Enabling SSL CRL checking in Apache

To test client SSL certificates against the issuing CA's CRL, Apache needs an additional configuration directive in /etc/httpd/conf.d/ssl.conf:

SSLCARevocationPath /etc/httpd/conf/ssl.crl/

We then need to create this directory and restart httpd. (On Apache 2.4 the directive alone is not enough: revocation checking is off by default and must also be switched on with SSLCARevocationCheck chain.)

Although some SSL certificates contain a URL for the CRL distribution point, Apache will not fetch that URL itself. Instead, we must download the CRL and place it in the defined path. The CA publishes the CRL in DER format, and it needs to be converted to PEM before Apache can read it.

The following script can be used to automate this process – place it in /etc/cron.hourly/update_httpd_crl.cron, make it executable, and don’t forget to include ALL of the CRLs relevant to the CA chain of your client certificates. Note that once a CRL passes its nextUpdate time, mod_ssl treats it as expired and rejects every client certificate, so the refresh must run more often than the CA reissues its CRL.

#!/bin/bash
cd /etc/httpd/conf/ssl.crl || exit 1

fetch_crl() {   # $1 = CRL URL, $2 = local PEM file name
    # Download and convert DER to PEM into a temporary file first, so a failed
    # download (curl -f) or an unparsable response never replaces a good CRL
    curl -sf "$1" | openssl crl -inform DER -out "$2.tmp" || { rm -f "$2.tmp"; return 1; }
    mv "$2.tmp" "$2"
    # Create (or refresh) the <hash>.r0 link that SSLCARevocationPath looks for
    ln -sf "$2" "$(openssl crl -noout -hash -in "$2").r0"
}

fetch_crl http://website.org/ca/root-ca.crl root-ca.crl
fetch_crl http://website.org/ca/tls-ca.crl  tls-ca.crl

# Perform a graceful restart to re-read the CRLs
service httpd graceful
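To see the whole mechanism end to end without touching a real CA or web server, the script below is an added example, not part of the original post: it builds a throwaway demo CA in a temporary directory, issues two client certificates, revokes one, publishes a DER CRL standing in for the file curl would fetch, installs it with the same DER-to-PEM conversion and <hash>.r0 link the cron script uses, and then asks OpenSSL's own verifier (which reads the same hash-directory layout mod_ssl does) to confirm that the live certificate passes and the revoked one is rejected. All names (Demo-CA, alice, bob, the ca.cnf contents) are constructed for the demo; the only requirement is an installed openssl command.

```sh
#!/bin/sh
# Added example, not from the original post: demo CA + CRL install + verify.
# Requires the openssl command; everything is created under a temp directory.
command -v openssl >/dev/null 2>&1 || { echo "openssl not installed; skipping" >&2; exit 0; }
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CADIR="$WORK/ca"
CRLDIR="$WORK/ssl.crl"          # plays the role of /etc/httpd/conf/ssl.crl
mkdir -p "$CADIR/newcerts" "$CRLDIR"
: > "$CADIR/index.txt"
echo 1000 > "$CADIR/serial"
echo 01   > "$CADIR/crlnumber"

# Minimal openssl ca / req configuration for the constructed demo CA
cat > "$CADIR/ca.cnf" <<EOF
[ ca ]
default_ca       = demo_ca
[ demo_ca ]
dir              = $CADIR
database         = \$dir/index.txt
new_certs_dir    = \$dir/newcerts
serial           = \$dir/serial
crlnumber        = \$dir/crlnumber
certificate      = \$dir/ca.crt
private_key      = \$dir/ca.key
default_md       = sha256
default_days     = 30
default_crl_days = 1
policy           = any_dn
[ any_dn ]
commonName       = supplied
[ req ]
distinguished_name = empty_dn
[ empty_dn ]
EOF

# Self-signed CA plus two client certificates, alice and bob
openssl req -x509 -newkey rsa:2048 -nodes -config "$CADIR/ca.cnf" \
    -subj /CN=Demo-CA -keyout "$CADIR/ca.key" -out "$CADIR/ca.crt" 2>/dev/null
for user in alice bob; do
    openssl req -new -newkey rsa:2048 -nodes -config "$CADIR/ca.cnf" \
        -subj "/CN=$user" -keyout "$WORK/$user.key" -out "$WORK/$user.csr" 2>/dev/null
    openssl ca -batch -notext -config "$CADIR/ca.cnf" \
        -in "$WORK/$user.csr" -out "$WORK/$user.crt" 2>/dev/null
done

# Revoke bob, then publish the CRL in DER, the encoding CAs normally serve over HTTP
openssl ca -batch -config "$CADIR/ca.cnf" -revoke "$WORK/bob.crt" 2>/dev/null
openssl ca -batch -config "$CADIR/ca.cnf" -gencrl -out "$WORK/crl.pem" 2>/dev/null
openssl crl -in "$WORK/crl.pem" -outform DER -out "$WORK/downloaded.crl"

# The file name Apache looks for: <issuer name hash>.r0 (r = revocation list)
crl_link_name() {   # $1 = PEM CRL
    printf '%s.r0\n' "$(openssl crl -noout -hash -in "$1")"
}

# Same two steps as the cron script: DER -> PEM, then the hash link
install_crl() {   # $1 = DER file as downloaded, $2 = destination directory
    openssl crl -inform DER -in "$1" -out "$2/demo-ca.crl"
    ln -sf demo-ca.crl "$2/$(crl_link_name "$2/demo-ca.crl")"
}

# Returns 0 when the certificate chains to the CA and is not listed on the CRL;
# -crl_check makes OpenSSL load <hash>.r0 from -CApath exactly as mod_ssl does
cert_accepted() {   # $1 = client certificate (PEM)
    openssl verify -crl_check -CAfile "$CADIR/ca.crt" -CApath "$CRLDIR" "$1" >/dev/null 2>&1
}

install_crl "$WORK/downloaded.crl" "$CRLDIR"
for user in alice bob; do
    if cert_accepted "$WORK/$user.crt"; then echo "$user: accepted"; else echo "$user: rejected"; fi
done
```

Running it prints "alice: accepted" and "bob: rejected". Deleting the .r0 link (or pointing it at an expired CRL) and re-running cert_accepted is a quick way to reproduce the two failure modes worth knowing about: with no CRL found, -crl_check rejects everything because revocation status cannot be determined, and with an expired CRL it rejects everything with a "CRL has expired" error, which is what an hourly job that has silently stopped working looks like from Apache's side.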