Sensitive files

In this example the cakey.pem key created in the prerequisites section is sensitive material and therefore should be kept on a secure storage device. For additional protection this file can be created with a passphrase; in that case the -nodes argument should not be used in the openssl commands in the prerequisites section. If the key is created with a passphrase, the passphrase will be asked for every time a new client certificate is signed. This file is also needed to create the CRL, see the section below.

The clientkey.pem key file created in the client auth certificate section is sensitive material and therefore should be kept in a directory that only the user who runs the IDE can access.

If there is a risk that either file can leak, the debugger module should be configured with a certificate revocation list (CRL) and the CRL file should be updated with revoked certificates. If the cakey.pem CA key leaks, it is enough to remove it from the cacert.pem file and re-issue new client certificates. If clientkey.pem is compromised, its certificate can be revoked by adding its serial number to the CRL and restarting the web service so that the debugger reloads the changes.
CRL configuration

The DBG php debugger supports a certificate revocation list (CRL) so that compromised certificates can be revoked. crl.pem can be delivered to and updated on the server using other tools. The web service should be reloaded to make the debugger module read the CRL file.

[dbg]
debugger.ssl_crl=/path/to/crl.pem
Revoke certificate

The following command updates the index.txt file and marks the corresponding line with "R", meaning revoked:

openssl ca -config openssl-ca.cnf -revoke clientcert.pem

where clientcert.pem is the client certificate to be revoked. After index.txt, which holds information about issued certificates, has been updated, a new CRL file can be generated:

openssl ca -config openssl-ca.cnf -gencrl -out crl.pem
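To see the whole cycle end to end, here is an added example (not part of the DBG documentation) that builds a throwaway CA in a temporary directory with a minimal openssl-ca.cnf, issues a client certificate, revokes it, regenerates crl.pem and checks with openssl verify that the certificate is accepted before revocation and rejected afterwards. The config contents, directory layout and the "Demo CA" / "demo client" names are assumptions made for the demo, not the page's own files.

```shell
# Added example: throwaway CA showing revoke -> regenerate CRL -> verify. -nodes is used
# only because this is a disposable demo key; a real cakey.pem should carry a passphrase.
set -e

# Minimal openssl-ca.cnf for "openssl ca" (assumed layout: index.txt, serial, newcerts/)
write_ca_config() { cat > openssl-ca.cnf <<'EOF'
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = .
database = $dir/index.txt
new_certs_dir = $dir/newcerts
certificate = $dir/cacert.pem
private_key = $dir/cakey.pem
serial = $dir/serial
default_md = sha256
default_days = 365
default_crl_days = 30
policy = policy_any
[ policy_any ]
commonName = supplied
[ req ]
distinguished_name = req_dn
x509_extensions = v3_ca
[ req_dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
EOF
}
# Returns 0 only if the client cert verifies before revocation and is rejected after it.
demo_revocation() (
  work=$(mktemp -d) && cd "$work" && mkdir newcerts && : > index.txt && echo 01 > serial
  write_ca_config
  openssl req -x509 -new -newkey rsa:2048 -nodes -keyout cakey.pem -out cacert.pem \
    -subj "/CN=Demo CA" -days 365 -config openssl-ca.cnf 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -keyout clientkey.pem -out client.csr \
    -subj "/CN=demo client" -config openssl-ca.cnf 2>/dev/null
  openssl ca -batch -notext -config openssl-ca.cnf -in client.csr -out clientcert.pem 2>/dev/null
  openssl ca -config openssl-ca.cnf -gencrl -out crl.pem 2>/dev/null
  cat cacert.pem crl.pem > trust.pem     # openssl verify reads CRLs from -CAfile too
  openssl verify -crl_check -CAfile trust.pem clientcert.pem >/dev/null 2>&1 || return 1
  openssl ca -config openssl-ca.cnf -revoke clientcert.pem 2>/dev/null   # index.txt line becomes "R"
  openssl ca -config openssl-ca.cnf -gencrl -out crl.pem 2>/dev/null     # CRL now lists the serial
  cat cacert.pem crl.pem > trust.pem
  ! openssl verify -crl_check -CAfile trust.pem clientcert.pem >/dev/null 2>&1 || return 1
  grep -q '^R' index.txt   # revoked entry recorded in the CA database
)
if demo_revocation; then REVOCATION_OK=1; else REVOCATION_OK=0; fi
echo "revoked client certificate rejected: $REVOCATION_OK"   # prints 1 on success
```

In production the regenerated crl.pem is then copied to the path set in debugger.ssl_crl and the web service is reloaded, as described above.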