search for: crl

...so far (used a tutorial on http://www.adone.info/?p=4, down right now). I have a "CA" that is signing a "CA SSL". Then, the "CA SSL" is signing the clients certificates. Now, I am testing Certificate Revocation Lists, but apache keeps saying: "Invalid signature on CRL" I used: $ openssl ca -config openssl.conf -name CA_ssl_default -revoke cassl/$CLIENTNAME.pem Using configuration from openssl.conf Enter pass phrase for cassl/private/cassl.key: Revoking Certificate 02. Data Base Updated $ openssl ca -config openssl.conf -name CA_ssl_default -genc...

Hello, As far as I can read in the Dovecot SSL configuration wiki page, each CA cert must be followed by the related CA CRL in the client certificate verification context ("ssl_ca_file" setting). In my company we do have our own PKI and as soon as Client certificate is compromised we do revoke it and update the related CA's CRL. Does that mean that I have to issue a new "ssl_ca_file" file as s...

Unfortunately this does not work. Example: Yes, when i give it a few Days, the client will retrieve the actual crl faster. But the auth still works. I have tried it. I revoked an cert. Installed a new win10 client and joined the domain. After login with the revoked p12 cert on a yubikey, i can see he queries the CDP and still allows the login. With certutil and a cert in DER format, i tried this: certutil...

Hi, I have a smartcard which is revoked in the Certificate Revocation List (CRL) but I can still login. Seams like the CRL check is not performed. Any known bug around this? Server setup: - Samba 4.4 on Debian as AD DC - Created domain MYDOM - smb.conf (extract): tls enabled = yes tls crlfile = tls/mycrl.pem (default is to look under private/ folder) Client setup: -...

...ty Ltd]:Ebalaskas.Gr # Organizational Unit Name (eg, section) []:Mail Apps # Common Name (eg, YOUR name) []:myhome # Email Address []:ebalaskas at ebalaskas.gr openssl pkcs12 -export -in dovecot.crt -inkey dovecot.key \ -name "dovecot Certificate Client" -out dovecot.p12 openssl ca -gencrl -keyfile dovecot.key -cert dovecot.crt -out dovecot.crl -selfsign I've imported the dovecot.p12 to thunderbird certificates and dovecot.crt to thunderbird authorities (i've tried claws mail too - same errors) My dovecot.conf is this: [root at myhome dovecot]# dovecot -n # 1.2.2: /usr/loc...

...S client certificate instead of a password. So I searched and found this wiki page: <https://wiki2.dovecot.org/SSL/DovecotConfiguration#Client_certificate_verification.2Fauthentication> But that Wiki page says: > The CA file should contain the certificate(s) followed by the matching > CRL(s). Note that the CRLs are required to exist. I have now messed three hours or so with OpenSSL to get a CRL generated for my self-signed certificate, but I can't get that to work (the problem appearently being that OpenSSL doesn't play well with private keys on smartcards). It doesn't...

...[kdc] section though, I can try again. Den 21 sep. 2017 20:54 skrev "Andrew Bartlett" <abartlet at samba.org>: > On Thu, 2017-09-21 at 13:01 +0200, Peter L via samba wrote: > > Hi, > > I have a smartcard which is revoked in the Certificate Revocation List > > (CRL) but I can still login. Seams like the CRL check is not performed. > Any > > known bug around this? > > > > Server setup: > > - Samba 4.4 on Debian as AD DC > > - Created domain MYDOM > > - smb.conf (extract): > > tls enabled = yes > > tls...

https://bugzilla.mindrot.org/show_bug.cgi?id=2328 Bug ID: 2328 Summary: Per-user certificate revocation list (CRL) in authorized_keys Product: Portable OpenSSH Version: 6.7p1 Hardware: Other OS: Linux Status: NEW Severity: enhancement Priority: P5 Component: sshd Assignee: unassigned-bugs at m...

...cot certs. Dovecot's needs are a bit different from other software, and so it is unclear whether the files won't be unique to it. For example, I haven't seen the following before I read it on the Dovecot wiki: "The CA file should contain the certificate(s) followed by the matching CRL(s). Note that the CRLs are required to exist. For a multi-level CA place the certificates in this order: Issuing CA cert Issuing CA CRL Intermediate CA cert Intermediate CA CRL Root CA cert Root CA CRL" On 2015/2/16 06:42, Wolfgang Gross wrote: > On 16 Feb 2015 a...

...6-i386]# puppet agent --test Info: Caching certificate for Info: Caching certificate_revocation_list for ca Warning: Unable to fetch my node definition, but the agent run will continue: Warning: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [CRL is not yet valid for /CN=hostname Info: Retrieving plugin Error: /File[/var/opt/lib/pe-puppet/lib]: Failed to generate additional resources using ''eval_generate'': SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [CRL is not yet...

