How to give CRL to openssl s_client?

Tags:

ssl

openssl

x509

I'm testing certificate revocation with a test server. I'm trying to use openssl s_client with the -crl_check parameter for testing the revocation. I have appended the CA certs to a chain file I give in the -CAfile parameter.

With the command:

openssl s_client -connect <host>:<port> -crl_check -cert cert.pem \
    -key key.pem -CAfile ca_chain.pem -state -verify_return_error -debug

I get a response:

Verify return code: 3 (unable to get certificate CRL)

Which is natural because I don't give the CRL.

How should I give the CRL (where the server cert is revoked) to the openssl s_client to get certificate revocation checked in negotiation?

talamaki asked Oct 19 '22 04:10


1 Answer

With 1.02 you should be able to do this. From the changelog:

*) New options -CRL and -CRLform for s_client and s_server for CRLs.
   [Steve Henson]

In versions before that the behavior is undocumented: You have to include the CRL together with the certificate in the same file if you are using a single file with -CAfile. If you are using a directory with -CApath instead it gets even harder.

Steffen Ullrich answered Nov 15 '22 07:11
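Both ways of handing a CRL to OpenSSL that the answer describes can be reproduced offline. The script below is an added example, not code from the question or the answer: it builds a throwaway CA in a temporary directory, issues and then revokes a leaf certificate, publishes a CRL, and checks the leaf with `openssl verify -crl_check` (the same X509 store logic s_client uses) in four situations: no CRL at all (verify return code 3, as in the question), a CRL that does not yet list the leaf, the CRL passed separately with -CRLfile, and the CRL appended to the CAfile (the pre-1.0.2 trick). It also contains an optional loopback handshake with `openssl s_server` and `openssl s_client -CRL`. The names demo-ca and demo-server, the file names, and port 4433 are assumptions.

```shell
#!/bin/sh
# Added example (not from the question or the answer). Builds a constructed
# test PKI, revokes the leaf, and checks revocation with and without a CRL.
set -e

WORK=$(mktemp -d)
cd "$WORK"

# Constructed test PKI: one self-signed CA, one leaf, and the minimal
# `openssl ca` database needed to revoke the leaf and emit a CRL.
make_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.pem \
        -subj "/CN=demo-ca" -days 2 >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes -keyout server.key -out server.csr \
        -subj "/CN=demo-server" >/dev/null 2>&1
    openssl x509 -req -in server.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
        -out server.pem -days 2 >/dev/null 2>&1
    touch index.txt
    echo 01 > crlnumber
    cat > ca.cnf <<'EOF'
[ ca ]
default_ca = demo
[ demo ]
database = index.txt
crlnumber = crlnumber
certificate = ca.pem
private_key = ca.key
default_md = sha256
default_crl_days = 1
EOF
    # CRL issued before the revocation: the leaf is not listed yet
    openssl ca -config ca.cnf -gencrl -crldays 1 -out crl_empty.pem >/dev/null 2>&1
    openssl ca -config ca.cnf -revoke server.pem >/dev/null 2>&1
    # CRL issued after the revocation: the leaf is listed
    openssl ca -config ca.cnf -gencrl -crldays 1 -out crl.pem >/dev/null 2>&1
    # Pre-1.0.2 style: the CRL lives in the same PEM file as the CA cert
    cat ca.pem crl.pem > ca_chain_with_crl.pem
}

# Map openssl's verdict to a short status. $1 = CAfile, $2 = leaf cert,
# $3 = optional separate CRL file (passed with -CRLfile when given).
revocation_status() {
    if [ -n "$3" ]; then
        out=$(openssl verify -crl_check -CAfile "$1" -CRLfile "$3" "$2" 2>&1 || true)
    else
        out=$(openssl verify -crl_check -CAfile "$1" "$2" 2>&1 || true)
    fi
    case "$out" in
        *"unable to get certificate CRL"*) echo missing-crl ;;   # verify code 3
        *"certificate revoked"*)           echo revoked ;;       # verify code 23
        *": OK"*)                          echo good ;;
        *)                                 echo other ;;
    esac
}

# The same check inside a TLS handshake: s_server on loopback presents the
# revoked leaf and s_client receives the CRL via -CRL (OpenSSL 1.0.2 or later).
# -verify_return_error makes s_client abort instead of continuing after the
# verify error. Port 4433 is an assumption; run with RUN_TLS_DEMO=1.
tls_demo() {
    openssl s_server -accept 4433 -cert server.pem -key server.key -www \
        >/dev/null 2>&1 &
    srv=$!
    sleep 1
    openssl s_client -connect 127.0.0.1:4433 -CAfile ca.pem -crl_check \
        -CRL crl.pem -verify_return_error </dev/null 2>&1 \
        | grep -E 'verify error|Verify return code' || true
    kill "$srv"
}

make_pki
echo "no CRL at all:              $(revocation_status ca.pem server.pem)"
echo "CRL, leaf not yet revoked:  $(revocation_status ca.pem server.pem crl_empty.pem)"
echo "CRL passed with -CRLfile:   $(revocation_status ca.pem server.pem crl.pem)"
echo "CRL appended to the CAfile: $(revocation_status ca_chain_with_crl.pem server.pem)"
if [ "${RUN_TLS_DEMO:-0}" = 1 ]; then
    tls_demo
fi
```

The first line reproduces the question's "unable to get certificate CRL"; the last two both report "certificate revoked", which is the point of the answer: a CRL concatenated into the -CAfile is picked up by the PEM loader on any version, while -CRLfile (verify) and -CRL (s_client/s_server) are the documented route from 1.0.2 on. Note that -crl_check only checks the leaf; use -crl_check_all if every CA in the chain must have a CRL too.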