Notes from 3/8/2010 troubleshooting CRL issues.
Users called and could not access the cobra web site.
They were using certificates issued by Verisign – specifically:
CN=VeriSign Client External Certification Authority – G2
I checked our page using the command:
openssl s_client -showcerts -connect usecobra.com:443 -prexit
and we were not accepting the VeriSign G2 cert on cobra.
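The s_client check above is the first thing the notes do: a server that asks for client certs prints the list of CA names it will accept, and that list is where a missing issuer shows up. The following is an added example, not part of the original notes, that pulls that list out of saved s_client output so it can be compared against an issuer CN. The sample output is constructed (it deliberately lists only a G1 issuer, so the G2 lookup fails the way the page describes), and the two DN spellings it recognizes (leading "/" for older OpenSSL, "C = US, ..." for newer) are an assumption about the output format, not something the page states.

```python
"""Find which client-CA names a TLS server advertised, from `openssl s_client`
output. Added example; not part of the original notes."""
import re
import sys

# Constructed sample of the tail of `openssl s_client -connect host:443 -prexit`
# output. The server lists the CAs it will accept client certs from; this sample
# omits the VeriSign G2 issuer on purpose to mirror the failure in the notes.
SAMPLE_S_CLIENT_OUTPUT = """\
---
Acceptable client certificate CA names
/C=US/O=U.S. Government/OU=ECA/CN=ECA Root CA 2
/C=US/O=U.S. Government/OU=ECA/OU=Certification Authorities/CN=VeriSign Client External Certification Authority - G1
---
SSL handshake has read 4721 bytes and written 447 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
"""

# Assumption: DN lines either start with "/" (OpenSSL 0.9.8/1.0 style, as on the
# page) or with "C = US, ..." (newer style). Anything else in the section
# (e.g. "Client Certificate Types:" on newer builds) is skipped.
_DN_LINE = re.compile(r"^(/|[A-Z]{1,2} = )")


def acceptable_ca_names(output):
    """Return the DN lines printed under 'Acceptable client certificate CA names'."""
    names = []
    collecting = False
    for line in output.splitlines():
        if line.startswith("Acceptable client certificate CA names"):
            collecting = True
            continue
        if not collecting:
            continue
        if line.startswith("---"):
            break  # end of the section
        line = line.strip()
        if _DN_LINE.match(line):
            names.append(line)
    return names


def server_accepts_issuer(output, issuer_cn):
    """True if a DN with exactly this CN appears in the advertised CA list."""
    wanted = (f"CN={issuer_cn}", f"CN = {issuer_cn}")
    return any(n.endswith(wanted) for n in acceptable_ca_names(output))


if __name__ == "__main__":
    # Usage:  openssl s_client -connect host:443 -prexit </dev/null 2>&1 | python3 ca_names.py - "ECA Root CA 2"
    if sys.argv[1:2] == ["-"]:
        text, cn = sys.stdin.read(), sys.argv[2]
    else:
        text, cn = SAMPLE_S_CLIENT_OUTPUT, "VeriSign Client External Certification Authority - G2"
    for name in acceptable_ca_names(text):
        print("advertised:", name)
    print("accepts", repr(cn), "->", server_accepts_issuer(text, cn))
```

Running it on the constructed sample prints the two advertised DNs and `accepts '... - G2' -> False`, which is the symptom the notes started from.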
So I went to the DISA webpage: https://crl.chamb.disa.mil/
NOTE: a quicker way to get the new cert is to cut and paste from the view screen after selecting a cert on the left and clicking View on the right side of the page.
This is an ASCII representation of the cert known as PEM format (as opposed to the DER format, which is binary, that you get when you use the download link).
For our purposes we want the PEM format ASCII file to put in our ca-bundle.txt
I like to put the PEM cert in a file by itself to verify it. I named this one verisign_ECA_G2.crt
Then I can run this to verify it and get the issuer / subject to put in the comments:
openssl x509 -inform PEM -in verisign_ECA_G2.crt -issuer -subject -noout
issuer= /C=US/O=U.S. Government/OU=ECA/CN=ECA Root CA 2
subject= /C=US/O=U.S. Government/OU=ECA/OU=Certification Authorities/CN=VeriSign Client External Certification Authority – G2
I edited ca-bundle.crt to add the comments at the top and then the cert.
I add the entry like this:
#############################################
#subject= /C=US/O=U.S. Government/OU=ECA/OU=Certification Authorities/CN=VeriSign Client External Certification Authority – G2
#issuer= /C=US/O=U.S. Government/OU=ECA/CN=ECA Root CA 2
-----BEGIN CERTIFICATE-----
MIIF7DCCBNSgAwIBAgIBCjANBgkqhkiG9w0BAQUFADBNMQswCQYDVQQGEwJVUzEY
MBYGA1UEChMPVS5TLiBHb3Zlcm5tZW50MQwwCgYDVQQLEwNFQ0ExFjAUBgNVBAMT
…
DUVDQSBSb290IENBIDIwHhcNMDgwNzAyMTQ0MTE4WhcNMTQwNzAxMTQ0MTE4WjCB
X158kXsnY2wvH2WdMMpHmj7GvikIw/tP/7w9/uwe6mE=
-----END CERTIFICATE-----
On Linux just restart the web server to make it take effect:
service httpd restart
On oracle it is a little more complicated:
Log in as oracle
. formsset
cd /ora/wallets
## Save off the wallet.p12 for backup
cp wallet.p12 wallet.p12.100308
Edit ca-bundle.crt as described above.
Run ./import_cert which will "recompile" the wallet.p12 by running this command:
/ora/10ias/Apache/Apache/bin/ssl2ossl -cert /ora/wallets/usecobra.com.crt -key /ora/wallets/usecobra.com.key -cafile /ora/wallets/ca-bundle.crt -wallet /ora/wallets
You will need the password for the wallet as well as the key to complete this command.
Note: if it fails, that means the cert you added is invalid, or you do not have the certs for all the parents up the chain of the issuer of that cert.
Then to restart the web server on Oracle Solaris run the following commands:
$ORACLE_HOME/opmn/bin/opmnctl status
$ORACLE_HOME/opmn/bin/opmnctl stopproc ias-component=HTTP_Server
$ORACLE_HOME/opmn/bin/opmnctl startproc ias-component=HTTP_Server
$ORACLE_HOME/opmn/bin/opmnctl status
Out of date CRL lists!!!
We found out today that the reason G2 certs from VeriSign were not being accepted was that the CRL file for VeriSign we had in place was out of date.
All certs from an issuer whose CRL is expired are rejected until we get a valid CRL from that issuer. The idea is that if my guest list is considered obsolete, no one from that source gets in. Makes sense.
openssl crl -inform DER -in /etc/httpd/crl/VERISIGNCLIENTEXTERNALCERTIFICATIONAUTHORITY_G2.crl -text | less
The command above will show the revoked certs by date and reason, as well as the "validity dates" for the list:
Certificate Revocation List (CRL):
Version 2 (0x1)
Signature Algorithm: sha1WithRSAEncryption
Issuer: /C=US/O=U.S. Government/OU=ECA/OU=Certification Authorities/CN=VeriSign Client External Certification Authority – G2
Last Update: May 29 15:23:49 2009 GMT
Next Update: May 30 09:23:49 2009 GMT
The example above has a Next Update date of May 30 2009; after that time no one with a VeriSign G2 signed cert will be able to get in until a current CRL from that issuer is installed.
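Because a stale CRL silently locks out every client of that issuer, the Next Update date is worth checking on a schedule rather than waiting for the phone to ring. The following is an added example, not part of the original notes, that reads the text form of a CRL (what `openssl crl -inform DER -in FILE.crl -text -noout` prints), pulls out the issuer, validity window and revoked serials, and reports whether the list is still valid. The sample CRL text is constructed with the same Last Update / Next Update values as the stale list above plus one made-up revoked serial; the `crl_check.py` script name and the `-` stdin convention are my own.

```python
"""Check whether a CRL, as printed by `openssl crl -text`, is still inside its
validity window. Added example; not part of the original notes."""
import sys
from datetime import datetime, timezone

# Constructed sample of `openssl crl -inform DER -in X.crl -text -noout` output,
# with the Last/Next Update of the stale CRL from the notes and one made-up
# revoked entry so the revocation parsing has something to find.
SAMPLE_CRL_TEXT = """\
Certificate Revocation List (CRL):
        Version 2 (0x1)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: /C=US/O=U.S. Government/OU=ECA/OU=Certification Authorities/CN=VeriSign Client External Certification Authority - G2
        Last Update: May 29 15:23:49 2009 GMT
        Next Update: May 30 09:23:49 2009 GMT
Revoked Certificates:
    Serial Number: 0A1B2C
        Revocation Date: Mar  2 12:00:00 2009 GMT
        CRL entry extensions:
            X509v3 CRL Reason Code:
                Key Compromise
"""

OPENSSL_TIME_FORMAT = "%b %d %H:%M:%S %Y GMT"


def parse_openssl_time(value):
    """Parse an OpenSSL timestamp such as 'May 30 09:23:49 2009 GMT' as UTC.

    OpenSSL pads single-digit days with a space ('Mar  2'); collapsing runs of
    whitespace first makes strptime accept either spelling.
    """
    normalized = " ".join(value.split())
    return datetime.strptime(normalized, OPENSSL_TIME_FORMAT).replace(tzinfo=timezone.utc)


def parse_crl_text(text):
    """Pull issuer, validity window and revoked serials out of `openssl crl -text` output."""
    info = {"issuer": None, "last_update": None, "next_update": None, "revoked_serials": []}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Issuer:"):
            info["issuer"] = line[len("Issuer:"):].strip()
        elif line.startswith("Last Update:"):
            info["last_update"] = parse_openssl_time(line[len("Last Update:"):])
        elif line.startswith("Next Update:"):
            info["next_update"] = parse_openssl_time(line[len("Next Update:"):])
        elif line.startswith("Serial Number:"):
            # In CRL text output, Serial Number lines belong to revoked entries.
            info["revoked_serials"].append(line[len("Serial Number:"):].strip())
    if info["last_update"] is None or info["next_update"] is None:
        raise ValueError("no Last Update / Next Update found; is this `openssl crl -text` output?")
    return info


def crl_status(text, now=None):
    """Return 'valid', 'expired' or 'not_yet_valid' for the CRL text at time `now`.

    'expired' is the failure mode from the notes: past Next Update the server
    rejects every client cert from that issuer, revoked or not, until a fresh
    CRL is installed.
    """
    info = parse_crl_text(text)
    now = now or datetime.now(timezone.utc)
    if now < info["last_update"]:
        return "not_yet_valid"
    if now > info["next_update"]:
        return "expired"
    return "valid"


def describe(text, now=None):
    """One-line summary, suitable for a cron job looping over /etc/httpd/crl/*.crl."""
    info = parse_crl_text(text)
    return (f"{crl_status(text, now).upper()}: issuer={info['issuer']} "
            f"next_update={info['next_update'].isoformat()} "
            f"revoked={len(info['revoked_serials'])}")


if __name__ == "__main__":
    # Usage:  openssl crl -inform DER -in FILE.crl -text -noout | python3 crl_check.py -
    text = sys.stdin.read() if sys.argv[1:] == ["-"] else SAMPLE_CRL_TEXT
    print(describe(text))
```

Run against the constructed sample today it reports `EXPIRED: ... next_update=2009-05-30T09:23:49+00:00 revoked=1`; pass `now=` to evaluate the list as of a specific time. Time comparisons are done in UTC because OpenSSL prints CRL times in GMT, so a host set to local time does not shift the result.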