...Which option must be in the krb5.conf? I have tried kdc_pkinit_revoke and pkinit_revoke. Both have no effect. Am 19.07.2023 um 14:27 schrieb Hans Schulze via samba: > Unfortunately this does not work. > > Example: Yes, when i give it a few Days, the client will retrieve the > actual crl faster. But the auth still works. > > I have tried it. I revoked an cert. Installed a new win10 client and > joined the domain. After login with the revoked p12 cert on a yubikey, > i can see he queries the CDP and still allows the login. > > With certutil and a cert in DER form...

Hi I'm trying to use dovecot with client certificates. We produce our certificates with our on CA and we do NOT use certificate revocation lists. So I put "ssl_require_crl = no" into 10-ssl.conf. I did not find a solution neither in the wiki nor somewhere else, so I finally started to read the source. My impression is that openssl will always try to use CRLs. If "ssl_require_crl = no" dovecot will use CRLs but tries to ignore openssl error codes X509_...

On 2015/2/16 16:28, Jochen Bern wrote: > On 02/16/2015 04:23 PM, Reindl Harald wrote: >>> "The CA file should contain the certificate(s) followed by the >>> matching CRL(s). Note that the CRLs are required to exist. For a >>> multi-level CA place the certificates in this order: >>> >>> Issuing CA cert >>> Issuing CA CRL >>> Intermediate CA cert >>> Intermediate CA CRL >>> Root C...

...in. > > Den 21 sep. 2017 20:54 skrev "Andrew Bartlett" <abartlet at samba.org>: > > > On Thu, 2017-09-21 at 13:01 +0200, Peter L via samba wrote: > > > Hi, > > > I have a smartcard which is revoked in the Certificate Revocation > > > List (CRL) but I can still login. Seams like the CRL check is not > > > performed. > > Any > > > known bug around this? > > > > > > Server setup: > > > - Samba 4.4 on Debian as AD DC > > > - Created domain MYDOM > > > - smb.conf (extract):...

hello, I made a modification to ssl-proxy-openssl.c (patch attached) zo that it a) disconnects when no client certificate is presented b) checks the client certificate against the crl for our root cert. (so you can't use a revoked client cert.) c) returns the CommonName from the client cert. in ssl_proxy_get_peer_name (this way it's easier to use dovecot as imap-proxy with a passwd-like userdb, ssl_require_client_cert and ssl_username_from_cert, it "binds"...

...gt; </div> <div> But that Wiki page says: </div> <div> <br> </div> <blockquote type="cite"> <div> The CA file should contain the certificate(s) followed by the matching </div> <div> CRL(s). Note that the CRLs are required to exist. </div> </blockquote> <div> I have now messed three hours or so with OpenSSL to get a CRL generated </div> <div> for my self-signed certificate, but I can't get that to work (the </div>...

...p. 2017 20:54 skrev "Andrew Bartlett" <abartlet at samba.org>: > > > > > On Thu, 2017-09-21 at 13:01 +0200, Peter L via samba wrote: > > > > Hi, > > > > I have a smartcard which is revoked in the Certificate Revocation > > > > List (CRL) but I can still login. Seams like the CRL check is not > > > > performed. > > > Any > > > > known bug around this? > > > > > > > > Server setup: > > > > - Samba 4.4 on Debian as AD DC > > > > - Created domain MYDOM &g...

Thanks for the note. I had never seen anything in the postfix and apache documentation that the CRLs could be intermingled with the CRTs in the CRT file. The documentation for those programs suggests putting the CRLs in a separate file (e.g. apache SSLCARevocationFile) or doesn't talk about putting CRLs in with the certs (e.g. postfix smtpd_tls_cert_file). If it works to put them all in one f...

Is there a reason that CRL is required to exist in the ssl_ca_file? Could it just use it only if it's there, but otherwise ignore it? Or is this a bad idea? Is it even possible at all to tell that to OpenSSL? -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: applicat...

...and intermediate ca? I followed the HowTo from the Samba Wiki, but there is only explained how you use with only a root ca. Then i tried it myself. I created a intermediate ca and some certs for the dc and user. But, i always ran into: NT_STATUS_PKINIT_FAILURE Yes, i have paid attention to the CRL Distribution Points and that also the clients have connection to them. But the authentication fails. With log level = 9 i found this... |../../source4/auth/kerberos/krb5_init_context.c:90(smb_krb5_debug_wrapper) Kerberos: PKINIT request but PKINIT not enabled | Is there another Trigger to ena...