By default, if client certificate validation is enabled in an HTTP profile, the PKI profile used by the virtual service must contain at least one CRL. This CRL is issued by the CA that signed the client certificate. This section explains how to generate and configure a CRL.
Generating CRL
Use the following OpenSSL command to generate the CRL using the key and the certificate created in the previous steps.
[client-cert-auth-demo] $ openssl ca -gencrl -keyfile CA.key -cert CA.pem -out crl.pem
Using configuration from /etc/pki/tls/openssl.cnf
/etc/pki/CA/index.txt: No such file or directory
unable to open '/etc/pki/CA/index.txt'
139687578113952:error:02001002:system library:fopen:No such file or directory:bss_file.c:398:fopen('/etc/pki/CA/index.txt','r')
139687578113952:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:400:
This command may fail with errors such as the ones shown above, because openssl ca expects its certificate database files to exist. Take the actions required to resolve them. For instance, the following commands create an empty /etc/pki/CA/index.txt file and a /etc/pki/CA/crlnumber file with the content 01:
[client-cert-auth-demo] $ touch /etc/pki/CA/index.txt
[client-cert-auth-demo] $ echo 01 > /etc/pki/CA/crlnumber
Re-generating the CRL
After resolving any errors, re-run the openssl ca -gencrl -keyfile CA.key -cert CA.pem -out crl.pem command to generate the CRL once again.
[client-cert-auth-demo] $ openssl ca -gencrl -keyfile CA.key -cert CA.pem -out crl.pem
Using configuration from /etc/pki/tls/openssl.cnf
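The same procedure carried end to end, as an added shell example that is not part of the original page: it creates the index.txt and crlnumber files that openssl ca needs, generates the CRL, and checks that the CRL verifies against the CA certificate. It assumes openssl is on PATH and uses a private working directory with its own minimal openssl.cnf (the ca_demo section name and the "Demo CA" subject are choices made for this example) instead of the system-wide /etc/pki/CA.

```shell
#!/bin/sh
# Added example, not from the original page. Sets up the CA database files
# that "openssl ca -gencrl" requires inside a private directory, generates the
# CRL and confirms it is signed by the CA. Directory layout, section name
# "ca_demo" and the CA subject are assumptions made for this example.
set -eu

# Create index.txt (empty certificate database), crlnumber (first CRL number)
# and a minimal openssl.cnf under $1, mirroring the /etc/pki/CA files the
# procedure above creates but without touching the system-wide directory.
setup_ca_dir() {
    dir=$1
    mkdir -p "$dir/newcerts"
    : > "$dir/index.txt"
    echo 01 > "$dir/crlnumber"
    cat > "$dir/openssl.cnf" <<EOF
[ ca ]
default_ca = ca_demo
[ ca_demo ]
dir = $dir
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
crlnumber = \$dir/crlnumber
default_md = sha256
default_crl_days = 30
[ req ]
distinguished_name = req_dn
[ req_dn ]
EOF
}

# Generate a demo CA key/certificate, then the CRL, then verify the CRL
# against the CA certificate. Returns 0 only if "verify OK" is reported.
gen_and_verify_crl() {
    dir=$1
    setup_ca_dir "$dir"
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=Demo CA" \
        -keyout "$dir/CA.key" -out "$dir/CA.pem" -config "$dir/openssl.cnf" 2>/dev/null
    openssl ca -config "$dir/openssl.cnf" -gencrl \
        -keyfile "$dir/CA.key" -cert "$dir/CA.pem" -out "$dir/crl.pem" 2>/dev/null
    openssl crl -in "$dir/crl.pem" -verify -CAfile "$dir/CA.pem" -noout 2>&1 \
        | grep -q 'verify OK'
}
```

After a successful run, crlnumber holds 02 because openssl ca increments it for the next CRL, and crl.pem is the file to upload into the PKI profile.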