I am installing a .crl in my apache config. It looks like this:
```apache
<VirtualHost _default_:443>
    DocumentRoot "web"
    ServerName example.com
    SSLEngine on
    SSLCertificateFile "cert.crt"
    SSLCertificateKeyFile "key.key"
    SSLCertificateChainFile "cert.ca-bundle"
    # SSLv3-only, as posted; current mod_ssl/OpenSSL builds no longer offer SSLv3
    SSLProtocol -all +SSLv3
    SSLCipherSuite SSLv3:+HIGH:+MEDIUM
    # the Directory path did not survive in the post; DocumentRoot assumed here
    <Directory "web">
        Order deny,allow
        Allow from all
        SSLCACertificateFile "ClientRootCert.crt"
        SSLVerifyClient require
        SSLVerifyDepth 3
        SSLCARevocationFile "CRLList.crl"
    </Directory>
</VirtualHost>
```
When Apache is started, I get the error:
SSLCARevocationFile not allowed here
When I place SSLCARevocationFile above the Directory tag, Apache starts, but all client certs are rejected with the message:
ssl_error_expired_cert_alert (both revoked and active certs)
How do I solve this?
Best Answer
I think you have already found the answer, but this may help someone else. I had the same error because I generated my CRL with this parameter: "crl_hours 1". One hour after the CRL was created, the error appeared.
If you didn't use this parameter, check the "default_crl_days" in your "openssl.conf" and compare it with the CRL's last update date.
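The failure the answer describes is the CRL's own validity window: OpenSSL will not use a CRL whose nextUpdate is in the past, and mod_ssl then fails verification of every client certificate, revoked or not. The following is an added example, not code from the question or the answer: it pulls thisUpdate and nextUpdate out of a CRL with a small standard-library DER walker and reports whether the CRL is still usable. The sample CRLs it builds are constructed in-script (dummy issuer name, dummy signature, no real CA); the "stale" one mimics a CRL issued with a one-hour window two hours ago.

```python
"""Check a CRL's validity window the way mod_ssl/OpenSSL does (added example)."""
import base64
import datetime as dt


def _tlv(buf, pos):
    """Decode one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low bits = number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _children(value):
    """Yield (tag, value) for each element of a constructed DER value."""
    pos = 0
    while pos < len(value):
        tag, val, pos = _tlv(value, pos)
        yield tag, val


def _parse_time(tag, val):
    """Decode UTCTime (0x17) or GeneralizedTime (0x18) into an aware UTC datetime."""
    text = val.decode("ascii")
    if tag == 0x17:                        # UTCTime YYMMDDHHMMSSZ; RFC 5280: YY >= 50 -> 19YY
        text = ("19" if int(text[:2]) >= 50 else "20") + text
    return dt.datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=dt.timezone.utc)


def load_crl(data):
    """Accept PEM or DER CRL bytes and return the DER encoding."""
    if data.lstrip().startswith(b"-----BEGIN"):
        body = b"".join(l for l in data.splitlines() if not l.startswith(b"-----"))
        return base64.b64decode(body)
    return data


def crl_validity(data):
    """Return (thisUpdate, nextUpdate) from a CRL; nextUpdate is None if absent."""
    _, cert_list, _ = _tlv(load_crl(data), 0)        # CertificateList SEQUENCE
    _, tbs, _ = _tlv(cert_list, 0)                   # TBSCertList SEQUENCE
    # thisUpdate/nextUpdate are the only Time values directly under TBSCertList;
    # per-entry revocationDate values sit nested inside revokedCertificates.
    times = [_parse_time(t, v) for t, v in _children(tbs) if t in (0x17, 0x18)]
    return times[0], (times[1] if len(times) > 1 else None)


def crl_is_usable(data, now=None):
    """True if OpenSSL would accept the CRL as current (nextUpdate still ahead)."""
    now = now or dt.datetime.now(dt.timezone.utc)
    _, next_update = crl_validity(data)
    return next_update is None or now < next_update


# --- constructed sample CRLs (no real CA, dummy signature) -------------------

def _der(tag, content):
    """Minimal DER encoder: tag, length (short or long form), content."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def build_sample_crl(this_update, next_update):
    """A v2 CRL with an empty revocation list and a dummy all-zero signature."""
    utc = lambda d: _der(0x17, d.strftime("%y%m%d%H%M%SZ").encode())
    sha256_rsa = _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d01010b")) + _der(0x05, b""))
    cn = _der(0x30, _der(0x06, bytes.fromhex("550403")) + _der(0x0C, b"Example Client CA"))
    issuer = _der(0x30, _der(0x31, cn))
    tbs = _der(0x30, _der(0x02, b"\x01") + sha256_rsa + issuer + utc(this_update) + utc(next_update))
    return _der(0x30, tbs + sha256_rsa + _der(0x03, b"\x00" * 33))


def to_pem(der):
    """PEM-wrap a DER CRL (the form 'openssl ca -gencrl' writes by default)."""
    b64 = base64.b64encode(der)
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return b"-----BEGIN X509 CRL-----\n" + b"\n".join(lines) + b"\n-----END X509 CRL-----\n"


def sample_crls(now=None):
    """Return (stale, fresh): a 1-hour-window CRL issued two hours ago, and one good for 30 days."""
    now = now or dt.datetime.now(dt.timezone.utc)
    stale = build_sample_crl(now - dt.timedelta(hours=2), now - dt.timedelta(hours=1))
    fresh = build_sample_crl(now, now + dt.timedelta(days=30))
    return stale, fresh


if __name__ == "__main__":
    for name, der in zip(("stale", "fresh"), sample_crls()):
        this_u, next_u = crl_validity(der)
        print(f"{name}: thisUpdate={this_u:%Y-%m-%d %H:%M}Z nextUpdate={next_u:%Y-%m-%d %H:%M}Z "
              f"usable={crl_is_usable(der)}")
```

To check a real file, pass its bytes to `crl_is_usable(open("CRLList.crl", "rb").read())`, or ask OpenSSL directly with `openssl crl -in CRLList.crl -noout -lastupdate -nextupdate`. If nextUpdate has passed, regenerate with a sensible window (for example `openssl ca -gencrl -crldays 30 -out CRLList.crl`) and restart or reload Apache, since mod_ssl reads the file given to SSLCARevocationFile when it starts.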