On 2015/2/16 16:28, Jochen Bern wrote:

On 02/16/2015 04:23 PM, Reindl Harald wrote:

...

...

"The CA file should contain the certificate(s) followed by the matching CRL(s). Note that the CRLs are required to exist. For a multi-level CA place the certificates in this order:

 Issuing CA cert
 Issuing CA CRL
 Intermediate CA cert
 Intermediate CA CRL
 Root CA cert
 Root CA CRL"

that is how you can and should build your PEM files for *every* SSL ^^^^^^^ aware software

NACK. I have set up CentOS 6 servers a little more than two years ago with that format used for dovecot and OpenVPN, including verification that the functionality was there. Last month we had a need to revoke a client's certs and it turned out that OpenVPN had silently stopped honoring the CRLs somewhere along the update path (dovecot still enforces them). I had to QuickFix the OpenVPN config from the above monolithic file over to a CApath

https://www.openssl.org/docs/ssl/SSL_CTX_load_verify_locations.html#notes

to successfully lock the disgraced client out.

Regards, J. Bern OpenVPN has --crl-verify that takes a file as well as a directory. I guess what you're saying is that accepts, but silently ignores the CRLs if put in the cert file.

It would be nicest if all the software wanted things configured things the same way. Personally I like the way Dovecot does it, but having things be uniform would be even better. From my quick survey, a lot of the programs (or at least their documentation) doesn't support CRLs at all.

Postfix wants multiple certificates specified by different .cf entries (it appears to not support CRLs--at least they aren't mentioned in documentation):

smtpd_tls_cert_file
smtpd_tls_key_file
smtpd_tls_dcert_file
smtpd_tls_dkey_file
smtpd_tls_eccert_file
smptd_tls_eckey_file
smtpd_tls_CAfile

Apache2.4 wants

SSLCertificateFile
SSLCertificateKeyFile

repeated multiple times for different cert types. Making it worse, Apache2.4.8 wants the whole cert chain in the above, but earlier versions wanted SSLCertificateChainFile to have the non-leaf chain.

Courier IMAP SSL wants

TLS_CERTFILE

specifying a file containing both the certificate and private key catenated.

OpenVPN wants

ca certificate chain used for signing.pem
cert certificate.pem
key privatekey.pem
crl-verify crl.pem

OpenLDAP appears similar to OpenVPN with (appears not to support CRLs):

TLSCACertificatePath
TLSCertificateFile
TLSCertificateKeyFile

Racoon wants (appears not to support CRLs):

certificate_type x509 certfile keyfile
ca_type x509 ca.pem

But the man page doesn't talk about where the chain goes.

So it appears one should generate the following file formats to satisfy all the software out there:

1. cert standalone (OpenVPN, Racoon, OpenLDAP, Postfix, Apache 2.4.7 and earlier)
2. cert chain (Apache 2.4.8 and later)
3. cert ca crl chain (Dovecot)
4. ca chain (OpenVPN, Racoon?, OpenLDAP, Postfix, Apache 2.4.7 and earlier)
5. crl chain (OpenVPN)
6. cert, key catenation (Courier IMAP)

Getting all these configured the same way isn't going to happen, so I guess the next best thing would be a cookbook. Anyone know of one?

-Earl