
I have an NGINX web server. I protect a site with client certificates. All works fine; I am only able to access the site if I have the client cert installed.

    ssl_client_certificate /path/to/ca.crt;
    ssl_verify_client on;

But how can I revoke a cert? E.g. I want to revoke the access of a friend of mine. I did not find any possibility...

I created the client cert with these commands:

    openssl genrsa -des3 -out client.key 4096
    openssl req -new -key client.key -out client.csr
    openssl x509 -req -days 365 -in client.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out client.crt

The only way I found was with a CRL list, is this right? And is there somewhere an example of how to do this?

My "setup" right now is a Debian server running NGINX and OpenSSL. I created a CA with the following, and then I authorized the clients with that.

    openssl genrsa -des3 -out ca.key 4096
    openssl req -new -x509 -days 365 -key ca.key -out ca.crt

I used this guide: https://gist.github.com/mtigas/952344

Like I said, the way of protecting works, but I just can't remove the cert...
Sorry if this is a stupid question, I'm new to OpenSSL...

    Stack Overflow is a site for programming and development questions. This question appears to be off-topic because it is not about programming or development. See [What topics can I ask about here](http://stackoverflow.com/help/on-topic) in the Help Center. Perhaps [Super User](http://superuser.com/) or [Unix & Linux Stack Exchange](http://unix.stackexchange.com/) would be a better place to ask. Also see [Where do I post questions about Dev Ops?](http://meta.stackexchange.com/q/134306) – jww May 08 '17 at 08:06
  • See https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_crl for getting nginx to use a CRL for client certificate verification – deed02392 Oct 21 '20 at 12:45

1 Answer


Revoke the certificate:

    # `-revoke` is a subcommand option of `openssl ca`, which needs the CA config
    openssl ca -config /etc/openssl.cnf -revoke 'cert_of_your_(not_anymore)_friend.pem'

Generate the new list of revoked certificates:

    openssl ca -gencrl -config /etc/openssl.cnf -out crl/your_new_list_of_revoked.crl

Camille G.
  • Thank you for your answer! I don't have a pem file of this cert; there are just client.crt, client.csr and client.key. The second command is not working: variable lookup failed for ca::default_ca 139837638944424:error:0E06D06C:configuration file routines:NCONF_get_string:no value:conf_lib.c:324:group=ca name=default_ca – Manu_H May 08 '17 at 17:25
  • See http://stackoverflow.com/questions/24255205/error-loading-extension-section-usr-cert – Camille G. May 09 '17 at 07:04
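The full revoke-and-regenerate cycle behind this answer, as an added example (not code from the question, the answer or the linked gist): it builds the minimal `openssl ca` layout whose absence produces the `ca::default_ca` error from the comment above, revokes a client cert issued with `x509 -req` like the asker's, regenerates the CRL and checks the cert against it the way a verifier does. Assumed: all files live under `CA_DIR` (a temp dir here), keys are unencrypted so the steps run unattended, and the `ssl_crl` directive from the comments is what nginx reads the CRL from.

```shell
#!/bin/sh
# Added example (not from the question or answer): the `openssl ca` layout that
# `-revoke`/`-gencrl` need, then revoke -> regenerate CRL -> verify. Assumes all
# files live under CA_DIR (a temp dir here) and unencrypted keys, to run unattended.
set -eu
CA_DIR="${CA_DIR:-$(mktemp -d)}"
CNF="$CA_DIR/openssl.cnf"
ca_init() {
  mkdir -p "$CA_DIR/newcerts" "$CA_DIR/crl"
  : > "$CA_DIR/index.txt"    # CA database; `-revoke` marks entries here with R
  # Without a [ca] default_ca entry: "variable lookup failed for ca::default_ca"
  cat > "$CNF" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = $CA_DIR
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
certificate = \$dir/ca.crt
private_key = \$dir/ca.key
default_md = sha256
default_crl_days = 30
policy = policy_any
[ policy_any ]
commonName = supplied
[ req ]
distinguished_name = req_dn
[ req_dn ]
EOF
  # CA (must carry basicConstraints CA:TRUE to verify against) plus one client
  # cert issued with `x509 -req -set_serial 01`, exactly as in the question.
  openssl req -new -x509 -days 365 -newkey rsa:2048 -nodes -keyout "$CA_DIR/ca.key" \
      -out "$CA_DIR/ca.crt" -subj "/CN=Example CA" -config "$CNF" \
      -addext "basicConstraints=critical,CA:TRUE" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -keyout "$CA_DIR/client.key" \
      -out "$CA_DIR/client.csr" -subj "/CN=friend" -config "$CNF" 2>/dev/null
  openssl x509 -req -days 365 -in "$CA_DIR/client.csr" -CA "$CA_DIR/ca.crt" \
      -CAkey "$CA_DIR/ca.key" -set_serial 01 -out "$CA_DIR/client.crt" 2>/dev/null
}
# Mark the cert revoked in index.txt (an entry is added first if it is missing).
ca_revoke() { openssl ca -config "$CNF" -revoke "$1" 2>/dev/null; }
# Regenerate the CRL: the file nginx's ssl_crl directive should point at.
ca_gencrl() { openssl ca -config "$CNF" -gencrl -out "$CA_DIR/crl/revoked.crl" 2>/dev/null; }
# The check a verifier performs: chain to ca.crt, then consult the CRL.
cert_status() {
  if openssl verify -crl_check -CAfile "$CA_DIR/ca.crt" \
       -CRLfile "$CA_DIR/crl/revoked.crl" "$1" >/dev/null 2>&1
  then echo valid; else echo revoked; fi
}
```

On the nginx side, add `ssl_crl /path/to/revoked.crl;` next to `ssl_client_certificate` and reload nginx after every regeneration, since it reads the CRL file when the configuration is loaded.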