Management of revocation lists in Apache

Old method: CRLs

If you are using strong authentication with client certificates, you need to check the validity of those certificates regularly. To do so, you have to consult the certificate revocation list (CRL) published by each CA in the accepted certification chain.

If you followed our instructions, you have already identified the acceptable issuers with the SSLCACertificateFile or SSLCACertificatePath directive. To do so, you went through the certification chain, starting from the certificate that issues your certificates (the intermediate certificates).
Now you have to go through this chain again and note, at each step, the URL of the CRL for each certificate (it is published in the certificate's CRL Distribution Points extension). For example, if you are using our TBS X509 PKI PME offer, your issuer certificate is TBS X509 CA persona 3. You then get the following list:
http://crl.sectigo.com/TBSX509CAPersona3RSA.crl
http://crl.usertrust.com/USERTrustRSACertificationAuthority.crl

You then have to make those CRLs available to Apache so that it can check them. To do so, we'll work in Apache's standard directory, which is usually /etc/httpd/conf/ssl.crl/

Then use the Apache directive:
    SSLCARevocationPath conf/ssl.crl/


Those CRLs must always be up to date. So instead of updating them manually, we'll put the update in a cron job that runs every hour. It retrieves all the CRLs of the chain (with curl), converts them to PEM (with openssl) and then creates the hash links (with make, using the Makefile supplied by Apache).

Here is our file /etc/cron.hourly/maj-crl-httpd for our example:

    #!/bin/sh
    # Hourly refresh of the CRLs of the chain (run from /etc/cron.hourly)
    cd /etc/httpd/conf/ssl.crl || exit 1

    # TBS X509 persona chain for PKI PME
    # Download each CRL (-f: fail on an HTTP error instead of piping an error
    # page into openssl) and convert it from DER to the PEM format Apache reads
    curl -sf http://crl.sectigo.com/TBSX509CAPersona3RSA.crl | openssl crl -inform DER -out TBSX509CApersona3RSA.crl
    curl -sf http://crl.usertrust.com/USERTrustRSACertificationAuthority.crl | openssl crl -inform DER -out USERTrustRSACertificationAuthority.crl

    # Rebuild the <hash>.r0 symlinks with the Makefile shipped by Apache
    make > /dev/null
The result is as follows:
    $ ll /etc/httpd/conf/ssl.crl
    -rw-r--r--    1 root     root          320 Aug 24  1999 README.CRL
    -rw-r--r--    1 root     root         1568 Aug 24  1999 Makefile
    -rw-r--r--    1 root     root          841 Feb 11 14:10 TBSX509CApersona3RSA.crl
    -rw-r--r--    1 root     root          857 Feb 11 14:10 USERTrustRSACertificationAuthority.crl
    lrwxrwxrwx    1 root     root           46 Feb 11 14:10 9ec3a561.r0 -> USERTrustRSACertificationAuthority.crl
    lrwxrwxrwx    1 root     root           20 Feb 11 14:10 4840af4a.r0 -> TBSX509CApersona3RSA.crl
Now tell Apache to consult those CRLs with the directive:
    SSLCARevocationPath conf/ssl.crl/
On Apache 2.4 you must also set SSLCARevocationCheck chain (its default is none); otherwise the CRLs are loaded but never consulted.
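The cron job above replaces each CRL with whatever the download returned. As an added example (not code from the TBS page or from Apache's Makefile), here is a POSIX shell function that validates a downloaded CRL before it replaces the copy Apache reads from SSLCARevocationPath: it converts DER to PEM, checks the signature against the issuer certificate you already trust in SSLCACertificateFile, rejects a CRL whose nextUpdate has passed, and creates the <hash>.r0 link. The function name install_crl is ours; it assumes the openssl CLI and GNU date.

```shell
#!/bin/sh
# Added example: validate a freshly downloaded CRL before installing it into
# Apache's SSLCARevocationPath. Assumes the openssl CLI and GNU date (date -d).
#
# install_crl <downloaded DER CRL> <issuer certificate PEM> <destination dir>
# Exits 0 only if the file converts to PEM, is signed by the expected issuer
# and has not passed its nextUpdate; on any failure the destination directory
# is left untouched (the previous CRL stays in place).
install_crl() {
    der="$1"; issuer="$2"; dest="$3"
    name=$(basename "$der")
    tmp="$dest/$name.tmp"

    # 1. DER -> PEM. A truncated download or an HTML error page fails here.
    openssl crl -inform DER -in "$der" -out "$tmp" >/dev/null 2>&1 \
        || { rm -f "$tmp"; return 1; }

    # 2. The CRL must be signed by the CA we already trust for client
    #    certificates (the same certificate as in SSLCACertificateFile).
    openssl crl -in "$tmp" -CAfile "$issuer" -noout >/dev/null 2>&1 \
        || { rm -f "$tmp"; return 1; }

    # 3. Freshness: with CRL checking enabled, an expired CRL makes every
    #    client verification fail, so keep the previous copy instead.
    next=$(openssl crl -in "$tmp" -noout -nextupdate | sed 's/^nextUpdate=//')
    [ "$(date -d "$next" +%s)" -gt "$(date +%s)" ] \
        || { rm -f "$tmp"; return 1; }

    # 4. Atomically replace the old CRL, then (re)create the <hash>.r0 link
    #    Apache expects, from the issuer-name hash as the Makefile does.
    #    The hash must come from the OpenSSL version Apache is linked against.
    mv "$tmp" "$dest/$name" || return 1
    ln -sf "$name" "$dest/$(openssl crl -in "$dest/$name" -noout -hash).r0"
}

# Typical use from the hourly cron job (issuer path is a placeholder):
#   curl -sf http://crl.sectigo.com/TBSX509CAPersona3RSA.crl -o /tmp/persona3.crl \
#     && install_crl /tmp/persona3.crl /path/to/TBSX509CApersona3.pem /etc/httpd/conf/ssl.crl
```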

New method: OCSP

This method checks the validity of a certificate in real time by querying the certification authority's OCSP responder directly. To enable OCSP checking of client certificates, add the following directives to your Apache configuration file:

    SSLVerifyClient require
    SSLOCSPEnable on

You should also enable OCSP stapling, so that the server itself supplies a signed proof of its certificate's validity to the client during the handshake. OCSP stapling is supported from Apache 2.4 onwards. Here is an example OCSP stapling configuration (SSLStaplingCache must be set in the global server configuration, outside any VirtualHost):

    SSLUseStapling on
    SSLStaplingCache "shmcb:logs/stapling_cache(128000)"