Absent Member.

CA Certificate Authority CRL Distribution Points hel


I am far from an SSL certificate expert but I generally understand how everything works since we have to manually re-key the servers yearly.

Here is my problem. The default CRL distribution points don't seem to work. My CA has moved to a new server, it is up and running with the original key imported that doesn't expire for a long time. I have a CRL created which is recreating itself automatically and the file exists where it is set to be created. /var/opt/novell/eDirectory/data/dib/SYS:apache2/htdocs/crl

This is on the latest version of an OES 11 server hosting my CA.

Now, since mine are set to the defaults -
ldap://localCAIP:389/CN=CRL_1,CN=CRL_1 - Configuration,CN=CRL Container,CN=Security
ldap://server2.domain.com:389/CN=CRL_1,CN=CRL_1 - Configuration,CN=CRL Container,CN=Security

I assume that the LDAP ones will not work as LDAP is set to only accept TLS, which would require ldaps: 636 port. You seem to specify LDAPS(636) as a CRL distribution point. So I assume I should delete the two LDAP entries.

So that leaves HTTP as the option for handing out the CRL to other servers that need to verify their certificates. The problem is that apparently the defaults do not work. /var/opt/novell/eDirectory/data/dib/SYS:apache2/htdocs/crl/CRL_1.crl does not correspond to http://localCAIP:80/crl/CRL_1.crl. Otherwise, I'd assume that I would be able to enter it into a web browser and get some positive response vs a URL not found error.

Here is my rudimentary problem/question - what location do I need to copy the CRL to in order to refer to it as http://localCAIP:80/crl/CRL_1.crl? I'd assume a sub-container of the location of the welcome page but I could use a swift kick to the cranium to get the distribution point to work from the CA server. Then I can script the copy of the new CRL to that location.

Until then all my certificates on other servers that need to be rekeyed, validated, and then copied using the nice Cool Solutions script are on hold.

Please help me understand where I can host my CRL on the local OES 11 server with Apache2 and refer to it via URL. Thank you.
3 Replies
Knowledge Partner

Re: CA Certificate Authority CRL Distribution Points hel

Working backward:

What service is binding TCP 80? I presume Apache httpd, but I do not know
that, or have an OES 11 box that is likely to be configured like yours.
Which services do you have on yours that may use HTTP?

If you find what is bound (if anything) to TCP 80, for example using the
following command:

ss -planeto | grep :80 | grep 'LISTEN '

then next you can look at that service's configuration to see where it may
look for files, specifically for a /crl directory when accessed as the
'localCAIP' server. If this is just normal Apache httpd stuff, I'd look
under /srv/www/htdocs for the 'crl' directory and the contained CRL_1.crl
file. SLES uses this location (/srv/www/htdocs) as the DocumentRoot by
default, so URLs are relative to that location.

If something else is listening on TCP 80, then we'll need to figure out
where it looks for files in a similar way.

While doing that, which applications do you have that actually check CRLs?

Good luck.

If you find this post helpful and are logged into the web interface,
show your appreciation and click on the star below...
Absent Member.

Re: CA Certificate Authority CRL Distribution Points hel

Thanks, this is a default OES 11 setup with the Novell welcome page still in place. So I used the information that /srv/www/htdocs is actually utilized by Apache, even though there is no index.html there and the Novell welcome pages are located elsewhere. I created a crl directory under /srv/www/htdocs, copied the crl file there and set the correct access rights. Now the URL works and can be used as a CRL distribution point.

The iManager certificate manager uses the CRL to confirm the validity of the certificates. Otherwise, it throws a CRL decode error. So by having a valid CRL distribution point certificates are able to be validated.

I appreciate the help in pointing out that /srv/www/htdocs is indeed active even though the welcome page isn't hosted there.

It seems like this should be set up to work immediately after installation. We shouldn't have to manually create this folder and make a script to copy the file over.
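The copy step the original poster wanted to script, as an added example that is not from the thread or from Novell/Micro Focus: it maps the path part of the HTTP CDP URL onto the Apache DocumentRoot identified above, refuses files that are not PEM or DER CRLs, and publishes atomically with modes Apache can read. The CRL source path, DocumentRoot and CDP URL are the values quoted in the thread; on another box they are assumptions to change.

```shell
#!/bin/sh
# Publish the eDirectory-generated CRL where the HTTP CRL distribution point
# in the certificates actually points. Paths below are the ones from the thread.

# Turn a CDP URL into the file Apache would serve for it under DocumentRoot.
# e.g. /srv/www/htdocs + http://localCAIP:80/crl/CRL_1.crl -> /srv/www/htdocs/crl/CRL_1.crl
cdp_to_path() {
    docroot=$1; url=$2
    path=${url#*://}          # drop the scheme
    path=/${path#*/}          # drop host[:port], keep the leading slash
    printf '%s%s\n' "${docroot%/}" "$path"
}

# Cheap format check before publishing: PEM header or a DER SEQUENCE (0x30).
looks_like_crl() {
    f=$1
    if head -n1 "$f" | grep -q '^-----BEGIN X509 CRL-----'; then
        return 0
    fi
    [ "$(od -An -tx1 -N1 "$f" | tr -d ' ')" = "30" ]
}

# publish_crl SRC DOCROOT CDP_URL
# Copies SRC to the path the URL resolves to, dir 0755 / file 0644, via a
# temp file so a client never downloads a half-written CRL. Prints the SHA-256
# of the published file so it can be compared with what the URL returns.
publish_crl() {
    src=$1; docroot=$2; url=$3
    dst=$(cdp_to_path "$docroot" "$url")
    if ! looks_like_crl "$src"; then
        echo "refusing to publish $src: not a PEM or DER CRL" >&2
        return 1
    fi
    install -d -m 0755 "$(dirname "$dst")"
    install -m 0644 "$src" "$dst.tmp" && mv -f "$dst.tmp" "$dst"
    sha256sum "$dst" | cut -d' ' -f1
}

# Run from cron with the thread's paths, e.g.:
#   publish_crl.sh /var/opt/novell/eDirectory/data/dib/SYS:apache2/htdocs/crl/CRL_1.crl \
#                  /srv/www/htdocs http://localCAIP:80/crl/CRL_1.crl
if [ $# -eq 3 ]; then
    publish_crl "$1" "$2" "$3"
fi
```

Comparing the printed hash with `curl -s http://localCAIP:80/crl/CRL_1.crl | sha256sum` confirms the CDP is serving the file just published rather than a stale or missing one.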

Absent Member.

Re: CA Certificate Authority CRL Distribution Points hel

If you don't mind my asking, how did you get the CRL_1.crl file created in the first place? My CA expires Friday, we've been working on this issue for about two weeks now scouring the forums & documentation trying to figure out what we are doing wrong. I've deleted the CA and the crl info from eDirectory, when I use the wizard to create a new CA the wizard completes however I never see any file CRL_1.crl created *anywhere*...

So far the only luck I have to get valid certificates is to create a new CA and *not* use the default answer when creating it, thus allowing me to de-select the CRL creation at the last step. I can then go in and repair default certificates for all my servers and they show valid.

Considering I have figured out how to get valid certificates, I almost wonder if I shouldn't just leave well enough alone, but I'd sure like to have the ability to revoke a cert (for what little out there that pays attention to it) if necessary. I just cannot seem to get the wizard to create the file in the first place for me to move to the proper spot.

Seems like Micro Focus (Novell) has a bit more work to do on this aspect of certificate management.

Never share a foxhole with anyone braver than yourself.