Notes from 3\/8\/2010 \u00a0troubleshooting crl issues.<\/p>\n
Users called and could not access the cobra web site.<\/p>\n
They were using certificates issued by Verisign \u2013 specifically:<\/p>\n
CN=VeriSign Client External Certification Authority \u2013 G2<\/p>\n
I checked our page using the command:<\/p>\n
openssl s_client -showcerts\u00a0 -connect usecobra.com:443 -prexit<\/strong><\/p>\n and we were not accepting verisign G2 cert on cobra<\/p>\n So I went to the DISA webpage: https:\/\/crl.chamb.disa.mil\/<\/a><\/p>\n NOTE:\u00a0 a quicker way to get the new cert is to cut and paste from the view screen after selecting a cert on the left and clicking view on the right side of the page.<\/p>\n This is an ascii representation of the cert known as PEM format.\u00a0 ( as apposed to the .DER format\u00a0 which is binary that you get when you use the download link.<\/p>\n For our purposes we want the PEM format ascii file to put in our ca-bundle.txt<\/p>\n I like to put the PEM cert in a file by itself to verify it.\u00a0 I named this one verisign_ECA_G2.crt<\/p>\n Then I can run this to verify and get the issuer \/ subject to up in the comments.<\/p>\n openssl x509 -inform PEM -in verisign_ECA_G2.crt -issuer -subject \u2013noout<\/em><\/strong><\/p>\n <\/em><\/strong><\/p>\n issuer= \/C=US\/O=U.S. Government\/OU=ECA\/CN=ECA Root CA 2<\/p>\n subject= \/C=US\/O=U.S. Government\/OU=ECA\/OU=Certification Authorities\/CN=VeriSign Client External Certification Authority \u2013 G2<\/p>\n I edited the ca-bundle.crt to add the comments at the top and the cert.<\/p>\n I add the code like this:<\/p>\n #############################################<\/p>\n #subject= \/C=US\/O=U.S. Government\/OU=ECA\/OU=Certification Authorities\/CN=VeriSign Client External Certification Authority \u2013 G2<\/p>\n #issuer= \/C=US\/O=U.S. Government\/OU=ECA\/CN=ECA Root CA 2<\/p>\n \u2014\u2013BEGIN CERTIFICATE\u2014\u2013<\/p>\n MIIF7DCCBNSgAwIBAgIBCjANBgkqhkiG9w0BAQUFADBNMQswCQYDVQQGEwJVUzEY<\/p>\n MBYGA1UEChMPVS5TLiBHb3Zlcm5tZW50MQwwCgYDVQQLEwNFQ0ExFjAUBgNVBAMT<\/p>\n \u2026<\/p>\n DUVDQSBSb290IENBIDIwHhcNMDgwNzAyMTQ0MTE4WhcNMTQwNzAxMTQ0MTE4WjCB<\/p>\n X158kXsnY2wvH2WdMMpHmj7GvikIw\/tP\/7w9\/uwe6mE=<\/p>\n \u2014\u2013END CERTIFICATE\u2014\u2013<\/p><\/blockquote>\n ON linux just restart the webserver to make it take affecte<\/p>\n service httpd restart<\/p><\/blockquote>\n On oracle it is a little more complicated:<\/p>\n Log in as oracle<\/p>\n . formsset<\/p>\n cd \/ora\/wallets<\/p>\n ## Save off the wallet.p12\u00a0 for backup<\/p>\n cp wallet.p12 wallet.p12.100308<\/p>\n Edit ca-bundle.crt as described above.<\/p>\n Run .\/import_cert which will \u201crecomple\u201d the wallet.p12 by running this command:<\/p>\n \/ora\/10ias\/Apache\/Apache\/bin\/ssl2ossl -cert \/ora\/wallets\/usecobra.com.crt -key \/ora\/wallets\/usecobra.com.key -cafile \/ora\/wallets\/ca-bundle.crt -wallet \/ora\/wallets<\/em><\/strong><\/p><\/blockquote>\n You will need the password for the wallet as well as the key to complete this command.<\/p>\n Note<\/strong> \u2013 if it fails that means the cert you added is invalid \u2013 OR you do not have the cert for the all the parents up the chain of the issuer of that cert.<\/p>\n Then to restart the webserver on Oracle Solaris run the following commands<\/p>\n $ORACLE_HOME\/opmn\/bin\/opmnctl status<\/em><\/strong><\/p>\n $ORACLE_HOME\/opmn\/bin\/opmnctl stopproc ias-component=HTTP_Server<\/em><\/strong><\/p>\n $ORACLE_HOME\/opmn\/bin\/opmnctl startproc ias-component=HTTP_Server<\/em><\/strong><\/p>\n $ORACLE_HOME\/opmn\/bin\/opmnctl status<\/em><\/strong><\/p>\n We found out today that the reason G2 certs from verisign were not being accepted was because the CRL file for Verisign we had in place was out of date.<\/p>\n All certs from an issuer whose CRL is expired are rejected until we get\u00a0 a valid CRL list from that issuer \u2013 this is the concept that if my guest list is considered obsolete \u2013 no one from that source will get in.\u00a0 Make sense.<\/p>\n openssl crl -inform DER -in \/etc\/httpd\/crl\/VERISIGNCLIENTEXTERNALCERTIFICATIONAUTHORITY_G2.crl -text | less<\/em><\/strong><\/p><\/blockquote>\n The command above will show the revoked certs by date and reason \u2013 as well as the \u201cvaliditiy dates\u201d for the list<\/p>\n Certificate Revocation List (CRL):<\/p>\n Version 2 (0x1)<\/p>\n Signature Algorithm: sha1WithRSAEncryption<\/p>\n Issuer: \/C=US\/O=U.S. Government\/OU=ECA\/OU=Certification Authorities\/CN=VeriSign Client External Certification Authority \u2013 G2<\/p>\n Last Update: May 29 15:23:49 2009 GMT<\/p>\n Next Update: May 30 09:23:49 2009 GMT<\/p><\/blockquote>\n In the above example has a Next Update date \u2013 after that time no one with a verisign G2 signed cert will be able to get in.<\/p>\n","protected":false},"excerpt":{"rendered":" Notes from 3\/8\/2010 \u00a0troubleshooting crl issues. Users called and could not access the cobra web site. They were using certificates issued by Verisign \u2013 specifically: CN=VeriSign Client External Certification Authority \u2013 G2 I checked our page using the command: openssl … Continue reading Out of date CRL lists!!!<\/h1>\n