On 11.27.2013 01:17 am, Kent Watsen via RT wrote:
>> I also managed to get my original example working, which includes the
>> CRL distribution point extension in the certificate and the issuing
>> distribution point extension in the CRL (with the indirect CRL flag)
>> by using matching names for the CA and CRL issuer. As you mentioned,
>> this relies on the fact that the default scope for a CRL entry is the
>> CRL issuer unless the certificate issuer extension is present. This
>> seems like a slightly 'safer' CRL delegation method in that it's
>> explicit delegation. However, it does rely on several extensions
>> which may not be supported by all implementations...
>
> Hi Craig,
>
> I'm trying to do the same - can you share either the openssl.cnf
> files or the cert/crl files that enabled you to get this working?
>
> The examples you provided in the thread were for Stephen Henson's,
> but I want to try the more official route...
>
> Thanks,
> Kent
I wrote a script that would regenerate the credentials in my first example when I was playing with the associated extensions. It's changed a bit since then, but it still illustrates the same points. It generates a self-signed CA, a CRL issuer credential, and two user credentials. It then revokes one of the user credentials, generates a CRL, and uses the verify command to check each user certificate against the CRL.

In the example, the only common name that matters is the one for the CRL issuer credential, which must match the CRL issuer extension defined for the user certificates in the openssl.cnf file (CN=CRL Issuer). As written, both user credentials successfully validate because the CRL generated does not include the issuer extension on each of its entries. If you choose common names such that the CA credential, CRL issuer credential, and CRL issuer named in the user certificates are all the same, the verify command will successfully recognize that one of the user credentials has been revoked.
--- example

#!/bin/bash

# Fresh working directories for the CA database, issued certs, keys and CRLs
mkdir certsdb certs db private crl
rm certsdb/* certs/* db/* private/* crl/*
touch db/index.txt
echo 01 > db/serial
echo 01 > db/crl_serial

# Each "openssl req" below prompts for the subject; the echo lines show what to enter.
echo "Self signed CA"
echo "Subject: C=US, O=example, CN=root"
openssl req -config openssl.cnf -x509 -nodes \
    -extensions ca_self_sign_extensions \
    -newkey rsa \
    -out certs/ca.pem \
    -keyout private/ca.pem

# CRL issuer: signed by the CA, keyUsage cRLSign only (see ca_crl_issuer_sign_extensions)
echo "CRL issuer certificate"
echo "Subject: C=US, O=example, CN=CRL Issuer"
openssl req -config openssl.cnf -new -nodes \
    -newkey rsa \
    -out crl-issuer.req \
    -keyout private/crl-issuer.pem
openssl ca -config openssl.cnf \
    -name ca_example \
    -extensions ca_crl_issuer_sign_extensions \
    -out certs/crl-issuer.pem \
    -infiles crl-issuer.req

# User certificates carry a CRL distribution point naming CN=CRL Issuer as cRLIssuer
echo "Client certificate"
echo "Subject: CN=happy"
openssl req -config openssl.cnf -new -nodes \
    -newkey rsa \
    -out happy.req \
    -keyout private/happy.pem
openssl ca -config openssl.cnf \
    -name ca_example \
    -extensions ca_user_sign_extensions \
    -out certs/happy.pem \
    -infiles happy.req

echo "Client certificate"
echo "Subject: CN=revoked"
openssl req -config openssl.cnf -new -nodes \
    -newkey rsa \
    -out revoked.req \
    -keyout private/revoked.pem
openssl ca -config openssl.cnf \
    -name ca_example \
    -extensions ca_user_sign_extensions \
    -out certs/revoked.pem \
    -infiles revoked.req

# Revocation is recorded in the shared db/index.txt under the CA section
echo "Revoking..."
openssl ca -config openssl.cnf \
    -name ca_example \
    -crl_reason keyCompromise \
    -revoke certs/revoked.pem

# The CRL is signed by the CRL issuer credential (crl_example section), not the CA
echo "Generating CRL..."
openssl ca -config openssl.cnf -gencrl \
    -name crl_example \
    -crlexts crl_extensions \
    -out crl/crl.pem

# -extended_crl is needed for verify to accept the indirect CRL from a delegated issuer
echo "Verifying..."
openssl verify \
    -crl_check -extended_crl \
    -CAfile certs/ca.pem \
    -CRLfile crl/crl.pem \
    -untrusted certs/crl-issuer.pem \
    certs/happy.pem \
    certs/revoked.pem

--- openssl.cnf

[ ca_example ]
dir             = .
certs           = $dir/certs
new_certs_dir   = $dir/certsdb
certificate     = $dir/certs/ca.pem
private_key     = $dir/private/ca.pem
database        = $dir/db/index.txt
serial          = $dir/db/serial
name_opt        = ca_default
cert_opt        = ca_default
default_md      = default
default_days    = 365
policy          = ca_policy_match
preserveDN      = no
email_in_dn     = no

[ ca_policy_match ]
countryName       = match
organizationName  = match
commonName        = supplied

[ req ]
distinguished_name = req_distinguished_name
x509_extensions    = ca_self_sign_extensions

[ req_distinguished_name ]
countryName              = Country Name (2 letter code)
countryName_default      = US
countryName_min          = 2
countryName_max          = 2
organizationName         = Organization Name (eg, company)
organizationName_default = example
commonName               = Common Name (server/email identifier)
commonName_default       = NAME
commonName_max           = 64

[ ca_self_sign_extensions ]
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always,issuer:always
subjectAltName         = email:[email protected]
keyUsage               = critical,keyCertSign
basicConstraints       = critical,CA:TRUE,pathlen:0

[ ca_crl_issuer_sign_extensions ]
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always,issuer:always
issuerAltName          = issuer:copy
keyUsage               = critical,cRLSign
basicConstraints       = critical,CA:FALSE

[ ca_user_sign_extensions ]
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always,issuer:always
issuerAltName          = issuer:copy
basicConstraints       = critical,CA:FALSE
keyUsage               = critical,digitalSignature
crlDistributionPoints  = crl_dp

[ crl_dp ]
fullname  = URI:http://example.com/example.crl
CRLissuer = dirName:crl_issuer_dn

[ crl_issuer_dn ]
C  = US
O  = example
CN = CRL Issuer

[ crl_example ]
dir              = .
certificate      = $dir/certs/crl-issuer.pem
private_key      = $dir/private/crl-issuer.pem
database         = $dir/db/index.txt
crlnumber        = $dir/db/crl_serial
default_md       = default
default_crl_days = 30

[ crl_extensions ]
authorityKeyIdentifier   = keyid:always,issuer:always
issuerAltName            = issuer:copy
issuingDistributionPoint = @crl_issuing_dp

[ crl_issuing_dp ]
fullname    = URI:http://example.com/example.crl
indirectCRL = TRUE

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [email protected]
Automated List Manager                           [email protected]
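The scope rule Craig describes above (an entry in an indirect CRL applies to the CRL issuer unless a certificate issuer entry extension says otherwise, and that extension carries forward to later entries) is shown here as an added example that is not part of the thread or of OpenSSL; it models the rule in plain Python with the distinguished names from the script, constructed serial numbers, and DNs compared as plain strings rather than with full RFC 5280 name matching.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Cert:
    issuer: str   # issuer DN of the end-entity certificate
    serial: int

@dataclass
class CrlEntry:
    serial: int
    certificate_issuer: Optional[str] = None  # certificateIssuer entry extension, if present

@dataclass
class Crl:
    issuer: str
    indirect: bool  # indirectCRL flag of the issuingDistributionPoint extension
    entries: List[CrlEntry] = field(default_factory=list)

def entry_scopes(crl: Crl) -> List[Tuple[str, int]]:
    """Resolve the (issuer, serial) each CRL entry applies to, per RFC 5280 s.5.3.3.

    Without a certificateIssuer entry extension an entry applies to the CRL issuer.
    When present, the extension is sticky: it covers that entry and every later entry
    until another certificateIssuer extension appears.
    """
    current = crl.issuer
    scoped = []
    for e in crl.entries:
        if e.certificate_issuer is not None:
            if not crl.indirect:
                # The entry extension is only defined for indirect CRLs; reject rather than guess.
                raise ValueError("certificateIssuer entry in a CRL not marked indirectCRL")
            current = e.certificate_issuer
        scoped.append((current, e.serial))
    return scoped

def is_revoked(cert: Cert, crl: Crl) -> bool:
    """True only if an entry's resolved scope matches the cert's issuer and serial."""
    return (cert.issuer, cert.serial) in entry_scopes(crl)

ROOT = "C=US,O=example,CN=root"             # the CA from the script
CRL_ISSUER = "C=US,O=example,CN=CRL Issuer"  # the delegated CRL issuer
revoked = Cert(issuer=ROOT, serial=3)        # constructed serial for CN=revoked

# As the script generates it: entry applies to CN=CRL Issuer, so CN=root's cert is not matched.
crl_as_generated = Crl(CRL_ISSUER, True, [CrlEntry(3)])
# The "matching names" variant from the thread: CA and CRL issuer share a DN.
crl_matching_names = Crl(ROOT, True, [CrlEntry(3)])
# The explicit variant: entry carries certificateIssuer pointing at the CA.
crl_scoped = Crl(CRL_ISSUER, True, [CrlEntry(3, ROOT)])
```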
