Idea Details

Remove CRL Requirement for Server SSL Certificates

Last activity 06-13-2019 10:02 AM
kenpe02
08-10-2016 06:59 AM

When configuring PAM to use a new SSL certificate issued by a third-party Certification Authority, it is currently mandatory to import CRLs for any CA certificates that are in the chain of the PAM SSL certificate.

However, the CRLs typically expire after about a week, and are no longer used by PAM once the new SSL certificate is in place.


My idea is to make it so that CRL import is not required when configuring a server-side SSL certificate on PAM.

CRL import (or OCSP) should only be required if client-side certificate authentication (e.g. PKI Smartcards) is being used.


07-24-2018 05:54 AM

Hi Andreas


If you look at the latest documentation for creating a self-signed cert or cert request, you'll see that the section about creating a cert request says that you just have to import the cert response. There is no requirement here to import either the root or issuing certs or any CRLs.


I did a fresh deployment of PAM 3.x (can't remember the exact version) at a customer site, and we followed those instructions (as I wanted to verify them myself). The certificate response that we received from their PKI was imported into PAM and verified successfully. We never imported any root CA certs or CRLs.


I think the only advantage of importing root and intermediate CA certs is that PAM could then include them in the "server hello / server certificate" message during the SSL handshake, which might make it easier for the client to build a trust path. I see no reason to import any CRLs.


As long as you're not doing any client certificate authentication, it shouldn't be any issue.





07-24-2018 05:16 AM

Hello Pearse,

I was wondering if you could provide further details about your last update - PAM is using SSL out of the box using a self-signed certificate, right?

But in my experience, even in 3.x it is necessary to follow your initially described scenario when replacing the self-signed certificate with a CA-issued one, no?

06-11-2018 12:59 PM

It is no longer necessary to import either CA certificates or CRLs in PAM 3.x when configuring server-side SSL in PAM.

So this idea can be closed/resolved.