Validating client certificate against CRL

Hi,
My Nginx is setup for Mutual SSL and it works well for the below
nginx
configuration.
Hierarchy of certificates is RootCA
******************************** |
******************************** V
************************** IntermediateCA
******************************** |
******************************** V
***********************ClientCert ServerCert

    listen       80;
    listen 443 ssl;
    server_name localhost;

   ssl_certificate serverCert.pem;
   ssl_certificate_key serverKey.key;
   ssl_client_certificate RootCA.pem;
   ssl_verify_client on;
   ssl_verify_depth 2;

But If I add ‘ssl_crl RootCACRL.pem’ or ‘ssl_crl IntermediateCRL.pem’ to
above configuration, I see the below error. By the way, RootCACRL.pem
and
IntermediateCRL.pem files doesn’t have any revoked certificates.

                                                       400 Bad 

Request

                                                   The SSL 

certificate
error

nginx/1.6.2

Can you please help me in this.

Regards,
Sandeep

Posted at Nginx Forum:
http://forum.nginx.org/read.php?2,255448,255448#msg-255448

Hello!

On Thu, Dec 11, 2014 at 02:03:35PM -0500, sandeepkolla99 wrote:

But If I add ‘ssl_crl RootCACRL.pem’ or ‘ssl_crl IntermediateCRL.pem’ to
above configuration, I see the below error. By the way, RootCACRL.pem and
IntermediateCRL.pem files doesn’t have any revoked certificates.

400 Bad Request

The SSL certificate error

nginx/1.6.2

The “ssl_crl” should contain CRLs for all certificates in the
chain, that is, both RootCA and IntermediateCA in your case.
There should be a message in the error log (at “info” level)
explaining what’s wrong.

Just combining IntermediateCRL.pem and RootCACRL.pem into a single
file and using it in the “ssl_crl” directive should fix this.


Maxim D.
http://nginx.org/

We’re in a similiar situation, but with many intermediate CAs and root
CAs
for all the possible client certificates we accept.
We have all of these concatenated into a single file for the
ssl_client_certificate directive.

We have CRLs for some of these and not for others.

Is there any way we configure nginx so it will honour the ones we have,
without requiring us to have a CRL for all of them?
We’ve tried combining the ones we have into a single file, and using
that in
the ssl_crl directive, but it still gives us a 400 Bad Request error.

With apache we were able to specify the directory they are all in, and
have
it process the ones we have.

Posted at Nginx Forum:
http://forum.nginx.org/read.php?2,255448,257227#msg-257227

This forum is not affiliated to the Ruby language, Ruby on Rails framework, nor any Ruby applications discussed here.

| Privacy Policy | Terms of Service | Remote Ruby Jobs