Cannot get CRL certificate revocation via distribution point working
vetruvian Feb 17, 2020 6:14 PM
Greetings,
Having trouble trying to get certificate revocation via distribution point working. Hoping for some guidance.
I am able to successfully implement CRL revocation via a locally saved .crl file, so I know there is not an issue with our locally generated root ca, soft certs, and CRL file. Additionally, I can download the CRL file through a browser by using the distribution point URL encoded into our certificates, so I know the CRL file is properly hosted.
Observed Behavior
Locally stored CRL file: WildFly properly prevents a certificate on the CRL from authenticating to the server.
Distribution point: WildFly allows a certificate on the CRL to authenticate to the server.
Version: 18.0.1.Final
I believe I have properly configured the server by executing the following cli commands as per the Elytron documentation (WildFly Elytron Security):
1. Set up Elytron keystore
/subsystem=elytron/key-store=twoWayKS:add(path=dev.jks,relative-to=jboss.server.config.dir,credential-reference={clear-text=password},type=JKS)
2. Set up Elytron truststore
/subsystem=elytron/key-store=twoWayTS:add(path=dev.jks,relative-to=jboss.server.config.dir,credential-reference={clear-text=password},type=JKS)
3. Configure a key-manager that references your key store key-store
/subsystem=elytron/key-manager=twoWayKM:add(key-store=twoWayKS,credential-reference={clear-text=password})
4. Configure a trust-manager that references your truststore key-store
/subsystem=elytron/trust-manager=twoWayTM:add(key-store=twoWayTS)
5. Configure a server-ssl-context that references your key-manager, trust-manager, and enables client authentication
/subsystem=elytron/server-ssl-context=twoWaySSC:add(key-manager=twoWayKM,protocols=["TLSv1.2"],trust-manager=twoWayTM,need-client-auth=true)
6. Check and see if the https-listener is configured to use a legacy security realm for its SSL configuration
/subsystem=undertow/server=default-server/https-listener=https:read-attribute(name=security-realm)
7. Remove the reference to the legacy security realm and update the https-listener to use the ssl-context from Elytron
batch
/subsystem=undertow/server=default-server/https-listener=https:undefine-attribute(name=security-realm)
/subsystem=undertow/server=default-server/https-listener=https:write-attribute(name=ssl-context,value=twoWaySSC)
run-batch
8. Enable CRL checking via distribution point
/subsystem=elytron/trust-manager=twoWayTM:write-attribute(name=certificate-revocation-list, value={})
The above cli commands result in the following additions to the standalone.xml in the Elytron subsystem:
<tls>
    <key-stores>
        <key-store name="twoWayKS">
            <credential-reference clear-text="password"/>
            <implementation type="JKS"/>
            <file path="dev.jks" relative-to="jboss.server.config.dir"/>
        </key-store>
        <key-store name="twoWayTS">
            <credential-reference clear-text="password"/>
            <implementation type="JKS"/>
            <file path="dev.jks" relative-to="jboss.server.config.dir"/>
        </key-store>
    </key-stores>
    <key-managers>
        <key-manager name="twoWayKM" key-store="twoWayKS">
            <credential-reference clear-text="password"/>
        </key-manager>
    </key-managers>
    <trust-managers>
        <trust-manager name="twoWayTM" key-store="twoWayTS">
            <certificate-revocation-list />
        </trust-manager>
    </trust-managers>
    <server-ssl-contexts>
        <server-ssl-context name="twoWaySSC" protocols="TLSv1.2" need-client-auth="true" key-manager="twoWayKM" trust-manager="twoWayTM"/>
    </server-ssl-contexts>
</tls>
Any/all advice greatly appreciated!!
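A way to narrow the problem down, as an added example that is not part of the original post and not WildFly or Elytron code: a JSSE trust manager ultimately relies on the JDK's PKIX certificate path validation, so the program below runs that validation directly on the same truststore and a client certificate, with revocation checked only through the CRL distribution point embedded in the certificate. If the JVM that WildFly runs on cannot fetch or apply the CRL from the distribution point, this reports UNDETERMINED rather than silently accepting the certificate, which separates a JVM-level fetch problem (proxy, URL reachability, CRL signature) from a subsystem configuration problem. Assumptions: the truststore is the post's dev.jks with the root CA stored as a trusted certificate entry, the client certificate is a PEM or DER file named client.pem, and the class name CrlDpCheck and the Outcome enum are invented here.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.security.cert.PKIXRevocationChecker;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.EnumSet;

/**
 * Stand-alone check (assumed class name): does this JVM accept or reject a client
 * certificate when revocation is checked ONLY via the CRL distribution point in it?
 *
 * Usage (assumed file names; dev.jks is the truststore from the post):
 *   java CrlDpCheck dev.jks password client.pem
 */
public class CrlDpCheck {

    /** Result of the check, returned rather than printed so a caller can branch on it. */
    public enum Outcome { ACCEPTED, REVOKED, UNDETERMINED, OTHER_FAILURE }

    public static Outcome check(KeyStore trustStore, X509Certificate clientCert) throws Exception {
        // Same switch the default JSSE validator honours for CRL distribution points;
        // harmless alongside an explicit PKIXRevocationChecker, which consults them itself.
        System.setProperty("com.sun.security.enableCRLDP", "true");

        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        CertPath path = cf.generateCertPath(Collections.singletonList(clientCert));

        // Trust anchors are taken from the TrustedCertificateEntry entries of the store,
        // which is how a trust manager built from that store sees them. A CA that is
        // only present inside a key entry's chain is NOT a trust anchor here.
        PKIXParameters params = new PKIXParameters(trustStore);
        params.setRevocationEnabled(true);

        CertPathValidator validator = CertPathValidator.getInstance("PKIX");
        PKIXRevocationChecker checker = (PKIXRevocationChecker) validator.getRevocationChecker();
        // CRL only, no OCSP fallback, and no SOFT_FAIL: an unreachable or unusable
        // distribution point must surface as a failure instead of an accept.
        checker.setOptions(EnumSet.of(PKIXRevocationChecker.Option.PREFER_CRLS,
                                      PKIXRevocationChecker.Option.NO_FALLBACK));
        params.addCertPathChecker(checker);

        try {
            validator.validate(path, params);
            return Outcome.ACCEPTED;
        } catch (CertPathValidatorException e) {
            // The reason tells you whether the CRL was applied (REVOKED) or never
            // usable (UNDETERMINED_REVOCATION_STATUS, e.g. the DP could not be fetched).
            System.err.println("validation failed: " + e.getReason() + ": " + e.getMessage());
            if (e.getReason() == CertPathValidatorException.BasicReason.REVOKED) {
                return Outcome.REVOKED;
            }
            if (e.getReason() == CertPathValidatorException.BasicReason.UNDETERMINED_REVOCATION_STATUS) {
                return Outcome.UNDETERMINED;
            }
            return Outcome.OTHER_FAILURE;
        }
    }

    public static void main(String[] args) throws Exception {
        KeyStore ts = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(args[0])) {
            ts.load(in, args[1].toCharArray());
        }
        X509Certificate cert;
        try (InputStream in = new FileInputStream(args[2])) {
            cert = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
        System.out.println(check(ts, cert));
    }
}
```

Run it with the same JVM and the same truststore the server uses, once with a revoked certificate and once with a valid one. REVOKED for the first and ACCEPTED for the second means the JVM can reach and apply the distribution point CRL and the gap is in the server configuration; UNDETERMINED for either means the fetch itself is failing at the JVM level (for example a proxy or DNS difference between the browser and the server host), and adding `-Djava.security.debug=certpath` to the command line prints the URL the JDK tried and why it gave up.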