Saturday, May 16, 2015

ssl - Apache 2.2.14: SSLCARevocation location

I am installing a .crl in my apache config. It looks like this:



<VirtualHost default>
    DocumentRoot "web"
    ServerName example.com

    SSLEngine on

    SSLCertificateFile "cert.crt"
    SSLCertificateKeyFile "key.key"
    SSLCertificateChainFile "cert.ca-bundle"

    SSLProtocol -all +SSLv3
    SSLCipherSuite SSLv3:+HIGH:+MEDIUM

    <Directory>
        Order deny,allow
        Allow from all

        SSLCACertificateFile "ClientRootCert.crt"

        SSLVerifyClient require
        SSLVerifyDepth 3

        SSLCARevocationFile "CRLList.crl"
    </Directory>
</VirtualHost>



When Apache is started, I get the error:



SSLCARevocationFile not allowed here




When I place SSLCARevocationFile above the Directory tag, Apache starts, but all client certs are rejected with the message:



ssl_error_expired_cert_alert (both revoked and active certs)



How to solve this?
