Re: Adding an option to only perform CRL checks for leaf nodes

Maxim Dounin
April 27, 2017 12:44PM
Hello!

On Thu, Apr 27, 2017 at 04:18:30PM +0100, Nicholas Humfrey wrote:

> I was having trouble getting CRL checks working for client certificates
> and it turns out that the problem is because nginx checks CRLs for all
> levels of the certificate hierarchy, but the CA I am using does not
> publish CRLs for intermediate certificates.
>
> It is not uncommon for the private key of the root CA certificate to be
> locked away offline in a safe, to prevent any other intermediate
> certificates from being issued. However, this means that CRLs cannot be
> generated for the intermediate certificates, only the leaf certificates.
> Hence only the leaf certificates can be CRL checked.

How do you revoke intermediate certificates if compromised then?

> The solution to this is very simple; just set X509_V_FLAG_CRL_CHECK in
> OpenSSL without the X509_V_FLAG_CRL_CHECK_ALL flag.
>
> Would you accept a patch that adds a new configuration option to nginx
> to control this?

Unlikely; this was already discussed on this list several weeks
ago.

http://mailman.nginx.org/pipermail/nginx-devel/2017-April/009790.html

--
Maxim Dounin
http://nginx.org/
_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel
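The flag distinction Nicholas describes, shown with Python's standard `ssl` module as an added example (not code from this thread or from nginx). It assumes Python's `VERIFY_CRL_CHECK_LEAF` equals OpenSSL's `X509_V_FLAG_CRL_CHECK` and `VERIFY_CRL_CHECK_CHAIN` equals `X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL`, and `certs_needing_crl` is a hypothetical helper that models which chain positions OpenSSL's revocation loop visits under each flag combination.

```python
"""Leaf-only versus full-chain CRL checking, using Python's ssl module.

Python exposes the two OpenSSL modes discussed in the thread directly:
ssl.VERIFY_CRL_CHECK_LEAF  == X509_V_FLAG_CRL_CHECK
ssl.VERIFY_CRL_CHECK_CHAIN == X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL
"""
import ssl

# OpenSSL flag values (x509_vfy.h), kept as plain ints for bit tests below.
X509_V_FLAG_CRL_CHECK = 0x4
X509_V_FLAG_CRL_CHECK_ALL = 0x8


def make_client_auth_context(cafile=None, crlfile=None, leaf_only=True):
    """Server-side context that requires and revocation-checks a client cert.

    leaf_only=True : a CRL is required only from the issuer of the client
                     certificate (the intermediate), which is what the poster
                     asked nginx to allow.
    leaf_only=False: CRLs are required for every certificate in the chain,
                     nginx's current behaviour; it fails when the offline root
                     publishes no CRL covering its intermediates.
    cafile/crlfile are optional so the logic can be exercised without files;
    CRLs are loaded through load_verify_locations() like CA certificates.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.verify_mode = ssl.CERT_REQUIRED
    for path in (cafile, crlfile):
        if path:
            ctx.load_verify_locations(cafile=path)
    # Clear both CRL bits, then set exactly the mode requested.
    flags = int(ctx.verify_flags) & ~int(ssl.VERIFY_CRL_CHECK_CHAIN)
    flags |= int(ssl.VERIFY_CRL_CHECK_LEAF if leaf_only
                 else ssl.VERIFY_CRL_CHECK_CHAIN)
    ctx.verify_flags = flags
    return ctx


def certs_needing_crl(chain_depth, verify_flags):
    """Hypothetical model of OpenSSL's check_revocation() loop.

    Position 0 is the leaf, chain_depth-1 the self-signed root. Without
    CRL_CHECK nothing is checked (CRL_CHECK_ALL alone is inert); with
    CRL_CHECK alone only the leaf is checked; with both, every certificate
    in the chain is checked, so a CRL from the root is needed as well.
    """
    if not verify_flags & X509_V_FLAG_CRL_CHECK:
        return []
    if verify_flags & X509_V_FLAG_CRL_CHECK_ALL:
        return list(range(chain_depth))
    return [0]
```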