Sensitive files
In this example the cakey.pem key created in the prerequisites section is sensitive material
and therefore should be kept on a secure storage device. For additional protection this file can be created with a passphrase; in that case the -nodes argument should
not be used in the openssl commands in the prerequisites section. If the key is created with a passphrase, the passphrase will be asked for
every time a new client certificate is signed. This file is also needed to create the CRL, see the section below.
The clientkey.pem key file created in the client auth certificate section
is sensitive material and therefore should be kept in a directory that only the user who runs the IDE can access.
If there is a risk that either file has leaked, the debugger module should be configured with a certificate revocation list (CRL) and the CRL file
should be updated with the revoked certificates. If the CA key cakey.pem leaks, it is enough to remove the corresponding CA certificate from the cacert.pem file and re-issue new client certificates.
If clientkey.pem is compromised, its certificate can be revoked by adding its serial number to the CRL and restarting the web service so that the debugger reloads the changes.
CRL configuration
The DBG php debugger supports a certificate revocation list (CRL), so compromised certificates can be revoked. crl.pem can be delivered to and updated on the server using
other tools. The web service should be reloaded to make the debugger module read the CRL file.
[dbg]
debugger.ssl_crl=/path/to/crl.pem
Revoke certificate
The following command updates the index.txt file and marks the corresponding line with "R", meaning revoked:
openssl ca -config openssl-ca.cnf -revoke clientcert.pem
where
- clientcert.pem is the client certificate to be revoked
After index.txt, which holds the information about issued certificates, has been updated, a new CRL file can be generated:
openssl ca -config openssl-ca.cnf -gencrl -out crl.pem
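The revoke and gencrl steps above, carried through end to end as an added example (not part of the DBG documentation): a throwaway CA is built in a temporary directory, a client certificate is issued, revoked and written into crl.pem, and openssl verify confirms the certificate is rejected before the web service would be reloaded. It assumes only the openssl command-line tool (1.1.1 or later, for -addext); the config file and names are constructed to match those used on this page.

```shell
#!/bin/sh
# Added example: exercise openssl ca -revoke / -gencrl against a demo CA and
# check that the resulting crl.pem really rejects the revoked client certificate.
set -eu

# Minimal CA database layout and config, using the file names from the page.
setup_demo_ca() {
  mkdir -p newcerts; : > index.txt; echo 01 > serial
  cat > openssl-ca.cnf <<'EOF'
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir = .
database = $dir/index.txt
new_certs_dir = $dir/newcerts
serial = $dir/serial
certificate = $dir/cacert.pem
private_key = $dir/cakey.pem
default_md = sha256
default_days = 365
default_crl_days = 30
policy = demo_policy
[ demo_policy ]
commonName = supplied
[ req ]
distinguished_name = req_dn
[ req_dn ]
EOF
  # Self-signed CA (cakey.pem/cacert.pem), then one client certificate (clientcert.pem).
  openssl req -x509 -newkey rsa:2048 -nodes -keyout cakey.pem -out cacert.pem -subj /CN=demo-ca \
    -addext basicConstraints=critical,CA:TRUE -config openssl-ca.cnf 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -keyout clientkey.pem -out client.csr \
    -subj /CN=demo-client -config openssl-ca.cnf 2>/dev/null
  openssl ca -batch -notext -config openssl-ca.cnf -in client.csr -out clientcert.pem >/dev/null 2>&1
}

# Revoke clientcert.pem, regenerate crl.pem and report what openssl verify says.
# Prints "revoked" when the CRL rejects the certificate, "still-valid" otherwise.
revoke_and_check() {
  workdir=$(mktemp -d)
  ( cd "$workdir" && setup_demo_ca
    openssl ca -config openssl-ca.cnf -revoke clientcert.pem 2>/dev/null
    openssl ca -config openssl-ca.cnf -gencrl -out crl.pem 2>/dev/null
    grep -q '^R' index.txt || { echo "index.txt was not updated"; exit 1; }
    # -crl_check makes verify consult the CRL; a revoked leaf fails with "certificate revoked".
    if openssl verify -crl_check -CAfile cacert.pem -CRLfile crl.pem clientcert.pem >/dev/null 2>&1
    then echo still-valid; else echo revoked; fi )
  rm -rf "$workdir"
}

revoke_and_check
```

Run the same verify command against the real cacert.pem, crl.pem and the revoked client certificate before reloading the web service to confirm the CRL you are about to deploy actually lists it.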