CRL Issuing Distribution Point (IDP) should be configurable in CertificateRevocationListView about django-ca HOT 7 CLOSED

Hi @kevin-olbrich,

Thanks of course for your report! I will add flag like this to the view and to the dump_crl command, allowing you to create CRLs without an IDP.

Can I ask you for more information so that I can reproduce this? In #64 and other issues I did add test cases to make sure that the use case is covered. To do the same here, I of course need to be able to reproduce this. (and who knows, maybe I can even help you improve your OpenVPN configuration ;-))

kr, Mat

from django-ca.

@kevin-olbrich, while starting to look into this, I discovered that it is currently indeed possible to create a view that does not include the extension: All you have to do is set the scope of the view to None, e.g.

views.CertificateRevocationListView.as_view(scope=None)

When using the dump_crl command, you should get a similar outcome if you simply don't pass the --scope parameter.

I will however still add a flag for this, as this extension certainly caused trouble in the past.

from django-ca.

(The current commit just adds a flag to the dump_crl command, the view is still missing)

from django-ca.

This time fixed for real! Feature is implemented and will be included in the next release!

However, I'm still hoping for more input so that I can reproduce your setup in automated tests.

from django-ca.

However, I'm still hoping for more input so that I can reproduce your setup in automated tests.

Actually it is not very complicated. I created a root CA on CLI (without intermediaries). I then copied the CA cert available via URL to the OpenVPN server. When I added crl-verify for OpenVPN (crl is downloaded using cron), it always failed when connecting with a valid certificate. Actually it is related to the problem in #64.

OpenVPN validates the IDP using OpenSSL if it is present in the CRL. At least for me, it was not present or did not match in the root certificate and thus failed verification.

As the download happens in the background and blocking all connections because of an error in validation is not an option, it was better to remove the IDP extension from the CRL. In case OpenVPN would get a CRL that matches the CA but not the IDP, OpenVPN could not do anything to solve this (which IMHO is a minor issue with large consequences).

Sorry, my knowledge of certificate extensions is limited. This is the first time I work with more complex setups in x509. I was only using easyrsa before, which simply brings it down to only basic features of x509.

Thank you very much for your time and help! I could not contribute much to this change, the more I want to thank you for implementing everything!

from django-ca.

Hi Kevin,

Sorry, my knowledge of certificate extensions is limited. This is the first time I work with more complex setups in x509. I was only using easyrsa before, which simply brings it down to only basic features of x509.

No worries, that's what the author of such a software is here for. I'm glad I can help.

Actually it is not very complicated. ...

Can you please post the relevant configuration snippets from OpenVPN, client- and server side? Of course, please properly sanitize it and don't post private keys ;-). also are you downloading the client- or server CRL? I assume the former, but just to be sure (you can answer that question by posting the URL path, if you use a default provided view, or together with the view configuration).

Thanks very much for reporting the issue and for using django-ca!

kr, Mat

from django-ca.

closing due to lack of feedback. If you have any further issues @kevin-olbrich , please don't hesitate to file a new issue!

from django-ca.