Using OpenSSL to verify that an eDirectory LDAP server's certificate CRL is working before CRL enforcement is enabled.

  • 7023838
  • 24-Apr-2019
  • 24-Apr-2019

Environment

eDirectory 9.1.3
OpenSSL 1.0.2q-52 (included in eDirectory)

Situation

A new server has been installed into the tree. LDAP services have been secured with a certificate that has a Certificate Revocation List (CRL) distribution point defined in it. The administrator now wants to verify that CRL checking against the Root CA's CRL is working before enforcing CRL checking on clients.

Resolution

1. Get the server's LDAPS certificate:
openssl s_client -connect 192.168.211.65:636 2>&1 < /dev/null | sed -n '/-----BEGIN/,/-----END/p' > ldapserver.pem

2. Check to see if there is a CRL defined in it:
openssl x509 -noout -text -in ldapserver.pem | grep -A 4 'X509v3 CRL Distribution Points'
Make note of the URL and port number; they are needed to download the CRL in step 4.

3. If a CRL distribution point exists and we want to test against it, we need the certificate's entire chain:
OLDIFS=$IFS; IFS=':' certificates=$(openssl s_client -connect 192.168.211.65:636 -showcerts -tlsextdebug -tls1 2>&1 </dev/null | sed -n '/-----BEGIN/,/-----END/ {/-----BEGIN/ s/^/:/; p}'); for certificate in ${certificates#:}; do echo $certificate | tee -a chain.pem ; done; IFS=$OLDIFS
Note that "tee -a" appends, so delete any existing chain.pem before running this; "-tls1" forces TLSv1.0, so drop it if the server only accepts newer protocol versions.

4. We also need the CRL file, from the URL and port noted in step 2:
wget -O crl.der http://192.168.211.65:8028/crl/one.crl

5. Convert the CRL file from der to pem format:
openssl crl -inform DER -in crl.der -outform PEM -out crl.pem

6. Now, combine the chain file with the CRL file:
cat chain.pem crl.pem >crl_chain.pem

7. Now you can run a test against the CRL distribution point:
openssl verify -crl_check -CAfile crl_chain.pem ldapserver.pem
"-crl_check" only checks the server certificate itself; use "-crl_check_all" to check every certificate in the chain against the CRL as well.

If it returns OK, all is working. Otherwise OpenSSL reports an error such as:
error 23 at 0 depth lookup:certificate revoked
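The same check as a self-contained exercise, added here and not part of the TID: it builds a throwaway CA in a temporary directory, issues one valid and one revoked certificate, generates the CRL locally instead of downloading it, and runs the step 2 and step 7 commands against both certificates so the OK and "certificate revoked" outcomes can be seen side by side. The CA name, file names and the CRL distribution point URL are constructed placeholders.

```shell
# Added example, not from the TID: throwaway CA, one good and one revoked
# certificate, local CRL, then the same "openssl verify -crl_check" as step 7.
set -e
WORK=$(mktemp -d); cd "$WORK"
mkdir ca; touch ca/index.txt; echo 1000 > ca/serial; echo 01 > ca/crlnumber
# Minimal config for "openssl ca". The CRL distribution point URL is a
# constructed placeholder; the CRL is generated here, not downloaded (step 4).
cat > ca.cnf <<'EOF'
[ ca ]
default_ca = demo
[ demo ]
dir = ./ca
database = $dir/index.txt
new_certs_dir = $dir
serial = $dir/serial
crlnumber = $dir/crlnumber
certificate = ./ca.pem
private_key = ./ca.key
default_md = sha256
default_days = 365
default_crl_days = 30
policy = any
[ any ]
commonName = supplied
[ leaf ]
crlDistributionPoints = URI:http://ldap.example.test:8028/crl/one.crl
[ req ]
distinguished_name = dn
[ dn ]
EOF
openssl req -x509 -config ca.cnf -newkey rsa:2048 -nodes -keyout ca.key \
  -out ca.pem -subj /CN=DemoRootCA -days 365 2>/dev/null
for name in good revoked; do
  openssl req -new -config ca.cnf -newkey rsa:2048 -nodes -keyout $name.key \
    -out $name.csr -subj /CN=$name 2>/dev/null
  openssl ca -batch -notext -config ca.cnf -extensions leaf \
    -in $name.csr -out $name.pem 2>/dev/null
done
openssl ca -config ca.cnf -revoke revoked.pem 2>/dev/null   # mark one as revoked
openssl ca -config ca.cnf -gencrl -out crl.pem 2>/dev/null  # step 5 output, in PEM
cat ca.pem crl.pem > crl_chain.pem                           # step 6: chain + CRL
# Step 2: does the certificate carry a CRL distribution point?
has_crl_dp() { openssl x509 -noout -text -in "$1" | grep -q 'CRL Distribution Points'; }
# Step 7: exit status 0 when OpenSSL reports OK, non-zero when revoked or invalid.
crl_verify() { openssl verify -crl_check -CAfile crl_chain.pem "$1" >/dev/null 2>&1; }
has_crl_dp good.pem && echo "good.pem has a CRL distribution point"
crl_verify good.pem && echo "good.pem: OK"
crl_verify revoked.pem || echo "revoked.pem: rejected (certificate revoked)"
```

Run it on any host with the openssl binary; everything is written under the temporary directory, so nothing touches the eDirectory server or its certificates.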