Cool Breeze

Reputation: 900

Add CRL (certificate revocation list) URL to certificates

I am generating the root CA using the commands below:

openssl genrsa -aes256 -out ca.key.pem -passout pass:KeyPassword 4096
openssl req -key ca.key.pem -passin pass:Password -new -x509 -days 365 -sha256 -out ca.root.pem

and then I'm creating signed user certificates (without using intermediate certificates) using the commands below:

1) Generate a key for user

openssl req -newkey rsa:2048 -nodes -keyout keyname.pem -days 365

2) Create a CSR

openssl req -out keyname.csr -key keyname.pem -new -days 365

3) Sign the key with the root cert

openssl ca -batch -create_serial -config openssl.cnf -cert ca.root.pem -keyfile ca.key.pem -passin pass:KeyFinalPassword -in keyname.csr -out certname.pem

4) Generate .p12 file

openssl pkcs12 -name username -inkey keyname.pem -in certname.pem -export -out username.p12 -password pass:password

Note: I've added crlDistributionPoints = URI:http://localhost:8000/crl/distripoint.crl.pem to openssl.cnf along with the options below:

# For certificate revocation lists.
# crlDistributionPoints = URI:http://HOSTNAME/crl/distripoint.crl.pem
crlDistributionPoints = URI:http://localhost:8000/crl/distripoint.crl.pem
crlnumber         = $dir/config/crl/crlnumber
crl               = $dir/config/crl/ca.crl.pem
crl_extensions    = crl_ext
default_crl_days  = 60

Note: I generated distribution.crl.pem using this tutorial

Upvotes: 3

Views: 9195

Answers (2)

Salman Siddiqui

Reputation: 374

For easyrsa v3+, the CRL and CA certificate distribution URLs can be included in each signed certificate by adding the information to

/usr/share/easy-rsa/3/x509-types/COMMON

The default contents of the file are:

# X509 extensions added to every signed cert

# This file is included for every cert signed, and by default does nothing.
# It could be used to add values every cert should have, such as a CDP as
# demonstrated in the following example:

#crlDistributionPoints = URI:http://example.net/pki/my_ca.crl

# The authority information access extension gives details about how to access
# certain information relating to the CA.

#authorityInfoAccess = caIssuers;URI:http://example.net/pki/my_ca.crt

Change the URI to suit your requirements after removing the leading # from line 7 and/or 12.

Upvotes: 0

Konstantin Shemyak

Reputation: 2527

The crlDistributionPoints parameter must be added to the x509_extensions section of the CA you are using. (In your example, it looks like you have added this parameter to the CA section itself.)

openssl ca, using an openssl.cnf with these lines, adds the CRL Distribution Points extension to the issued certificate:

[ ca ]
default_ca      = CA_default

[ CA_default ]
(...other parameters...)
x509_extensions = added-extensions

[ added-extensions ]
crlDistributionPoints = URI:http://localhost:8000/crl/distripoint.crl.pem

You might want to use a custom openssl.cnf instead of the default one for the req and ca commands; the default contains many example entries which may not do what you want. Here are examples of minimal openssl.cnf.

(Side note: your last command generating .p12 file is not relevant to the question; it only packs already created certificates in another format.)

Upvotes: 5
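The point of this answer, and the placement mistake in the question, as an added example that is not code from the question or from either answer: a self-contained shell script that builds a throwaway CA from a minimal openssl.cnf, issues a certificate once with crlDistributionPoints in the section named by x509_extensions and once with it misplaced in [ CA_default ], reads the extension back with openssl x509, and then generates the CRL, revokes the certificate and confirms that openssl verify -crl_check rejects it. It assumes an openssl binary (1.1.1 or 3.x) on PATH; the file names, subject names and the password are placeholders chosen for this example, and the CDP URL is the one from the question.

```shell
#!/bin/sh
# Added example (not from the question or either answer). Throwaway CA built from a
# minimal openssl.cnf: crlDistributionPoints is emitted only when it sits in the section
# named by x509_extensions, not in [ CA_default ]; the CRL it points at then makes
# "openssl verify -crl_check" reject a revoked cert. Names/password are placeholders.
set -eu

CDP_URL="http://localhost:8000/crl/distripoint.crl.pem"   # URL from the question
PASS="pass:ExamplePassword"   # placeholder; pass: exposes the secret to ps(1)

# Write openssl.cnf plus the index/crlnumber state "openssl ca" needs into $1.
# $2 = correct   -> crlDistributionPoints in [ added_extensions ] (what the answer says)
# $2 = misplaced -> crlDistributionPoints in [ CA_default ], where openssl ca ignores it
make_ca_dir() {
  dir="$1"; ext_cdp="crlDistributionPoints   = URI:$CDP_URL"; ca_cdp=""
  if [ "$2" = misplaced ]; then ca_cdp="$ext_cdp"; ext_cdp=""; fi
  mkdir -p "$dir/newcerts"
  : > "$dir/index.txt"
  echo 1000 > "$dir/crlnumber"
  cat > "$dir/openssl.cnf" <<EOF
[ ca ]
default_ca        = CA_default

[ CA_default ]
dir               = $dir
database          = \$dir/index.txt
new_certs_dir     = \$dir/newcerts
certificate       = \$dir/ca.root.pem
private_key       = \$dir/ca.key.pem
serial            = \$dir/serial
crlnumber         = \$dir/crlnumber
default_md        = sha256
default_days      = 365
default_crl_days  = 60
policy            = policy_any
x509_extensions   = added_extensions
$ca_cdp
[ policy_any ]
commonName        = supplied

[ added_extensions ]
basicConstraints        = CA:FALSE
subjectKeyIdentifier    = hash
authorityKeyIdentifier  = keyid,issuer
$ext_cdp
[ v3_ca ]
basicConstraints        = critical, CA:TRUE
keyUsage                = critical, keyCertSign, cRLSign
subjectKeyIdentifier    = hash

[ req ]
prompt             = no
distinguished_name = req_dn
[ req_dn ]
CN                 = Example Root CA
EOF
}

# Create the root CA in $1 (mode $2) and issue one end-entity cert; prints the cert path.
issue_cert() {
  dir="$1"; cfg="$dir/openssl.cnf"
  make_ca_dir "$dir" "$2"
  openssl genrsa -aes256 -passout "$PASS" -out "$dir/ca.key.pem" 2048 2>/dev/null || return 1
  openssl req -config "$cfg" -key "$dir/ca.key.pem" -passin "$PASS" -new -x509 \
    -days 365 -sha256 -extensions v3_ca -out "$dir/ca.root.pem" || return 1
  openssl req -config "$cfg" -newkey rsa:2048 -nodes -keyout "$dir/user.key.pem" \
    -subj "/CN=user" -out "$dir/user.csr" 2>/dev/null || return 1
  openssl ca -batch -create_serial -config "$cfg" -passin "$PASS" \
    -in "$dir/user.csr" -out "$dir/user.cert.pem" 2>/dev/null || return 1
  echo "$dir/user.cert.pem"
}

# Print the CRL Distribution Points URI of a cert, or nothing if the extension is
# absent (no other URI-bearing extension is configured above, so "URI:" is specific).
cert_cdp_uri() {
  openssl x509 -in "$1" -noout -text | sed -n 's/^ *URI://p'
}

# Regenerate the CRL for the CA in $1 and bundle it with the root for -CAfile.
gen_crl() {
  openssl ca -config "$1/openssl.cnf" -passin "$PASS" -gencrl -out "$1/ca.crl.pem" 2>/dev/null &&
    cat "$1/ca.root.pem" "$1/ca.crl.pem" > "$1/trust.pem"
}

# Returns 0 only if verify -crl_check accepts a fresh cert and rejects it once revoked.
revoke_and_check() {
  dir="$1"
  cert=$(issue_cert "$dir" correct) || return 1
  gen_crl "$dir" || return 1
  openssl verify -crl_check -CAfile "$dir/trust.pem" "$cert" >/dev/null 2>&1 || return 1
  openssl ca -config "$dir/openssl.cnf" -passin "$PASS" -revoke "$cert" 2>/dev/null || return 1
  gen_crl "$dir" || return 1
  # a 0 exit from verify here would mean the revocation was not honoured
  ! openssl verify -crl_check -CAfile "$dir/trust.pem" "$cert" >/dev/null 2>&1
}
```

Source the script and run, for example, `cert_cdp_uri "$(issue_cert /tmp/ca1 correct)"` to see the URL, `cert_cdp_uri "$(issue_cert /tmp/ca2 misplaced)"` to see that the misplaced key produces no extension at all (openssl ca does not warn about unknown keys in [ CA_default ]), and `revoke_and_check /tmp/ca3` for the end-to-end CRL test. The -CAfile bundle works because OpenSSL loads both certificates and CRLs from a PEM file; in production the CRL would be fetched from the URL in the extension instead.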
