Re: [openssl-users] Offline Root CA and CRL generation
Hi Erwann, Am 15.03.2013 17:36, schrieb Erwann Abalea: Yes. That's one possible solution (possible from a PKI point of view). Another solution would be to play with indirect CRLs. That involves Thank you very much for your explanations, I will try these scenarios. Thanks, Sven __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: [openssl-users] Offline Root CA and CRL generation
Le 15/03/2013 17:01, Sven Dreyer a écrit : Hi Erwann, Am 15.03.2013 16:16, schrieb Erwann Abalea: You can generate a self-issued certificate dedicated to CRL signing (same name, different key, signed by your root). That's acceptable for RFC5280, but you'll have to check with your clients. And find a way to distribute this certificate. I'm not sure whether I got it right. My Root CA is named "Foobar Root CA" with keypair (A). I would then let "Foobar Root CA" issue a certificate for "Foobar Root CA" with keypair (B) and attribute "keyUsage = cRLSign". I would then use the certificate for keypair (B) to sign the CRL. Then, I would distribute the certificates for "Foobar Root CA" (A) and "Foobar Root CA" (B) to my clients' trusted CA stores. Is this the way you pointed me to? Yes. That's one possible solution (possible from a PKI point of view). Another solution would be to play with indirect CRLs. That involves issuing a certificate (with a different name, for example "Foobar CRL Signer") dedicated to CRL signing, specifying its name in the CRLDistributionPoints of your issued certificates, and sign the CRL with this certificate+private key (Foobar CRL Signer). That CRL must have a critical IssuingDistributionPoint extension with the indirectCRL set to true, and at least the first revocation entry must have an extension indicating its issuer name (Foobar Root CA). "Foobar CRL Signer" may be issued under a completely different trust chain. I don't know how well this second solution is supported by clients, and I suppose that the "Foobar CRL Signer" certificate should itself have a CRLDP extension pointing to a valid CRL, etc. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: [openssl-users] Offline Root CA and CRL generation
Hi Erwann, Am 15.03.2013 16:16, schrieb Erwann Abalea: You can generate a self-issued certificate dedicated to CRL signing (same name, different key, signed by your root). That's acceptable for RFC5280, but you'll have to check with your clients. And find a way to distribute this certificate. I'm not sure whether I got it right. My Root CA is named "Foobar Root CA" with keypair (A). I would then let "Foobar Root CA" issue a certificate for "Foobar Root CA" with keypair (B) and attribute "keyUsage = cRLSign". I would then use the certificate for keypair (B) to sign the CRL. Then, I would distribute the certificates for "Foobar Root CA" (A) and "Foobar Root CA" (B) to my clients' trusted CA stores. Is this the way you pointed me to? Thanks, Sven __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: [openssl-users] Offline Root CA and CRL generation
X.509 allows for a self-signed certificate dedicated to CRL signing (with the same name, of course). But that's not acceptable for RFC5280. You can generate a self-issued certificate dedicated to CRL signing (same name, different key, signed by your root). That's acceptable for RFC5280, but you'll have to check with your clients. And find a way to distribute this certificate. -- Erwann ABALEA Le 15/03/2013 15:53, Sven Dreyer a écrit : Hi List, I would like to setup an OpenSSL-based offline Root CA. Certificates issued by this Root CA contain a CDP. I would like to issue CRLs every 3 days, which would mean that I would have to take the offline Root CA online each 3 days. Is there a way to let the Root CA issue a "CRL signer certificate", which can then run on a different machine for CRL signature? For OCSP it seems to be possbile (RFC2560, 2.6 - "OCSP Signature Authority Delegation"). Does anybody know whether it's possible for CRL's using OpenSSL? Thanks for any advice, Sven __ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager majord...@openssl.org __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
