Hello colleagues!

I need help with revocation of a client certificate in OpenSSL (v 0.9.8n).

I have set up a CA with a self-signed certificate so I can generate and sign
client certificates, which are used to access squid, which in turn forwards
traffic to an Exchange server.

In the squid.conf file there is this line, which is responsible for asking for
the client certificate:

##

clientca=/root/sslCA/cacert.pem capath=/root/sslCA

##

/root/sslCA/cacert.pem is the CA certificate.

I also created a crl.pem in /root/sslCA/crls/ for certificate revocation.

The situation is as follows:

If a client connects without having a client certificate installed, it gets an
error (Error code: ssl_error_handshake_failure_alert), and no connection is
established.

If the certificate generated with the OpenSSL CA is installed on the client,
then it can connect to the server.

So far so good.

Now I want to disallow one client from connecting to the server.

I revoke the certificate:

# openssl ca -revoke username.crt
Using configuration from /etc/ssl/openssl.cnf
Enter pass phrase for /root/sslCA/private/cakey.pem:
Revoking Certificate 1003.
Data Base Updated

Update the CRL:

# openssl ca -gencrl -out /root/sslCA/crls/crl.pem
Using configuration from /etc/ssl/openssl.cnf
Enter pass phrase for /root/sslCA/private/cakey.pem:

I check to see if the certificate is revoked:

# openssl crl -in /root/sslCA/crls/crl.pem -noout -text
Certificate Revocation List (CRL):
        Version 2 (0x1)
        Signature Algorithm: xxxxxx
        Issuer: xxxxxx
        Last Update: Oct  1 22:04:24 2012 GMT
        Next Update: Sep 29 22:04:24 2022 GMT
        CRL extensions:
            X509v3 CRL Number:
                4098
Revoked Certificates:
    Serial Number: 1003
        Revocation Date: Oct  1 22:02:32 2012 GMT

It shows that certificate 1003 is revoked.

Now I try to connect to the server with this client's certificate, and the
connection is established just fine. How is this possible???

I thought that if you revoke a certificate it won't be accepted by the CA
anymore, but in my case it is accepted even though the CA shows the
certificate's status as revoked.

How can I prohibit/invalidate the certificate of the client so it cannot
connect to the server anymore?

Thank you in advance for any helpful suggestions.

Yuriy
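As an added example (not code from the original post, nor from the OpenSSL or squid projects), the following shell script reproduces the whole sequence above with a throw-away CA and then runs `openssl verify` twice against the revoked certificate: once the way a verifier that has only the CA certificate behaves, and once with the CRL loaded and `-crl_check` set. It assumes only the openssl command-line tool; the directory layout, the openssl.cnf, and the names (Demo CA, alice, serial 1000) are constructed for this example.

```shell
#!/bin/sh
# Added example, not part of the original post: build a throw-away CA, issue
# one client certificate, revoke it, publish a CRL, and show that OpenSSL keeps
# accepting the certificate until the verifier is told to consult the CRL.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CA="$WORK/sslCA"            # mirrors the /root/sslCA layout from the post
mkdir -p "$CA/private" "$CA/newcerts" "$CA/crls"
touch "$CA/index.txt"
echo 1000 > "$CA/serial"
echo 01   > "$CA/crlnumber"

# Minimal openssl.cnf (constructed here) so `openssl ca` knows where its
# database, serial file and signing key live.
cat > "$CA/openssl.cnf" <<EOF
[ ca ]
default_ca       = demo_ca

[ demo_ca ]
dir              = $CA
database         = \$dir/index.txt
new_certs_dir    = \$dir/newcerts
serial           = \$dir/serial
crlnumber        = \$dir/crlnumber
certificate      = \$dir/cacert.pem
private_key      = \$dir/private/cakey.pem
default_md       = sha256
default_days     = 365
default_crl_days = 30
policy           = demo_policy
x509_extensions  = client_ext

[ demo_policy ]
commonName       = supplied

[ client_ext ]
basicConstraints = CA:FALSE

[ req ]
distinguished_name = req_dn
x509_extensions    = ca_ext

[ req_dn ]
commonName       = Common Name

[ ca_ext ]
basicConstraints = critical,CA:TRUE
keyUsage         = critical,keyCertSign,cRLSign
EOF

# 1. Self-signed CA certificate and key (unencrypted so nothing prompts).
openssl req -config "$CA/openssl.cnf" -x509 -newkey rsa:2048 -nodes \
    -subj "/CN=Demo CA" -days 365 \
    -keyout "$CA/private/cakey.pem" -out "$CA/cacert.pem" 2>/dev/null

# 2. Client key + CSR, signed by the CA; the serial is recorded in index.txt.
openssl req -config "$CA/openssl.cnf" -new -newkey rsa:2048 -nodes \
    -subj "/CN=alice" -keyout "$WORK/client.key" -out "$WORK/client.csr" 2>/dev/null
openssl ca -config "$CA/openssl.cnf" -batch -notext \
    -in "$WORK/client.csr" -out "$WORK/client.crt" 2>/dev/null

# 3. Revoke the certificate and regenerate the CRL, as in the post.
openssl ca -config "$CA/openssl.cnf" -revoke "$WORK/client.crt" 2>/dev/null
openssl ca -config "$CA/openssl.cnf" -gencrl -out "$CA/crls/crl.pem" 2>/dev/null

# A CRL is only consulted if the verifier actually loads it. Appending it to
# the trusted-CA file works on every OpenSSL version, 0.9.8 included.
cat "$CA/cacert.pem" "$CA/crls/crl.pem" > "$WORK/ca_and_crl.pem"

# Same check the post makes: does the CRL list the client's serial number?
crl_lists_client() {
    serial=$(openssl x509 -in "$WORK/client.crt" -noout -serial | sed 's/^serial=//')
    openssl crl -in "$CA/crls/crl.pem" -noout -text | grep -q "Serial Number: $serial"
}

# Verifier that never loads the CRL, which is what a server given only the CA
# certificate does. Exits 0 (accepted) even though the cert is revoked.
verify_without_crl() {
    openssl verify -CAfile "$CA/cacert.pem" "$WORK/client.crt" >/dev/null 2>&1
}

# Verifier with the CRL loaded and CRL checking enabled. Exits non-zero
# (OpenSSL error 23, "certificate revoked").
verify_with_crl() {
    openssl verify -crl_check -CAfile "$WORK/ca_and_crl.pem" "$WORK/client.crt" >/dev/null 2>&1
}

crl_lists_client && echo "CRL lists the client certificate as revoked"
verify_without_crl && echo "without CRL check: revoked certificate ACCEPTED (the post's situation)"
verify_with_crl || echo "with -crl_check and the CRL loaded: revoked certificate REJECTED"
```

The point the script makes is that revocation is enforced by the party verifying the certificate, not by the CA: `openssl ca -revoke` only updates the CA's own database, and a CRL that the TLS server never loads is never consulted. OpenSSL ignores CRLs entirely unless the verifier sets the CRL-check flag (`-crl_check` on the command line, `X509_V_FLAG_CRL_CHECK` in the API), and with a `capath=` directory it only finds a CRL stored under the issuer's hash name with an `.r0` suffix (the hash comes from `openssl crl -hash`), which a file at /root/sslCA/crls/crl.pem is not. On OpenSSL 1.0.0 and later, `openssl verify` also accepts `-CRLfile` instead of the concatenated file used above. For squid itself, the `https_port` directive takes `crlfile=` to name the CRL and `sslflags=VERIFY_CRL` to make it check the client certificate against it.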
