Answers