search for: crl

Displaying 20 results from an estimated 355 matches for "crl".

2009 Nov 04
2
Certificates Revocation Lists and Apache...
...so far (used a tutorial on http://www.adone.info/?p=4, down right now). I have a "CA" that is signing a "CA SSL". Then, the "CA SSL" is signing the clients certificates. Now, I am testing Certificate Revocation Lists, but apache keeps saying: "Invalid signature on CRL" I used: $ openssl ca -config openssl.conf -name CA_ssl_default -revoke cassl/$CLIENTNAME.pem Using configuration from openssl.conf Enter pass phrase for cassl/private/cassl.key: Revoking Certificate 02. Data Base Updated $ openssl ca -config openssl.conf -name CA_ssl_default -genc...
2009 Mar 13
1
how to handle CA CRL updates with client certificate verification context ?
Hello, As far as I can read in the Dovecot SSL configuration wiki page, each CA cert must be followed by the related CA CRL in the client certificate verification context ("ssl_ca_file" setting). In my company we do have our own PKI and as soon as Client certificate is compromised we do revoke it and update the related CA's CRL. Does that mean that I have to issue a new "ssl_ca_file" file as s...
2023 Jul 19
1
Samba 4 AD SmartCard Authentication Problem
Unfortunately this does not work. Example: Yes, when I give it a few days, the client will retrieve the actual crl faster. But the auth still works. I have tried it. I revoked a cert. Installed a new win10 client and joined the domain. After login with the revoked p12 cert on a yubikey, I can see he queries the CDP and still allows the login. With certutil and a cert in DER format, I tried this: certutil...
2017 Sep 21
2
Revocation with CRL doesn't work for smartcards
Hi, I have a smartcard which is revoked in the Certificate Revocation List (CRL) but I can still login. Seems like the CRL check is not performed. Any known bug around this? Server setup: - Samba 4.4 on Debian as AD DC - Created domain MYDOM - smb.conf (extract): tls enabled = yes tls crlfile = tls/mycrl.pem (default is to look under private/ folder) Client setup: -...
2009 Jul 30
1
Dovecot with SSL Client Certification
...ty Ltd]:Ebalaskas.Gr # Organizational Unit Name (eg, section) []:Mail Apps # Common Name (eg, YOUR name) []:myhome # Email Address []:ebalaskas at ebalaskas.gr openssl pkcs12 -export -in dovecot.crt -inkey dovecot.key \ -name "dovecot Certificate Client" -out dovecot.p12 openssl ca -gencrl -keyfile dovecot.key -cert dovecot.crt -out dovecot.crl -selfsign I've imported the dovecot.p12 to thunderbird certificates and dovecot.crt to thunderbird authorities (i've tried claws mail too - same errors) My dovecot.conf is this: [root at myhome dovecot]# dovecot -n # 1.2.2: /usr/loc...
2019 Jun 16
2
Self-signed TLS client certificates
...S client certificate instead of a password. So I searched and found this wiki page: <https://wiki2.dovecot.org/SSL/DovecotConfiguration#Client_certificate_verification.2Fauthentication> But that Wiki page says: > The CA file should contain the certificate(s) followed by the matching > CRL(s). Note that the CRLs are required to exist. I have now messed three hours or so with OpenSSL to get a CRL generated for my self-signed certificate, but I can't get that to work (the problem apparently being that OpenSSL doesn't play well with private keys on smartcards). It doesn't...
2017 Sep 21
2
Revocation with CRL doesn't work for smartcards
...[kdc] section though, I can try again. On 21 Sep 2017 20:54, "Andrew Bartlett" <abartlet at samba.org> wrote: > On Thu, 2017-09-21 at 13:01 +0200, Peter L via samba wrote: > > Hi, > > I have a smartcard which is revoked in the Certificate Revocation List > > (CRL) but I can still login. Seems like the CRL check is not performed. > Any > > known bug around this? > > > > Server setup: > > - Samba 4.4 on Debian as AD DC > > - Created domain MYDOM > > - smb.conf (extract): > > tls enabled = yes > > tls...
2014 Dec 22
4
[Bug 2328] New: Per-user certificate revocation list (CRL) in authorized_keys
https://bugzilla.mindrot.org/show_bug.cgi?id=2328 Bug ID: 2328 Summary: Per-user certificate revocation list (CRL) in authorized_keys Product: Portable OpenSSH Version: 6.7p1 Hardware: Other OS: Linux Status: NEW Severity: enhancement Priority: P5 Component: sshd Assignee: unassigned-bugs at m...
2015 Feb 16
2
/etc/ssl/certs/dovecot.pem erased by OpenSuse's update mechanism
...cot certs. Dovecot's needs are a bit different from other software, and so it is unclear whether the files won't be unique to it. For example, I haven't seen the following before I read it on the Dovecot wiki: "The CA file should contain the certificate(s) followed by the matching CRL(s). Note that the CRLs are required to exist. For a multi-level CA place the certificates in this order: Issuing CA cert Issuing CA CRL Intermediate CA cert Intermediate CA CRL Root CA cert Root CA CRL" On 2015/2/16 06:42, Wolfgang Gross wrote: > On 16 Feb 2015 a...
