
MariaDB 10.4.13 adding ssl_crl causes error reading authorization packet


I wanted to use certificate revocation lists in my mariadb database so that I can deny certain clients should I revoke their certificate. I created a certificate authority with openssl using a root CA and intermediate CA that signs the server and client certs (used this guide and also created the crl).

I use the ca-chain certificate (combined intermediate-cert and root-cert) in the mariadb server settings; however, when I add the ssl-crl file, it shows lost connection to server at 'reading authorisation packet', and using Heidi Sql it says the root certificate is not trusted. I tried replacing the ca-chain with just the intermediate cert but the error still occurs.

Is there any way I can fix this? I would like to use the CRL in my server but it seems this is the only cause.

[Edit] When I use systemctl status mariadb, it says [Warning] Aborted connection to db: 'unconnected' user: 'unauthenticated' host: 'localhost' (This connection closed normally without authentication), and through HeidiSQL on my windows pc, it says the certificate is not trusted. The CRL only contains a certificate I used for testing and I am using a different one for connecting, which works fine. I can use openssl verify -check_crl with the entire chain and the client certificate which comes out as OK, and my ssl version is OpenSSL 1.1.1g, 21 April 2020.

[Edit 2] So using the same article mentioned before, I created a certificate authority but instead of using a root CA and an intermediate one, I simply forewent the intermediate one, using all the intermediate settings for this one. I then created server certs and client certs, changing the settings in mariadb to use these. This worked now and I could revoke a certificate and FLUSH SSL in mariadb so that the new crl was used without restarting the server. The question is how would I get it to work with the certificate chain?


Solution

Since I was using a root CA and intermediate CA, I had concatenated them into a ca-chain certificate and set that as ssl-ca. This was required to validate the entire chain, but for the crl option I only set the intermediate crl. I tried combining the root crl and intermediate crl into a crl-chain file and set this, and this worked :)

I'm going to try to put the root crl into the ca-chain certificate to see if I can set crl as only the intermediate crl, as regenerating the intermediate one would also require regenerating the chain, same with the root crl, but this seems solved now.
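The failure and the fix described above, reproduced end to end as an added example (this is not code from the question or the answer; the CA names, file names and the minimal openssl.cnf are constructed for it, and it only needs the openssl binary, 1.1.1 or later). It builds a root CA and an intermediate CA with the OpenSSL CLI, issues two client certificates from the intermediate, revokes one, generates a CRL for each CA, and then runs `openssl verify -crl_check_all`, the strict per-CA check that matches what the answer found the server needs: with only the intermediate CRL the valid client fails with `unable to get certificate CRL`, with the concatenated crl-chain it passes, and the revoked client is rejected.

```shell
#!/bin/sh
# Added example (not code from the question or answer): rebuilds the asker's
# two-tier PKI (root CA -> intermediate CA -> client certs) with throw-away keys
# in a temp directory, then shows with `openssl verify` why the CRL handed to the
# server must cover the whole chain. All names used here are constructed.
set -eu
WORK="$(mktemp -d)"
cd "$WORK"

# Minimal openssl.cnf for one CA directory ($1). `openssl ca` needs the
# database/serial/crlnumber entries, `openssl req` needs a [ req ] section.
ca_cnf() {
cat <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = $1
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
serial = \$dir/serial
crlnumber = \$dir/crlnumber
certificate = \$dir/ca.pem
private_key = \$dir/ca.key
default_md = sha256
default_days = 365
default_crl_days = 30
policy = policy_any
[ policy_any ]
commonName = supplied
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
[ v3_leaf ]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
}

new_ca_dir() {                       # $1 = directory name
  mkdir -p "$1/newcerts"
  : > "$1/index.txt"
  echo 1000 > "$1/serial"
  echo 1000 > "$1/crlnumber"
  ca_cnf "$1" > "$1/openssl.cnf"
}

issue_cert() {   # $1 = signing CA dir, $2 = extension section, $3 = output base, $4 = CN
  openssl req -new -newkey rsa:2048 -nodes -config "$1/openssl.cnf" \
    -keyout "$3.key" -out "$3.csr" -subj "/CN=$4" >/dev/null 2>&1
  openssl ca -batch -notext -config "$1/openssl.cnf" -extensions "$2" \
    -in "$3.csr" -out "$3.pem" >/dev/null 2>&1
}

# 1. Self-signed root CA; 2. intermediate CA signed by it.
new_ca_dir root
openssl req -x509 -newkey rsa:2048 -nodes -days 365 -config root/openssl.cnf \
  -extensions v3_ca -keyout root/ca.key -out root/ca.pem \
  -subj "/CN=Example Root CA" >/dev/null 2>&1
new_ca_dir inter
issue_cert root v3_ca inter/ca "Example Intermediate CA"

# 3. Two client certs from the intermediate; revoke one of them.
issue_cert inter v3_leaf client-ok "client-ok"
issue_cert inter v3_leaf client-revoked "client-revoked"
openssl ca -config inter/openssl.cnf -revoke client-revoked.pem >/dev/null 2>&1

# 4. One CRL per CA. The root CRL is empty but still required: it is the only
#    thing that can vouch that the intermediate certificate itself is not revoked.
openssl ca -config inter/openssl.cnf -gencrl -out inter/crl.pem >/dev/null 2>&1
openssl ca -config root/openssl.cnf -gencrl -out root/crl.pem >/dev/null 2>&1

# 5. The two files the answer ends up pointing ssl-ca and ssl-crl at.
cat inter/ca.pem root/ca.pem > ca-chain.pem
cat inter/crl.pem root/crl.pem > crl-chain.pem

# verify_client <CRL file> <client cert>: prints "OK" or OpenSSL's error text.
# -crl_check_all demands a CRL for every CA in the chain, not just the leaf's.
verify_client() {
  out=$(openssl verify -crl_check_all -CAfile ca-chain.pem -CRLfile "$1" "$2" 2>&1) \
    && { echo OK; return 0; }
  echo "$out" | sed -n 's/.*depth lookup: //p' | head -n 1
  return 1
}

verify_client inter/crl.pem client-ok.pem      || true   # unable to get certificate CRL
verify_client crl-chain.pem client-ok.pem      || true   # OK
verify_client crl-chain.pem client-revoked.pem || true   # certificate revoked
```

The middle call is the configuration the answer settled on: ca-chain.pem as ssl-ca and crl-chain.pem as ssl-crl. The first call is the original setup (intermediate CRL only) and fails not because the client is revoked but because nothing in the store can say whether the intermediate CA certificate is still good, which is the same gap the server was hitting. After revoking another certificate, regenerate the affected CA's CRL, rebuild crl-chain.pem and FLUSH SSL as the asker did.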