Is it necessary to add an associated CRL to 'lua_ssl_crl' when I add a new CA certificate to 'lua_ssl_trusted_certificate' #2373

Open
alarics opened this issue Oct 31, 2024 · 1 comment

Comments

alarics commented Oct 31, 2024

OpenResty version: 1.21.4.1

I currently combine several CA certificates and set them as 'lua_ssl_trusted_certificate'; it works when I make HTTPS requests with different CA certificates. Now I am trying to add the 'lua_ssl_crl' parameter to enable CRL certification. It seems that CRL files can also be combined into one file, but when I make an HTTPS request with the CA certificate in 'lua_ssl_trusted_certificate' and the CRL file not in 'lua_ssl_crl', nginx reports '3: unable to get certificate CRL', whereas an HTTPS request with the CA certificate in 'lua_ssl_trusted_certificate' and the CRL file in 'lua_ssl_crl' reports '23: certificate revoked' (which is what I expect). My question is: is it necessary to add an associated CRL to 'lua_ssl_crl' when I add a new CA certificate to 'lua_ssl_trusted_certificate'?

alarics commented Nov 5, 2024

In other words, if I set TWO different CA certificates (CA1 and CA2) in lua_ssl_trusted_certificate, and only ONE CRL issued by CA1 in lua_ssl_crl, is the CRL issued by CA2 mandatory when OpenResty verifies certificates?
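
A pre-deployment check for the setup described in this issue, added here as an example (not code from OpenResty or from the poster): it lists every CA in a combined trust bundle that has no CRL with a matching issuer in a combined CRL bundle, which is the situation in which the poster saw '3: unable to get certificate CRL'. It assumes the openssl CLI is installed; the function names and the file names in the usage comment are hypothetical.

```bash
#!/bin/sh
# Added example: list CAs in a combined trust bundle that have no CRL with a
# matching issuer in a combined CRL bundle. Requires the openssl CLI.
# Usage (hypothetical file names): missing_crls trusted-cas.pem crls.pem

# Write each PEM block of bundle $1 to its own file $2/NNN.$3.
split_pem() {
    awk -v dir="$2" -v ext="$3" '
        /-----BEGIN / { n++; out = sprintf("%s/%03d.%s", dir, n, ext) }
        out != ""     { print > out }
        /-----END /   { close(out); out = "" }' "$1"
}

# Print the subject of every CA without a CRL; return 1 if any is missing.
# Matching is by name hash only (the scheme c_rehash uses); CRL signatures and
# nextUpdate dates are not checked here.
missing_crls() (
    tmp=$(mktemp -d) || return 2
    split_pem "$1" "$tmp" crt
    split_pem "$2" "$tmp" crl
    have=""
    for f in "$tmp"/*.crl; do
        [ -e "$f" ] || continue
        have="$have $(openssl crl -in "$f" -noout -hash)"
    done
    rc=0
    for f in "$tmp"/*.crt; do
        [ -e "$f" ] || continue
        h=$(openssl x509 -in "$f" -noout -subject_hash)
        case " $have " in
            *" $h "*) ;;
            *) openssl x509 -in "$f" -noout -subject; rc=1 ;;
        esac
    done
    rm -rf "$tmp"
    return "$rc"
)
```

Running it against the two files before reloading nginx shows which CA in 'lua_ssl_trusted_certificate' has no CRL in 'lua_ssl_crl'.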
