[strongSwan] CRL revoke

Noel Kuntze noel.kuntze+strongswan-users-ml at thermi.consulting
Mon Nov 18 05:33:03 CET 2019


Hello Anthony,

No, charon will not revoke any certificates on its own. It will not create CRLs.
It will however enforce any CRLs or OCSP responses it gets.

Kind regards

Noel

On 16.11.19 at 00:08, Modster, Anthony wrote:
> Hello
> 
> Can charon revoke the user cert from a CRL?
> 
> We are using charon as a client that has loaded a user cert and a CRL.
> 
> strongswan 5.5.1
> 
> Sample CRL used to revoke user cert.
> 
> root@wglng-17:/etc/swanctl/ourCrl# openssl crl -in Org1.scacrl1 -text -noout
> Certificate Revocation List (CRL):
>         Version 2 (0x1)
>     Signature Algorithm: sha256WithRSAEncryption
>         Issuer: /C=US/O=Teledyne Controls Engineering/OU=Systems Engineering/CN=TDY Test SCA 1
>         Last Update: Nov 15 21:50:00 2019 GMT
>         Next Update: Feb 15 21:50:00 2020 GMT
>         CRL extensions:
>             X509v3 Authority Key Identifier:
>                 keyid:92:E1:0F:68:37:91:79:4D:CD:B2:FA:1F:C9:56:39:34:A8:AB:45:EA
> 
>             X509v3 CRL Number:
>                 7
> Revoked Certificates:
>     Serial Number: 0E
>         Revocation Date: Nov 15 21:49:53 2019 GMT
>         CRL entry extensions:
>             Invalidity Date:
>                 Nov 15 21:49:00 2019 GMT
>             X509v3 CRL Reason Code:
>                 Certificate Hold
>     Signature Algorithm: sha256WithRSAEncryption
> 
> Thanks
> 
>  
> 
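
Since charon only enforces the CRL it is given, it helps to check what a dump like the one quoted above actually says about a given serial. The following is an added example, not part of the thread and not strongSwan code: it reads the text output only and does not verify the CRL signature, and the names `parse_crl_text` and `status` and the returned status strings are made up for the example.

```python
import re
from datetime import datetime, timezone

# Constructed sample: trimmed copy of the `openssl crl -text -noout` dump quoted above.
SAMPLE = """\
Certificate Revocation List (CRL):
        Last Update: Nov 15 21:50:00 2019 GMT
        Next Update: Feb 15 21:50:00 2020 GMT
Revoked Certificates:
    Serial Number: 0E
        Revocation Date: Nov 15 21:49:53 2019 GMT
            X509v3 CRL Reason Code:
                Certificate Hold
"""

def _ts(text):
    # openssl prints "Nov 15 21:50:00 2019 GMT", or NONE when Next Update is absent
    if text == "NONE":
        return None
    stamp = datetime.strptime(" ".join(text.split()), "%b %d %H:%M:%S %Y GMT")
    return stamp.replace(tzinfo=timezone.utc)

def parse_crl_text(dump):
    """Hypothetical helper: pull update times and revoked serials out of the text dump."""
    crl = {"last": None, "next": None, "revoked": {}}
    serial, want_reason = None, False
    for line in (raw.strip() for raw in dump.splitlines()):
        if not line:
            continue  # mail clients often double-space pasted output
        if m := re.match(r"(Last|Next) Update: (.+)", line):
            crl[m.group(1).lower()] = _ts(m.group(2))
        elif m := re.match(r"Serial Number: ([0-9A-Fa-f]+)$", line):
            serial = int(m.group(1), 16)
            crl["revoked"][serial] = "unspecified"  # no reason code extension seen yet
        elif line == "X509v3 CRL Reason Code:":
            want_reason = True
        elif want_reason and serial is not None:
            crl["revoked"][serial], want_reason = line, False
    return crl

def status(crl, serial_hex, now):
    """Hypothetical helper: what this CRL says about one certificate serial at `now`."""
    if crl["next"] is not None and now > crl["next"]:
        return "crl-stale"  # past Next Update, a fresh CRL is needed
    reason = crl["revoked"].get(int(serial_hex, 16))
    if reason is None:
        return "not-listed"
    # certificateHold marks a suspension that the CA may later lift (RFC 5280)
    return "on-hold" if reason == "Certificate Hold" else "revoked"
```

Serials are compared as integers, so `0E`, `0e` and `E` all refer to the same certificate.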
