[Swan] crl and nss

Bob Miller bob at computerisms.ca
Wed May 7 04:02:36 EEST 2014


Hello,

Today I encountered a situation where I would like to revoke a
certificate.  So I revoked the pem, then I updated my CA crl cert using
the openssl ca -gencrl command.  I then copied the crl to the firewall
in question, and tried to import it into nss using the crlutil command.

That took a bit of figuring, but in the end I got it to import by
converting it to DER format using the following command:

openssl crl -in Certificate.Authority.crl -inform PEM -out \
Certificate.Authority.crl.der -outform DER

I can now list the crl in the nss database, but I figured it was a good
idea to test it.  And was it ever a good idea, because the certificate I
revoked can still connect to the vpn.  I thought I was so clever, but it
turns out I know naught...

So I figured maybe the nss database needs to have a copy of the actual
cert in order to consider it revoked, so I created a DER format out of
the pem file, and copied the p12, the pem and the der file to the
firewall in question.  When trying to import any of the three into the
nss database with the following command:

crlutil -I -i /root/username.pem -d /etc/ipsec.d/

All three file types result in the following error:

crlutil: unable to import CRL: SEC_ERROR_CRL_INVALID: New CRL has an
invalid format.

I read
https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/tools/NSS_Tools_crlutil
but I find it missing a great deal of explanation regarding using it in
this situation.  I am sure it will all make sense *after* I have gained
understanding elsewhere.  I read several other articles as well, but it
seems applications generally have their own tools for manipulating
certificates before any nss commands are run (or maybe those are other
nss commands and I just don't know it?)

So did I miss some step in the certificate creation or something for
this to work, or am I just doing things wrong?  Can someone point me at
what I need to read to gain the correct understanding?  Thanks for any
hints...



-- 
Computerisms
Bob Miller      
867-334-7117 / 867-633-3760
http://computerisms.ca
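The post above feeds a certificate (pem, der and p12) to crlutil -I and gets SEC_ERROR_CRL_INVALID, and also converts a PEM CRL to DER before importing it. The following script is an added example, not code from the poster or from the Libreswan/NSS projects: it is a minimal, stdlib-only DER walker that tells a CertificateList apart from a Certificate by structure (a Certificate's tbs starts with an explicit [0] version or, for v1, serial/sigalg/issuer/validity SEQUENCE; a CRL's tbs has sigalg/issuer followed by a thisUpdate time), unwraps PEM to DER the way the openssl crl -outform DER step does, lists the revoked serials in a CRL and checks whether a certificate's serial is on it. The sample CRL and certificate it operates on are constructed in the script with a dummy signature (the CA name "Test CA", the serial numbers and dates are made up for the demo); it does no signature verification and matches serial numbers only, so it is a diagnostic for "what kind of file is this", not a substitute for the VPN daemon's own revocation check.

```python
import base64
import re

SEQ, SET, INT, OID, NULL, UTF8, UTCTIME, GENTIME, BITSTR, CTX0 = (
    0x30, 0x31, 0x02, 0x06, 0x05, 0x0C, 0x17, 0x18, 0x03, 0xA0)


# ---- tiny DER encoder, used only to build the constructed sample files ----
def _tlv(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")   # long-form length
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def _int(v):
    return _tlv(INT, v.to_bytes((v.bit_length() + 8) // 8, "big"))  # keeps sign bit clear


def _utc(s):
    return _tlv(UTCTIME, s.encode())


# sha256WithRSAEncryption (1.2.840.113549.1.1.11) + NULL params, CN=Test CA, dummy signature
_SIGALG = _tlv(SEQ, _tlv(OID, bytes.fromhex("2a864886f70d01010b")) + _tlv(NULL, b""))
_NAME = _tlv(SEQ, _tlv(SET, _tlv(SEQ, _tlv(OID, bytes.fromhex("550403")) + _tlv(UTF8, b"Test CA"))))
_FAKE_SIG = _tlv(BITSTR, b"\x00" + b"\xaa" * 16)


def build_sample_crl(serials):
    """Constructed v2 CRL listing the given serials (what `openssl ca -gencrl` emits, minus a real signature)."""
    revoked = _tlv(SEQ, b"".join(_tlv(SEQ, _int(s) + _utc("140507010000Z")) for s in serials))
    tbs = _tlv(SEQ, _int(1) + _SIGALG + _NAME + _utc("140507010000Z") + _utc("140606010000Z") + revoked)
    return _tlv(SEQ, tbs + _SIGALG + _FAKE_SIG)


def build_sample_cert(serial):
    """Constructed v3 certificate with the given serial (issuer and subject both 'Test CA')."""
    validity = _tlv(SEQ, _utc("140101000000Z") + _utc("150101000000Z"))
    rsa_oid = _tlv(SEQ, _tlv(OID, bytes.fromhex("2a864886f70d010101")) + _tlv(NULL, b""))
    spki = _tlv(SEQ, rsa_oid + _tlv(BITSTR, b"\x00" + b"\x00" * 8))
    tbs = _tlv(SEQ, _tlv(CTX0, _int(2)) + _int(serial) + _SIGALG + _NAME + validity + _NAME + spki)
    return _tlv(SEQ, tbs + _SIGALG + _FAKE_SIG)


def to_pem(label, der):
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"


# ---- DER reader ----
def _read_tlv(buf, pos):
    """Parse one definite-length DER TLV at buf[pos]; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _children(value):
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = _read_tlv(value, pos)
        out.append((tag, val))
    return out


def load_der(data):
    """Accept PEM or DER bytes and return DER, i.e. what `openssl crl -outform DER` produces."""
    if data.lstrip().startswith(b"-----BEGIN"):
        body = re.sub(rb"-----[^-]+-----", b"", data)
        return base64.b64decode(b"".join(body.split()))
    return data


def classify(der):
    """Return 'crl', 'certificate' or 'unknown' from the DER structure alone (no signature check)."""
    top = _children(der)
    if len(top) != 1 or top[0][0] != SEQ:
        return "unknown"
    parts = _children(top[0][1])            # [tbs, signatureAlgorithm, signatureValue]
    if len(parts) != 3 or parts[0][0] != SEQ or parts[2][0] != BITSTR:
        return "unknown"                     # e.g. PKCS#12 starts with INTEGER version, not a tbs SEQUENCE
    fields = _children(parts[0][1])
    if fields and fields[0][0] == CTX0:
        return "certificate"                 # explicit [0] version exists only in Certificate
    if fields and fields[0][0] == INT:
        fields = fields[1:]                  # CRL version, or a v1 certificate's serial number
    tags = [t for t, _ in fields[:3]]
    if tags in ([SEQ, SEQ, UTCTIME], [SEQ, SEQ, GENTIME]):
        return "crl"                         # signature, issuer, thisUpdate
    if tags == [SEQ, SEQ, SEQ]:
        return "certificate"                 # signature, issuer, validity
    return "unknown"


def revoked_serials(der):
    """Serial numbers in revokedCertificates; raises for input that is not a CRL."""
    if classify(der) != "crl":
        raise ValueError("not a CRL; crlutil -I rejects this with SEC_ERROR_CRL_INVALID")
    fields = _children(_children(_children(der)[0][1])[0][1])
    i = 1 if fields[0][0] == INT else 0
    for tag, val in fields[i + 3:]:         # after signature, issuer, thisUpdate
        if tag == SEQ:                       # nextUpdate is a time tag, extensions are [0]
            return [int.from_bytes(_children(e)[0][1], "big", signed=True) for _, e in _children(val)]
    return []


def cert_serial(der):
    if classify(der) != "certificate":
        raise ValueError("not a certificate")
    fields = _children(_children(_children(der)[0][1])[0][1])
    idx = 1 if fields[0][0] == CTX0 else 0
    return int.from_bytes(fields[idx][1], "big", signed=True)


def is_revoked(cert_der, crl_der):
    """Serial-only membership test; a real check also matches issuer and verifies the CRL signature."""
    return cert_serial(cert_der) in revoked_serials(crl_der)


if __name__ == "__main__":
    crl_pem = to_pem("X509 CRL", build_sample_crl([0x1001, 0x1002])).encode()
    user_pem = to_pem("CERTIFICATE", build_sample_cert(0x1001)).encode()
    for name, blob in (("Certificate.Authority.crl", crl_pem), ("username.pem", user_pem)):
        print(name, "->", classify(load_der(blob)))
    print("revoked serials:", [hex(s) for s in revoked_serials(load_der(crl_pem))])
    print("username.pem revoked:", is_revoked(load_der(user_pem), load_der(crl_pem)))
```

Running it on the constructed input reports the crl file as "crl" and username.pem as "certificate", which is the distinction crlutil is enforcing when it refuses the pem/der/p12 files. Point classify() at a real file via load_der(open(path, "rb").read()) to see which kind of object you are handing to crlutil before importing it.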