Using OpenSSL to verify an eDirectory LDAP server's certificate CRL is working if enforcement is desired.

  • 7023838
  • 24-Apr-2019
  • 24-Apr-2019


eDirectory 9.1.3
OpenSSL 1.0.2q-52 (included in eDirectory)


A new server has been installed into the tree.  LDAP services have been secured with a certificate that has a Certificate Revocation List (CRL) defined in it.  The administrator now wants to verify that CRL verification on the RootCA is working before enforcing CRL checking on clients.


1. Get the server's LDAPS certificate:
openssl s_client -connect 2>&1 < /dev/null | sed -n '/-----BEGIN/,/-----END/p' > ldapserver.pem

2. Check to see if there is a CRL defined in it:
openssl x509 -noout -text -in ldapserver.pem | grep -A 4 'X509v3 CRL Distribution Points'
Make note of the URL and port number.

3. If it exists and we want to test against the CRL defined, we need the certificate's entire chain:
OLDIFS=$IFS; IFS=':' certificates=$(openssl s_client -connect -showcerts -tlsextdebug -tls1 2>&1 </dev/null | sed -n '/-----BEGIN/,/-----END/ {/-----BEGIN/ s/^/:/; p}'); for certificate in ${certificates#:}; do echo $certificate | tee -a chain.pem ; done; IFS=$OLDIFS

4. We also need the CRL file:
wget -O crl.der

5. Convert the CRL file from der to pem format:
openssl crl -inform DER -in crl.der -outform PEM -out crl.pem

6. Now, combine the chain file with the CRL file:
cat chain.pem crl.pem >crl_chain.pem

7. Now you can run a test against the CRL distribution point:
openssl verify -crl_check -CAfile crl_chain.pem ldapserver.pem

If it returns OK all is working.  Otherwise, OpenSSL will throw an error such as:
error 23 at 0 depth lookup:certificate revoked