2013 Nov 01
1
HELP!!! puppet-enterprise-3.1.0-el-6-i386 master/agent test fails
...6-i386]# puppet agent --test Info: Caching certificate for Info: Caching certificate_revocation_list for ca Warning: Unable to fetch my node definition, but the agent run will continue: Warning: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [CRL is not yet valid for /CN=hostname Info: Retrieving plugin Error: /File[/var/opt/lib/pe-puppet/lib]: Failed to generate additional resources using ''eval_generate'': SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [CRL is not yet...
2023 Jul 20
1
Samba 4 AD SmartCard Authentication Problem
...Which option must be in the krb5.conf? I have tried kdc_pkinit_revoke and pkinit_revoke. Both have no effect. On 19.07.2023 at 14:27, Hans Schulze via samba wrote: > Unfortunately this does not work. > > Example: Yes, when I give it a few days, the client will retrieve the > actual crl faster. But the auth still works. > > I have tried it. I revoked a cert. Installed a new win10 client and > joined the domain. After login with the revoked p12 cert on a yubikey, > I can see he queries the CDP and still allows the login. > > With certutil and a cert in DER form...
2013 Apr 07
1
ssl_require_crl does not work as expected
Hi I'm trying to use dovecot with client certificates. We produce our certificates with our own CA and we do NOT use certificate revocation lists. So I put "ssl_require_crl = no" into 10-ssl.conf. I did not find a solution neither in the wiki nor somewhere else, so I finally started to read the source. My impression is that openssl will always try to use CRLs. If "ssl_require_crl = no" dovecot will use CRLs but tries to ignore openssl error codes X509_...
2015 Feb 17
0
/etc/ssl/certs/dovecot.pem erased by OpenSuse's update mechanism
On 2015/2/16 16:28, Jochen Bern wrote: > On 02/16/2015 04:23 PM, Reindl Harald wrote: >>> "The CA file should contain the certificate(s) followed by the >>> matching CRL(s). Note that the CRLs are required to exist. For a >>> multi-level CA place the certificates in this order: >>> >>> Issuing CA cert >>> Issuing CA CRL >>> Intermediate CA cert >>> Intermediate CA CRL >>> Root C...
2017 Sep 21
0
Revocation with CRL doesn't work for smartcards
...in. > > On 21 Sep 2017 20:54, "Andrew Bartlett" <abartlet at samba.org> wrote: > > > On Thu, 2017-09-21 at 13:01 +0200, Peter L via samba wrote: > > > Hi, > > > I have a smartcard which is revoked in the Certificate Revocation > > > List (CRL) but I can still login. Seems like the CRL check is not > > > performed. > > Any > > > known bug around this? > > > > > > Server setup: > > > - Samba 4.4 on Debian as AD DC > > > - Created domain MYDOM > > > - smb.conf (extract):...
2006 May 11
0
mandatory client certificates and crl check in ssl-proxy-openssl.c
hello, I made a modification to ssl-proxy-openssl.c (patch attached) so that it a) disconnects when no client certificate is presented b) checks the client certificate against the crl for our root cert. (so you can't use a revoked client cert.) c) returns the CommonName from the client cert. in ssl_proxy_get_peer_name (this way it's easier to use dovecot as imap-proxy with a passwd-like userdb, ssl_require_client_cert and ssl_username_from_cert, it "binds"...
2019 Jun 16
0
Self-signed TLS client certificates
...> But that Wiki page says: > The CA file should contain the certificate(s) followed by the matching > CRL(s). Note that the CRLs are required to exist. I have now messed three hours or so with OpenSSL to get a CRL generated for my self-signed certificate, but I can't get that to work (the ...
2017 Sep 22
2
Revocation with CRL doesn't work for smartcards
...p. 2017 20:54, "Andrew Bartlett" <abartlet at samba.org> wrote: > > > > > On Thu, 2017-09-21 at 13:01 +0200, Peter L via samba wrote: > > > > Hi, > > > > I have a smartcard which is revoked in the Certificate Revocation > > > > List (CRL) but I can still login. Seems like the CRL check is not > > > > performed. > > > Any > > > > known bug around this? > > > > > > > > Server setup: > > > > - Samba 4.4 on Debian as AD DC > > > > - Created domain MYDOM &g...
2015 Feb 16
1
/etc/ssl/certs/dovecot.pem erased by OpenSuse's update mechanism
Thanks for the note. I had never seen anything in the postfix and apache documentation that the CRLs could be intermingled with the CRTs in the CRT file. The documentation for those programs suggests putting the CRLs in a separate file (e.g. apache SSLCARevocationFile) or doesn't talk about putting CRLs in with the certs (e.g. postfix smtpd_tls_cert_file). If it works to put them all in one f...
2006 Aug 11
0
SSL CRL checking
Is there a reason that CRL is required to exist in the ssl_ca_file? Could it just use it only if it's there, but otherwise ignore it? Or is this a bad idea? Is it even possible at all to tell that to OpenSSL? -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: applicat...
2023 Jul 14
1
Samba 4 AD SmartCard Authentication Problem
...and intermediate ca? I followed the HowTo from the Samba Wiki, but there is only explained how you use with only a root ca. Then I tried it myself. I created an intermediate ca and some certs for the dc and user. But, I always ran into: NT_STATUS_PKINIT_FAILURE Yes, I have paid attention to the CRL Distribution Points and that also the clients have connection to them. But the authentication fails. With log level = 9 I found this... |../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper) Kerberos: PKINIT request but PKINIT not enabled | Is there another Trigger to ena...