Managing CRLs in RHEL{6,7}

warron.french
Posts: 616
Joined: 2014/03/27 20:21:58

Managing CRLs in RHEL{6,7}

Post by warron.french » 2017/03/07 19:28:25

Hello, I have a case where I need to be able to manage CRLs for various applications on a physically isolated network for various websites and applications.

The CRLs come in the form of files; I think they end in the extension .crl, but it is also possible that they end with the extension of .pem.

Can someone please provide a document, blog, or something useful in order to accomplish this task?

I need to be able to do this for both RHEL6 and RHEL7 machines; if browsers are in question, we are using Google Chrome and Firefox, using RPMs.

Thank you for your assistance in advance.
Thanks,
War

aks
Posts: 3073
Joined: 2014/09/20 11:22:14

Re: Managing CRLs in RHEL{6,7}

Post by aks » 2017/03/08 17:28:08

Have you looked at the crlutil utility? I think it'll do what you need on NSS databases (which I think Firefox uses, not sure about Chrome).

warron.french
Posts: 616
Joined: 2014/03/27 20:21:58

Re: Managing CRLs in RHEL{6,7}

Post by warron.french » 2017/03/08 18:35:44

Hi again aks, no, I didn't know that tool existed.

Just yesterday I learned about another tool called certmgr and it looks like it might handle CRLs and CTLs.

I have a cohort who has to handle similar tasks for Windows Servers and Windows "workstations."

I cannot find a man page on crtutil, but I just found a reference to https://linux.die.net/man/8/fetch-crl; what do you know about that tool, if anything?

I am a relative novice with respect to PKI, but it is something I have been trying to ease into; mostly using OpenSSL and everything it offers.

Thanks again aks,
Thanks,
War

aks
Posts: 3073
Joined: 2014/09/20 11:22:14

Re: Managing CRLs in RHEL{6,7}

Post by aks » 2017/03/13 17:24:44

Sorry for the delay in replying.
I imagine it's in the nss-* packages (probably nss-tools or possibly nss-util).

Sorry, not familiar with fetch-crl.

warron.french
Posts: 616
Joined: 2014/03/27 20:21:58

Re: Managing CRLs in RHEL{6,7}

Post by warron.french » 2017/03/14 01:25:47

aks, no problem, thanks for replying.
Thanks,
War
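
The workflow discussed in this thread (CRL files of uncertain encoding, checked with OpenSSL and loaded into an NSS database with crlutil), sketched as an added example that is not part of any poster's message. The function names, the file arguments and the NSS database location are assumptions; crlutil is assumed to be installed from the nss-tools package.

```shell
#!/bin/sh
# Added example: function names, paths and the NSS database are assumptions.

# Print PEM or DER according to the file's content. The extension is not
# a reliable guide: .crl and .pem files can each hold either encoding.
crl_format() {
    if grep -q -- '-----BEGIN X509 CRL-----' "$1" 2>/dev/null; then
        echo PEM
    else
        echo DER
    fi
}

# Show the issuer and validity window. On an isolated network a CRL past
# its nextUpdate date is a sign that the manual transfer has fallen behind.
crl_summary() {
    openssl crl -inform "$(crl_format "$1")" -in "$1" \
        -noout -issuer -lastupdate -nextupdate
}

# Check the CRL signature against the issuing CA certificate (PEM).
# The printed verdict is matched because exit codes vary across versions.
crl_verify() {
    openssl crl -inform "$(crl_format "$1")" -in "$1" -CAfile "$2" \
        -noout 2>&1 | grep -q 'verify OK'
}

# Normalise to DER, then import into an NSS database directory,
# for example a Firefox profile directory (hypothetical path).
crl_import_nss() {
    crl=$1
    nssdb=$2
    tmp=$(mktemp) || return 1
    if openssl crl -inform "$(crl_format "$crl")" -in "$crl" \
        -outform DER -out "$tmp"; then
        crlutil -I -i "$tmp" -d "$nssdb"
        rc=$?
    else
        rc=1
    fi
    rm -f "$tmp"
    return $rc
}

# List the CRLs currently stored in the NSS database.
crl_list_nss() {
    crlutil -L -d "$1"
}
```

Run crl_verify before crl_import_nss so that only CRLs signed by the expected CA reach the database.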
