picture of tbs certificates
picture of tbs certificates
Our products range

Management of revocation lists in Apache

Old method: CRLs

If you are using strong authentication with client certificates, you need to regularly check the validity of those certificates. To do so, you have to consult the revocation list of each accepted certificate.

If you followed our instructions, you must have already identified the acceptable issuers with the instruction SSLCACertificateFile or SSLCACertificatePath. To do so, you have gone through the certification chain, starting from the certificate issuing your certificates (intermediate certificates).
Now, you have to go through this chain again and note, at each step, the URL of the CRL for each certificate. For example, if you are using our TBS X509 PKI PME offer, your issuer certificate is TBS X509 CA persona 3. You'll then get the following list:

You'll then have to make those CRLs available for Apache to check them. To do so, we'll work in the Apache standard repertory, that usually is /etc/httpd/conf/ssl.crl/

Use then the Apache instruction:
SSLCARevocationPath conf/ssl.crl/

Those CRLs must constantly be up-to-date. So instead of updating them manually, we'll put it in a CRON that will be launched every hour. It will retrieve all the CRLs of the chain (with curl) and convert them into PEM (with openssl). Then it will create the hash links (with make by using Makefile supplied be Apache).

Here is our file /etc/cron.hourly/maj-crl-httpd applicable to our example:

cd /etc/httpd/conf/ssl.crl

# CHAINE TBS X509 persona pour PKI PME
curl -s | openssl crl -inform DER -out TBSX509CApersona3RSA.crl
curl -s | openssl crl -inform DER -out USERTrustRSACertificationAuthority.crl

make > /dev/null
The result is as followed:
$ ll /etc/httpd/conf/ssl.crl
-rw-r--r--    1 root     root          320 Aug 24  1999 README.CRL
-rw-r--r--    1 root     root         1568 Aug 24  1999 Makefile
-rw-r--r--    1 root     root          841 Feb 11 14:10 TBSX509CApersona3RSA.crl
-rw-r--r--    1 root     root          857 Feb 11 14:10 USERTrustRSACertificationAuthority.crl
lrwxrwxrwx    1 root     root           46 Feb 11 14:10 9ec3a561.r0 -> USERTrustRSACertificationAuthority.crl
lrwxrwxrwx    1 root     root           20 Feb 11 14:10 4840af4a.r0 -> TTBSX509CApersona3RSA.crl
Now ask Apache to consult those CRLs with the instruction
SSLCARevocationPath conf/ssl.crl/

New method: OCSP

This method makes it possible to verify the validity of the certificate in real time by directly questioning the certification authority. To activate this protocol, here are the directives to be implemented in your Apache configuration file:

    SSLVerifyClient require
    SSLOCSPEnable on

Also, you must activate the OCSP Stapling to directly provide a certificate of validity on connection (more info). OCSP Stapling is supported at from Apache version 2.4+. Here is an example of OCSP Stapling configuration:

    SSLUseStapling on
    SSLStaplingCache "shmcb:logs/stapling_cache(128000)"