To check client SSL certificates against the issuing CA's CRL, Apache needs an additional configuration directive in /etc/httpd/conf.d/ssl.conf that names the directory in which CRLs are kept.
We then need to create this directory and restart httpd.
Although many SSL certificates contain a URL for the CRL distribution point, Apache will not fetch that URL automatically. Instead, we must download the CRL ourselves and place it in the configured directory. CAs usually publish the CRL in DER format, and it must be converted to PEM before Apache can read it.
The following cron entry can be used to automate this process – place it in /etc/cron.hourly/update_httpd_crl.cron, and don’t forget to include ALL of the CRLs relevant to the CA chain of your client certificates.
#!/bin/bash
# Stop on the first failure, including a failed download inside a pipeline,
# so the links are not rebuilt and httpd is not restarted around a bad CRL
set -eo pipefail
cd /etc/httpd/conf/ssl.crl

# Download and convert each CRL from DER to PEM (-f makes HTTP errors fail)
curl -fsS http://website.org/ca/root-ca.crl | openssl crl -inform DER -out root-ca.crl
curl -fsS http://website.org/ca/tls-ca.crl | openssl crl -inform DER -out tls-ca.crl

# Create the <hash>.r0 links mod_ssl uses to find a CRL by issuer name (-f replaces stale links)
ln -sf root-ca.crl "$(openssl crl -noout -hash -in root-ca.crl).r0"
ln -sf tls-ca.crl "$(openssl crl -noout -hash -in tls-ca.crl).r0"

# Perform a graceful restart to re-read the CRL
service httpd graceful
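The hourly job above trusts whatever curl returns: a failed or hijacked download, a truncated file, or a CRL that is already past its nextUpdate all end up in the CRL directory and get loaded on the next graceful restart. The script below is an added example (not the original post's script) that verifies each CRL before installing it: it converts DER to PEM, checks the CRL signature against the issuing CA certificate, refuses an expired CRL, installs the file atomically, and reloads httpd only when a CRL actually changed. It assumes the CA certificates are available as PEM files (the /etc/pki/tls/certs paths are placeholders), that ssl.conf points SSLCARevocationPath at /etc/httpd/conf/ssl.crl (on Apache 2.4 SSLCARevocationCheck chain is also needed, since the default is none), and that GNU date is available for parsing the nextUpdate timestamp.

```shell
#!/bin/bash
# Added example: validate each CRL before Apache sees it. Assumptions (not from
# the original post): the issuing CA certificate is available as a PEM file,
# CRLs live in /etc/httpd/conf/ssl.crl, and GNU date is used for -d parsing.
set -euo pipefail

CRL_DIR="${CRL_DIR:-/etc/httpd/conf/ssl.crl}"

# verify_crl <der_file> <ca_pem> <pem_out>
# Converts DER to PEM and returns 0 only if the CRL parses, is signed by the
# CA in <ca_pem>, and its nextUpdate is still in the future.
verify_crl() {
    local der="$1" ca="$2" pem="$3" out next
    # An empty download or an HTML error page fails to parse as a DER CRL
    openssl crl -inform DER -in "$der" -outform PEM -out "$pem" 2>/dev/null || return 1
    # Signature check: openssl prints "verify OK" (to stdout or stderr, by version)
    out=$(openssl crl -in "$pem" -CAfile "$ca" -noout 2>&1) || return 1
    case "$out" in *"verify OK"*) ;; *) return 1 ;; esac
    # Freshness: a CRL past its nextUpdate must not replace the current one
    next=$(openssl crl -in "$pem" -noout -nextupdate | sed 's/^nextUpdate=//')
    [ "$(date -d "$next" +%s)" -gt "$(date +%s)" ] || return 1
}

# install_crl <name> <der_file> <ca_pem>
# Atomically installs a verified CRL as $CRL_DIR/<name>.crl together with the
# <hash>.r0 link mod_ssl looks up by issuer name. Prints "updated" or
# "unchanged"; returns 1 and leaves the old CRL in place if verification fails.
install_crl() {
    local name="$1" der="$2" ca="$3" target tmp
    target="$CRL_DIR/$name.crl"
    tmp=$(mktemp "$CRL_DIR/.$name.XXXXXX")
    if ! verify_crl "$der" "$ca" "$tmp"; then
        rm -f "$tmp"
        return 1
    fi
    if [ -f "$target" ] && cmp -s "$tmp" "$target"; then
        rm -f "$tmp"
        echo unchanged
        return 0
    fi
    chmod 644 "$tmp"        # mktemp creates 0600; httpd must be able to read the CRL
    mv -f "$tmp" "$target"  # rename is atomic, so httpd never sees a partial file
    ln -sf "$name.crl" "$CRL_DIR/$(openssl crl -noout -hash -in "$target").r0"
    echo updated
}

# fetch_crl <url> <name> <ca_pem>: download with curl, then install_crl
fetch_crl() {
    local url="$1" name="$2" ca="$3" tmp rc=0
    tmp=$(mktemp)
    if curl -fsS -o "$tmp" "$url"; then   # -f: HTTP errors are failures, not files
        install_crl "$name" "$tmp" "$ca" || rc=$?
    else
        rc=1
    fi
    rm -f "$tmp"
    return "$rc"
}

# Hourly job: ./update_httpd_crl.sh --update  (the CA cert paths are placeholders)
if [ "${1:-}" = "--update" ]; then
    changed=0
    for spec in "http://website.org/ca/root-ca.crl root-ca /etc/pki/tls/certs/root-ca.pem" \
                "http://website.org/ca/tls-ca.crl tls-ca /etc/pki/tls/certs/tls-ca.pem"; do
        set -- $spec
        if result=$(fetch_crl "$1" "$2" "$3"); then
            [ "$result" = updated ] && changed=1
        else
            echo "CRL $2 rejected; keeping the previous copy" >&2
        fi
    done
    # Only reload httpd when a CRL actually changed
    if [ "$changed" -eq 1 ]; then
        service httpd graceful
    fi
fi
```

A rejected CRL is logged and skipped rather than installed, so httpd keeps serving with the last good copy; if a CRL stays rejected for longer than its validity period the old copy will eventually expire, and mod_ssl then refuses all client certificates from that issuer, which is the failure mode to alert on from the cron job's stderr.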