
CRLs for client certificates must contain a CRL for each root and intermediate CA

Code: 
AP-14230
Description: 

If a CRL is configured for some but not all CAs in the client certificate chain, client certificates are rejected even though they are not listed in any CRL. The default revocation check in Apache 2.4 (SSLCARevocationCheck chain) requires a CRL for every CA in the chain, including the root and each intermediate CA, and treats a missing CRL for any of them as a verification failure.

Workaround: 

CRLs have to be configured for every root and intermediate CA involved. This is due to a policy change in the HTTP listener (Apache httpd): since version 2.3.15, CRL checking in mod_ssl fails when no CRL is found for one of the checked certificates. Please see SSLCARevocationCheck in the Apache 2.4 documentation for further details.

The following Apache expert setting on the virtual host restores the previous behavior, i.e. a certificate whose issuing CA has no CRL is accepted instead of being rejected:

SSLCARevocationCheck chain no_crl_for_cert_ok

Please be aware that this expert setting should only be set on virtual hosts that have a CRL configured. On a virtual host without any CRL it has no effect, and enabling it does not weaken checking against the CRLs that are present: a certificate that is listed in a configured CRL is still rejected.
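The following virtual host fragment is an added example, not configuration from this knowledge base article or from the product. It shows the two variants side by side as plain Apache httpd 2.4 directives: the strict default, where the CRL file must contain a CRL for every CA in the chain, and the expert setting described above. File names, the server name and the comments are assumptions for illustration.

```apache
# Example only (assumed file names): client certificate authentication with CRL checking.

<VirtualHost *:443>
    ServerName example.internal

    SSLEngine on
    SSLCertificateFile    /etc/ssl/server.crt
    SSLCertificateKeyFile /etc/ssl/server.key

    # CA bundle used to verify client certificates: root CA plus intermediate CA(s).
    SSLVerifyClient      require
    SSLVerifyDepth       2
    SSLCACertificateFile /etc/ssl/client-ca-chain.pem

    # PEM file holding the CRLs to check against. With the default check mode
    # (below) this file must contain a CRL for EVERY CA in the chain, i.e.
    # the root CA's CRL and each intermediate CA's CRL concatenated.
    SSLCARevocationFile  /etc/ssl/client-ca-crls.pem

    # Variant A (default since Apache 2.3.15): a client certificate is rejected
    # if any CA in its chain has no CRL in SSLCARevocationFile, even though the
    # certificate itself is not revoked.
    # SSLCARevocationCheck chain

    # Variant B (workaround from the article): keep checking the whole chain
    # against the CRLs that are present, but do not fail merely because a CA
    # has no CRL. Only use this on virtual hosts that actually have a CRL
    # configured; revoked certificates listed in an available CRL are still
    # rejected.
    SSLCARevocationCheck chain no_crl_for_cert_ok
</VirtualHost>
```

After changing the CRL file or the check mode, reload the listener and verify with a test client certificate issued by the intermediate CA that it is accepted, and with a certificate that is listed in one of the CRLs that it is still rejected.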
