From f1c4f5bce4636b1b88c23e207f5d8e69e2f8c80c Mon Sep 17 00:00:00 2001 From: Diane Trout Date: Thu, 24 Dec 2015 16:24:33 -0800 Subject: [PATCH] Update CRL for 5 years (Closes: #79548) * Add hints about what the test failure looks like and how to update the CRL when it expires. * Additionally update the example crl update command line. * Instead of having two copies of the CRL, replace one with a symlink. This way when one is updated, both are updated. --- tests/certs/ca-0-crl.cfg | 14 ++++++++++++++ tests/certs/ca-0-crl.pem | 21 +++++++++++---------- tests/certs/crl/ca-0-crl.pem | 14 +------------- 3 files changed, 26 insertions(+), 23 deletions(-) mode change 100644 => 120000 tests/certs/crl/ca-0-crl.pem diff --git a/tests/certs/ca-0-crl.cfg b/tests/certs/ca-0-crl.cfg index bc9ed25..db1cde0 100644 --- a/tests/certs/ca-0-crl.cfg +++ b/tests/certs/ca-0-crl.cfg @@ -1,3 +1,15 @@ +# Update crl with certtool from gnutls-bin: +# certtool --generate-crl \ +# --load-ca-privkey ca-0-key.pem \ +# --load-ca-certificate ca-0-cert.pem \ +# --load-certificate rev-cert.pem \ +# --template ca-0-crl.cfg \ +# --outfile=ca-0-crl.pem +# +# When expired the test ssl tests fail with the error: +# assertion failed (error == (wocky_auth_error, 6)): \ +# SSL Certificate Verification Error for weasel-juice.org (wocky-tls-cert-error, 12) +# # X.509 Certificate options # # DN options @@ -87,3 +99,5 @@ crl_signing_key # Whether this key will be used for time stamping. #time_stamping_key +crl_next_update=1825 + diff --git a/tests/certs/ca-0-crl.pem b/tests/certs/ca-0-crl.pem index 80f47ba..2867f95 100644 --- a/tests/certs/ca-0-crl.pem +++ b/tests/certs/ca-0-crl.pem 
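Review bot: The regeneration hint added at the top of ca-0-crl.cfg stops at the certtool command and gives no way to confirm how long the new CRL is valid, which is what the next maintainer most needs to check. I would add a line such as `# Verify the new expiry with: certtool --crl-info --infile ca-0-crl.pem`, plus a line noting that `crl/ca-0-crl.pem` is a symlink to this file, so only one CRL has to be regenerated. The example also mixes `--outfile=ca-0-crl.pem` with the space-separated form used by the other options; one form throughout would read more cleanly.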
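Review bot: `crl_next_update=1825` at the end of ca-0-crl.cfg does not appear to be reflected in the CRL this patch ships: decoding the time fields in the new tests/certs/ca-0-crl.pem gives thisUpdate `20160112054637Z` and nextUpdate `20170111054637Z`, which is 365 days rather than the five years named in the subject line. If that reading is right, the TLS tests will start failing again in January 2017, so the CRL should be regenerated with the template applied and its dates checked before merging. Both fields are also now encoded as GeneralizedTime where the old CRL used UTCTime; RFC 5280 requires UTCTime for dates through 2049, so a stricter verifier may reject this file. A short comment above the setting, e.g. `# CRL validity in days (5 years)`, would make the value self-explanatory.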
@@ -1,13 +1,14 @@ -----BEGIN X509 CRL----- -MIIB/DCB5QIBATANBgkqhkiG9w0BAQsFADBsMQswCQYDVQQGEwJVSzESMBAGA1UE +MIICDTCB9gIBATANBgkqhkiG9w0BAQsFADBsMQswCQYDVQQGEwJVSzESMBAGA1UE ChMJQ29sbGFib3JhMRkwFwYDVQQLExBXb2NreSBUZXN0IFN1aXRlMREwDwYDVQQI -EwhDb25mdXNlZDEbMBkGA1UEAxMSV29ja3kgWE1QUCBMaWJyYXJ5Fw0xMjA1MTAx -NjQzNTBaFw0xMzA1MTAxNjQzNTBaMBQwEgIBCxcNMTIwNTEwMTY0MzUwWqAvMC0w -HwYDVR0jBBgwFoAUSTAmCIya1mnNi8DMDlwCjkofpowwCgYDVR0UBAMCAQAwDQYJ -KoZIhvcNAQELBQADggEBACFaj/M6g+fP0RQEiB7kvoocdM7XGUemkl9Ns/chc9zH -yLgq1891jIO5GoKoCuMGEFfYat/VZutNOLFHkJ0AeqrvOSPVZ8atcZTJR/lgjR6I -PN/UMFpHMEVa7cUtLPx47UvGDolrOo1d4ciLVUUPoZMRGxTitVz8KtEk+O9s6NjS -W25uTGoNT58OQS51dXq4N97gNMSeggWGN1Y9swv0s992G/Y93t/uQvsRsSEMe7kj -ddChE3Gb4I+7TkjL+e64RlYsAtvMePM3k3+Zk95wFGWqlwRow46Nv3F02C8Af5JV -zp+tsq2foM0lIADnOTjUs2XgNGqx0Gm/hTAfBMsIgkM= +EwhDb25mdXNlZDEbMBkGA1UEAxMSV29ja3kgWE1QUCBMaWJyYXJ5GA8yMDE2MDEx +MjA1NDYzN1oYDzIwMTcwMTExMDU0NjM3WjAWMBQCAQsYDzIwMTYwMTEyMDU0NjM3 +WqA6MDgwHwYDVR0jBBgwFoAUSTAmCIya1mnNi8DMDlwCjkofpowwFQYDVR0UBA4C +DFaUkz0c3DJPdC61CDANBgkqhkiG9w0BAQsFAAOCAQEAJ2KNH3iBLUtgbDHPAc55 +b2O0UG2Mrqpza1PfeFil1yNbBkTL00HbvqZ2mnY0m+tS//nIlz27n3xPgl/6f5TK +HVwTXSluAumQPVbUQyZlTTBT1B4yvwQvd5D9m3I8p2Rk4BA5hDdBKDD+jdnPrELI +FPjPMJiFY9yPRHglkBF3N1Y+7HUPugDGMiwrU8nDpAeZY/W/zz3FWKgzUORWuH3V +XEvK0I5vtT5Ms2gbmPat0Clv8Hl6BQh2oD5L+82EQOe/xuloDg5fZYLCJbJgeSIG +ONkVQ3P2k0uHsSN676MJ844N8bfyij9OpcWzK2EiKV7kb+PYtQprMR6EOy1zOG3/ +Pg== -----END X509 CRL----- diff --git a/tests/certs/crl/ca-0-crl.pem b/tests/certs/crl/ca-0-crl.pem deleted file mode 100644 index 80f47ba..0000000 --- a/tests/certs/crl/ca-0-crl.pem +++ /dev/null 
@@ -1,13 +0,0 @@ ------BEGIN X509 CRL----- -MIIB/DCB5QIBATANBgkqhkiG9w0BAQsFADBsMQswCQYDVQQGEwJVSzESMBAGA1UE -ChMJQ29sbGFib3JhMRkwFwYDVQQLExBXb2NreSBUZXN0IFN1aXRlMREwDwYDVQQI -EwhDb25mdXNlZDEbMBkGA1UEAxMSV29ja3kgWE1QUCBMaWJyYXJ5Fw0xMjA1MTAx -NjQzNTBaFw0xMzA1MTAxNjQzNTBaMBQwEgIBCxcNMTIwNTEwMTY0MzUwWqAvMC0w -HwYDVR0jBBgwFoAUSTAmCIya1mnNi8DMDlwCjkofpowwCgYDVR0UBAMCAQAwDQYJ -KoZIhvcNAQELBQADggEBACFaj/M6g+fP0RQEiB7kvoocdM7XGUemkl9Ns/chc9zH -yLgq1891jIO5GoKoCuMGEFfYat/VZutNOLFHkJ0AeqrvOSPVZ8atcZTJR/lgjR6I -PN/UMFpHMEVa7cUtLPx47UvGDolrOo1d4ciLVUUPoZMRGxTitVz8KtEk+O9s6NjS -W25uTGoNT58OQS51dXq4N97gNMSeggWGN1Y9swv0s992G/Y93t/uQvsRsSEMe7kj -ddChE3Gb4I+7TkjL+e64RlYsAtvMePM3k3+Zk95wFGWqlwRow46Nv3F02C8Af5JV -zp+tsq2foM0lIADnOTjUs2XgNGqx0Gm/hTAfBMsIgkM= ------END X509 CRL----- diff --git a/tests/certs/crl/ca-0-crl.pem b/tests/certs/crl/ca-0-crl.pem new file mode 120000 index 0000000..2138c26 --- /dev/null +++ b/tests/certs/crl/ca-0-crl.pem @@ -0,0 +1 @@ +../ca-0-crl.pem \ No newline at end of file -- 2.8.0.rc3
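Review bot: Replacing tests/certs/crl/ca-0-crl.pem with a symlink to `../ca-0-crl.pem` makes the crl/ directory fixture depend on symlinks surviving checkout and packaging. On a checkout without symlink support, or in a tarball built by a tool that does not preserve links, the path becomes a one-line text file. Depending on how the tests load that directory (not visible in this patch), that could surface as a load error or as a revocation list that is silently empty. It is worth confirming that the dist rules carry the link, or copying the file into crl/ at build time instead.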