On 02/16/2015 04:23 PM, Reindl Harald wrote:
"The CA file should contain the certificate(s) followed by the matching CRL(s). Note that the CRLs are required to exist. For a multi-level CA place the certificates in this order:
Issuing CA cert Issuing CA CRL Intermediate CA cert Intermediate CA CRL Root CA cert Root CA CRL"that is how you can and should build your PEM files for *every* SSL ^^^^^^^ aware software
NACK. I have set up CentOS 6 servers a little more than two years ago with that format used for dovecot and OpenVPN, including verification that the functionality was there. Last month we had a need to revoke a client's certs and it turned out that OpenVPN had silently stopped honoring the CRLs somewhere along the update path (dovecot still enforces them). I had to QuickFix the OpenVPN config from the above monolithic file over to a CApath
https://www.openssl.org/docs/ssl/SSL_CTX_load_verify_locations.html#notes
to successfully lock the disgraced client out.
Regards, J. Bern
*NEU* - NEC IT-Infrastruktur-Produkte im http://www.linworks-shop.de/: Server--Storage--Virtualisierung--Management SW--Passion for Performance Jochen Bern, Systemingenieur --- LINworks GmbH http://www.LINworks.de/ Postfach 100121, 64201 Darmstadt | Robert-Koch-Str. 9, 64331 Weiterstadt PGP (1024D/4096g) FP = D18B 41B1 16C0 11BA 7F8C DCF7 E1D5 FAF4 444E 1C27 Tel. +49 6151 9067-231, Zentr. -0, Fax -299 - Amtsg. Darmstadt HRB 85202 Unternehmenssitz Weiterstadt, Geschäftsführer Metin Dogan, Oliver Michel