Support for crlDistributionPoints? #71

Closed
ProbablyRusty opened this issue Aug 2, 2015 · 7 comments

@ProbablyRusty

Is there a way to specify crlDistributionPoints in easyrsa?

@ecrist ecrist added this to the 3.1 branch milestone Sep 2, 2015
@ecrist
Member

ecrist commented Sep 2, 2015

This is not, currently.

@marcoslois

I think it's already included. If you take a look at the x509-types dir, you can attach this info to all types or to specific ones by adding the required extensions:

authorityInfoAccess     = caIssuers;URI:http://example.com/ca.crt,OCSP;URI:http://ocsp.example.com
crlDistributionPoints   = URI:http://example.com/ca.crl

You can add other extensions also.

@viharm

viharm commented Oct 4, 2020

Yes, I was concerned about this too. However, based on the comment by @marcoslois, I tried with a simple start.

I added the following line to .../EasyRSA/IntCA/x509-types/server

crlDistributionPoints = URI:http://ca.domain.tld/crl.pem

All certificates issued since have this CRL distribution point (obfuscated) in them.

I have however revoked a test certificate and placed the new CRL at the above CDP, but somehow both Firefox and curl still accept it. Not sure how to test a revoked certificate.
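
An added example (not from the thread or the Easy-RSA project) for the question above of how to test a revoked certificate: it builds a throwaway CA with plain `openssl`, issues a certificate carrying `crlDistributionPoints`, and shows that `openssl verify` rejects the revoked certificate only when `-crl_check` is set and the regenerated CRL is supplied. The CA name, host name and CDP URL are constructed placeholders, and OpenSSL 1.1.1 or later is assumed.

```shell
#!/bin/sh
# Added example: throwaway CA in a scratch dir; names and URL are constructed placeholders.
CDP_URL="http://ca.example.test/crl.pem"

build_demo_pki() {   # $1 = empty scratch directory
    d=$1; mkdir -p "$d/certs"; : > "$d/index.txt"; echo 01 > "$d/serial"
    cat > "$d/ca.cnf" <<EOF
[ req ]
distinguished_name = dn
[ dn ]
[ ca ]
default_ca = demo
[ demo ]
database = $d/index.txt
new_certs_dir = $d/certs
serial = $d/serial
certificate = $d/ca.crt
private_key = $d/ca.key
default_md = sha256
default_days = 30
default_crl_days = 7
policy = pol
[ pol ]
commonName = supplied
[ server ]
# Same kind of line the thread adds to x509-types/server
crlDistributionPoints = URI:$CDP_URL
EOF
    openssl req -x509 -config "$d/ca.cnf" -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=Demo CA" -addext "basicConstraints=critical,CA:TRUE" \
        -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null
    openssl req -new -config "$d/ca.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=srv.example.test" -keyout "$d/srv.key" -out "$d/srv.csr" 2>/dev/null
    openssl ca -batch -config "$d/ca.cnf" -extensions server \
        -in "$d/srv.csr" -out "$d/srv.crt" 2>/dev/null
}
cdp_of()      { openssl x509 -in "$1" -noout -text | grep -o 'URI:[^ ]*'; }
publish_crl() { openssl ca -config "$1/ca.cnf" -gencrl -out "$1/crl.pem" 2>/dev/null; }
revoke()      { openssl ca -config "$1/ca.cnf" -revoke "$1/srv.crt" 2>/dev/null; }
# Default verification consults no CRL, so a revocation goes unnoticed.
verify_plain() { openssl verify -CAfile "$1/ca.crt" "$1/srv.crt" >/dev/null 2>&1; }
# Revocation-aware verification: supply the CRL and set -crl_check.
verify_crl() { openssl verify -crl_check -CAfile "$1/ca.crt" -CRLfile "$1/crl.pem" "$1/srv.crt" >/dev/null 2>&1; }
demo() {   # prints the exit status of each verification step
    d=$(mktemp -d); build_demo_pki "$d"; publish_crl "$d"
    verify_crl "$d";   echo "crl_check before revoke: $?"
    revoke "$d"; publish_crl "$d"
    verify_crl "$d";   echo "crl_check after revoke:  $?"
    verify_plain "$d"; echo "without crl_check:       $?"
}
```

Source the file and call `demo` to see the three exit statuses. The CDP extension is only a pointer inside the certificate: the verifier still has to be given (or fetch) the current CRL and be told to check it.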

@viharm

viharm commented Oct 4, 2020

Just noticed a very good explanation in #15 here #15 (comment).

There is already built-in support for CDP. Simply uncomment this line

#crlDistributionPoints = URI:http://example.net/pki/my_ca.crl

and change the URL to point to your CDP.

No need to specifically add the line to the server configuration as this applies to all certificates issued - awesome!

Shouldn't this issue be closed?

@jasonhe54

> There is already built-in support for CDP. Simply uncomment this line

How do I go about doing this? Seems like the x509-types folder is owned by root, so it seems like I can't modify it.

@TinCanTech TinCanTech modified the milestones: 3.1 branch, v3.1.0 Mar 28, 2022
@TinCanTech TinCanTech self-assigned this Mar 29, 2022
@TinCanTech
Collaborator

TinCanTech commented Mar 29, 2022

@jasonhe54 current git/master/easyrsa will copy those files to your PKI for use.

Try:

easyrsa show-ca

Should copy the files.

@TinCanTech
Collaborator

Personally, editing COMMON seems like the most obvious solution.

A command line option is less reliable ..
