
Problem creating CRL

February 18, 2020 12:58PM
I am attempting to add CRL support to my nginx proxy, and it seems to not be working due to the following error:

client SSL certificate verify error: (3:unable to get certificate CRL) while reading client request headers

From my research, this is because nginx senses a missing CRL. But here is the structure of my client certificate (it has the full chain of certificates in it):

Certificate:
    Data:
        ...
        X509v3 extensions:
            ...
            X509v3 Key Usage: critical
                Certificate Sign, CRL Sign

Certificate:
    Data:
        ...
        X509v3 extensions:
            ...
            X509v3 CRL Distribution Points:
                Full Name:
                  URI:http://uri1

Certificate:
    Data:
        ...
        X509v3 extensions:
            ...
            X509v3 Key Usage: critical
                Certificate Sign, CRL Sign

Certificate:
    Data:
        ...
        X509v3 extensions:
            ...
            X509v3 CRL Distribution Points:
                Full Name:
                  URI:http://uri2
                  URI:http://uri3
                  URI:http://uri4

I take the following steps:

1. curl and convert output from url1 to PEM.
2. curl and convert output from url2 to PEM.
3. Concat the two outputs into the same file.
4. Specify this file in nginx config for ssl_crl.

But I get the above error.

Any thoughts on what I'm doing wrong? My understanding is that I should be able to safely ignore url3 and url4.

Any thoughts? Thank you!
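
The four steps above, followed by a check of the resulting file with `openssl verify`, which reports the same OpenSSL verification errors (such as error 3) without going through nginx. This is an added example, not part of the original post. The function names and the output file name `crl-bundle.pem` are hypothetical; CA_PEM is assumed to be the trusted CA file nginx is configured with, and CHAIN_PEM the client certificate followed by its intermediates.

```shell
#!/bin/sh
# Added example (not from the original post); function names are hypothetical.

# Write one CRL as PEM to stdout, whether the input file is PEM or DER
# (CRL distribution points commonly serve DER).
crl_to_pem() {
    if grep -q -- '-----BEGIN X509 CRL-----' "$1"; then
        openssl crl -inform PEM -in "$1" -outform PEM
    else
        openssl crl -inform DER -in "$1" -outform PEM
    fi
}

# bundle_crls OUT CRL...  : concatenate all CRLs, as PEM, into OUT.
bundle_crls() {
    out=$1; shift
    : > "$out"
    for f in "$@"; do
        crl_to_pem "$f" >> "$out" || return 1
    done
}

# verify_with_crls CA_PEM CRL_BUNDLE CHAIN_PEM
# CHAIN_PEM holds the client certificate first, then its intermediates.
# -crl_check_all requires a CRL for every certificate in the chain.
# Prints OpenSSL's output; succeeds only if verification reports OK.
verify_with_crls() {
    result=$(openssl verify -crl_check_all -CAfile "$1" -CRLfile "$2" \
        -untrusted "$3" "$3" 2>&1)
    printf '%s\n' "$result"
    printf '%s\n' "$result" | grep -q ': OK$'
}

# Usage: script CA_PEM CHAIN_PEM CRL_URL...
if [ "$#" -ge 3 ]; then
    ca=$1; chain=$2; shift 2
    tmp=$(mktemp -d); n=0
    for url in "$@"; do
        n=$((n + 1))
        curl -fsS -o "$tmp/crl$n" "$url" || exit 1
    done
    bundle_crls crl-bundle.pem "$tmp"/crl* || exit 1
    verify_with_crls "$ca" crl-bundle.pem "$chain"
fi
```

The error line printed on failure names the chain depth of the certificate for which no matching CRL was found in the bundle.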
Subject Author Posted

Problem creating CRL

trstringer February 18, 2020 12:58PM

Re: Problem creating CRL

Maxim Dounin February 18, 2020 01:44PM

Re: Problem creating CRL

trstringer February 18, 2020 01:50PM

Re: Problem creating CRL

Maxim Dounin February 18, 2020 02:06PM

Re: Problem creating CRL

trstringer February 18, 2020 02:46PM


