Introduction
Essentially, this tutorial illustrates how to generate a self-signed Root CA, the intermediate CA underneath it, and a certificate issued by that intermediate CA. The Certificate Revocation Lists (CRLs) for both the intermediate CA and the certificate will be stored in OpenLDAP.
Basically, all you need to do to build a Public Key Infrastructure is:
- Step 1: Generate a private key.
- Step 2: Generate a CSR (Certificate Signing Request).
- Step 3: Generate a self-signed certificate.
- Step 4: Convert the CRT to PEM format.
- Step 5: Configure the identity to use server.pem and the private key.
Prerequisites
OpenLDAP server installed; for installation on macOS, see Setting up OpenLDAP in OSX
OpenSSL 3.0.2 installed with Homebrew
- Setup local directories for storing certificates
$ tree tls
tls
├── certs
├── newcerts
└── private
certs: This will be used to keep copies of all of the certificates that we issue with our CA.
private: This will be used to keep a copy of the CA certificate’s private key.
Setup Root CA
cd tls
echo 01 > serial
The serial file is used to keep track of the last serial number that was used to issue a certificate.
touch index.txt
The index.txt file is a database of sorts that keeps track of the certificates that have been issued by the CA.
Now the directory looks like this:
$ tree .
.
├── certs
├── index.txt
├── newcerts
├── private
└── serial
2 directories, 2 files
Configure openssl.cnf for Root CA Certificate
$ cp /opt/homebrew/etc/openssl@1.1/openssl.cnf .
Make changes according to your business needs.
Create the CA’s private-key secret file and encrypt it.
$ echo "my-ca-private-secret-key" > mycapass
$ openssl enc -aes256 -salt -in mycapass -out mycapass.enc
enter aes-256-cbc encryption password:
Verifying - enter aes-256-cbc encryption password:
Create the CA’s private key, protected with the secret:
$ openssl genrsa -des3 -passout file:mycapass.enc -out private/cakey.pem 4096
Generating RSA private key, 4096 bit long modulus
..........++
..................................................................................................................................................................................................................................................++
e is 65537 (0x10001)
Create the Root CA certificate with the v3_ca extensions:
$ openssl req -new -x509 -days 3650 -passin file:mycapass.enc -config openssl.cnf -extensions v3_ca -key private/cakey.pem -out certs/cacert.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [Beijing]:
Locality Name (eg, city) []:Beijing
Organization Name (eg, company) [Ystacks]:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:certificate-manager
Email Address []:admin@ystacks.com
Verify CA Certificate
$ openssl x509 -in certs/cacert.pem -text -noout
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 13020064171232927499 (0xb4b08f6167211f0b)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=CN, ST=Beijing, L=Beijing, O=Ystacks, CN=certificate-manager/emailAddress=admin@ystacks.com
Validity
Not Before: May 8 01:57:59 2022 GMT
Not After : May 5 01:57:59 2032 GMT
Subject: C=CN, ST=Beijing, L=Beijing, O=Ystacks, CN=certificate-manager/emailAddress=admin@ystacks.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (4096 bit)
Modulus:
....
....
X509v3 extensions:
X509v3 Subject Key Identifier:
6A:23:82:FC:AB:98:E7:07:43:18:97:D8:BC:C1:A0:FE:49:F0:51:53
X509v3 Authority Key Identifier:
keyid:6A:23:82:FC:AB:98:E7:07:43:18:97:D8:BC:C1:A0:FE:49:F0:51:53
X509v3 Basic Constraints: critical
CA:TRUE
Intermediate CA Certificate setup
Separate intermediate CA Certificate bundle.
$ mkdir -p intermediate/{certs,csr,private}
$ touch intermediate/index.txt
$ echo 01 > intermediate/serial
$ echo 01 > intermediate/crlnumber
$ tree .
.
├── certs
│ └── cacert.pem
├── index.txt
├── intermediate
│ ├── certs
│ ├── crlnumber
│ ├── csr
│ ├── index.txt
│ ├── private
│ └── serial
├── newcerts
├── mycapass
├── mycapass.enc
├── openssl.cnf
├── private
│ └── cakey.pem
└── serial
6 directories, 10 files
Generate the Root CA CRL file
$ openssl ca -config openssl.cnf -passin file:mycapass.enc -gencrl -keyfile private/cakey.pem -cert certs/cacert.pem -out root.crl.pem
Using configuration from openssl.cnf
# convert PEM to DER format
$ openssl crl -inform PEM -in root.crl.pem -outform DER -out root.crl
# Check CRL content
$ openssl crl -inform DER -in root.crl -text -noout
Certificate Revocation List (CRL):
Version 2 (0x1)
Signature Algorithm: sha1WithRSAEncryption
Issuer: /C=CN/ST=Beijing/L=Beijing/O=Ystacks/CN=certificate-manager/emailAddress=admin@ystacks.com
Last Update: May 8 03:56:31 2022 GMT
Next Update: Jun 7 03:56:31 2022 GMT
CRL extensions:
X509v3 CRL Number:
1
No Revoked Certificates.
Signature Algorithm: sha1WithRSAEncryption
6f:c9:73:3b:a4:24:bf:34:2a:17:d3:2c:0b:56:74:c3:aa:f4:
....
....
Configure openssl.cnf for the Intermediate CA Certificate
Copy the Root CA’s openssl.cnf to the intermediate directory and make changes accordingly:
$ diff openssl.cnf intermediate/openssl.cnf
41c44,45
< dir= ./ # Where everything is kept
---
>
> dir = ./ # Where everything is kept
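Review bot: `dir = ./` stays a relative path, so every `$dir/...` entry in this file resolves against the current working directory rather than the intermediate tree; the `openssl ca` commands later in the tutorial only find the right database and key because they are run after `cd intermediate`. An absolute path, e.g. `dir = /path/to/tls/intermediate`, makes the config independent of where it is invoked.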
47,48c51,53
< new_certs_dir = $dir/newcerts # default place for new certs.
< certificate = $dir/certs/cacert.pem # The CA certificate
---
> new_certs_dir = $dir/newcerts # default place for new certs.
>
> certificate = $dir/certs/intermediate.cacert.pem # The CA certificate
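Review bot: `new_certs_dir = $dir/newcerts` is kept, but the intermediate tree listed later contains only `certs`, `csr` and `private`, so `openssl ca` would fail when it tries to write a newly issued certificate there. Either add `mkdir intermediate/newcerts` to the setup or note that this intermediate only issues via `openssl x509 -req`, which ignores this setting.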
53c58
< private_key = $dir/private/cakey.pem # The private key
---
> private_key = $dir/private/intermediate.cakey.pem # The private key
78c83
< policy = policy_match
---
> policy = policy_anything
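Review bot: `policy = policy_anything` drops the DN checks that `policy_match` enforces (in the stock openssl.cnf the CSR's countryName, stateOrProvinceName and organizationName must equal the CA's own), so this intermediate will sign a CSR carrying any subject. For an internal CA that is acceptable only if subjects are vetted elsewhere; otherwise keep `policy_match` and mark the fields you genuinely need to vary as `optional`.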
Generate Intermediate CA key
$ openssl genrsa -des3 -passout file:mycapass.enc -out intermediate/private/intermediate.cakey.pem 4096
Generating RSA private key, 4096 bit long modulus
.............................................................................................................................................................................++
..................................................................++
e is 65537 (0x10001)
Create the intermediate CA Certificate Signing Request (CSR):
$ openssl req -new -sha256 -config intermediate/openssl.cnf -passin file:mycapass.enc -key intermediate/private/intermediate.cakey.pem -out intermediate/csr/intermediate.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [Beijing]:
Locality Name (eg, city) []:Beijing
Organization Name (eg, company) [Ystacks]:
Organizational Unit Name (eg, section) []:fundation
Common Name (e.g. server FQDN or YOUR name) []:keys
Email Address []:fundation-admin@ystacks.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Sign the CSR and generate the intermediate CA certificate:
$ openssl ca -config openssl.cnf -extensions v3_intermediate_ca -days 2650 -notext -batch -passin file:mycapass.enc -in intermediate/csr/intermediate.csr -out intermediate/certs/intermediate.cacert.pem
Using configuration from openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: May 8 02:43:53 2022 GMT
Not After : Aug 9 02:43:53 2029 GMT
Subject:
countryName = CN
stateOrProvinceName = Beijing
organizationName = Ystacks
organizationalUnitName = fundation
commonName = keys
emailAddress = fundation-admin@ystacks.com
X509v3 extensions:
X509v3 Subject Key Identifier:
86:62:98:57:59:B5:1B:D0:43:86:68:3D:5F:71:83:FA:D4:AE:B7:84
X509v3 Authority Key Identifier:
keyid:6A:23:82:FC:AB:98:E7:07:43:18:97:D8:BC:C1:A0:FE:49:F0:51:53
X509v3 Basic Constraints: critical
CA:TRUE, pathlen:0
X509v3 Key Usage: critical
Digital Signature, Certificate Sign, CRL Sign
Certificate is to be certified until Aug 9 02:43:53 2029 GMT (2650 days)
Write out database with 1 new entries
Data Base Updated
Issue Certificates from Intermediate CA with CSR
Create the end-entity certificate’s private-key secret file:
$ mkdir intermediate/entities
$ cd intermediate
$ echo "my-server-ssl-certificate-secret-key" > entities/serverkeypass
$ openssl enc -aes256 -salt -in entities/serverkeypass -out entities/serverkeypass.enc
enter aes-256-cbc encryption password:
Verifying - enter aes-256-cbc encryption password:
$ tree intermediate
intermediate
├── certs
│ ├── ca-chain-bundle.cert.pem
│ └── intermediate.cacert.pem
├── crlnumber
├── csr
│ └── intermediate.csr
├── entities
│ ├── serverkeypass
│ └── serverkeypass.enc
├── index.txt
├── openssl.cnf
├── private
│ └── intermediate.cakey.pem
└── serial
4 directories, 10 files
Create server Certificate private key
$ openssl genrsa -des3 -passout file:entities/serverkeypass.enc -out entities/server.key.pem 4096
Generating RSA private key, 4096 bit long modulus
...........................................................................................................................++
....................................++
e is 65537 (0x10001)
Create the server CSR with the encrypted private key:
$ openssl req -new -passin file:entities/serverkeypass.enc -key entities/server.key.pem -out entities/server.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) []:CN
State or Province Name (full name) []:HeiLongJiang
Locality Name (eg, city) []:Harbin
Organization Name (eg, company) []:ystacks
Organizational Unit Name (eg, section) []:
Common Name (eg, fully qualified host name) []:www
Email Address []:admin@www.ystacks.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
Configure openssl x509 extensions for server certificate
$ cat entities/server_cert_ext.cnf
basicConstraints = CA:FALSE
nsCertType = server
nsComment = "OpenSSL Generated Server Certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
IP.1 = 10.10.10.10
DNS.1 = www.fundation.ystacks.com
DNS.2 = www.fundation.local
Sign the server CSR with the Subject Alternative Name extension
The intermediate CA private key was generated with the encrypted secret file, so its path must be supplied with -passin:
$ openssl x509 -req -in entities/server.csr -CA certs/ca-chain-bundle.cert.pem -CAkey private/intermediate.cakey.pem -passin file:../mycapass.enc -out entities/server.cert.pem -CAcreateserial -days 365 -sha256 -extfile entities/server_cert_ext.cnf
Signature ok
subject=/C=CN/ST=HeiLongJiang/L=Harbin/O=ystacks/CN=www/emailAddress=admin@www.ystacks.com
Getting CA Private Key
Verify Server Certificate content
$ openssl x509 -in entities/server.cert.pem -text -noout
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 13126094179667691949 (0xb629411c836a49ad)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=CN, ST=Beijing, O=Ystacks, OU=fundation, CN=keys/emailAddress=fundation-admin@ystacks.com
Validity
Not Before: May 8 04:13:42 2022 GMT
Not After : May 8 04:13:42 2023 GMT
Subject: C=CN, ST=HeiLongJiang, L=Harbin, O=ystacks, CN=www/emailAddress=admin@www.ystacks.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (4096 bit)
...
...
...
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Cert Type:
SSL Server
Netscape Comment:
OpenSSL Generated Server Certificate
X509v3 Subject Key Identifier:
76:66:17:60:C9:95:39:78:0D:A6:E7:6E:2F:FC:46:F9:7E:15:A5:2F
X509v3 Authority Key Identifier:
keyid:86:62:98:57:59:B5:1B:D0:43:86:68:3D:5F:71:83:FA:D4:AE:B7:84
DirName:/C=CN/ST=Beijing/L=Beijing/O=Ystacks/CN=certificate-manager/emailAddress=admin@ystacks.com
serial:01
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 Extended Key Usage:
TLS Web Server Authentication
X509v3 Subject Alternative Name:
IP Address:10.10.10.10, DNS:www.fundation.ystacks.com, DNS:www.fundation.local
...
...
Generate the Intermediate CA CRL
$ openssl ca -config openssl.cnf -passin file:../mycapass.enc -gencrl -keyfile private/intermediate.cakey.pem -cert certs/ca-chain-bundle.cert.pem -out intermediate-ca.crl.pem
Using configuration from openssl.cnf
# convert to DER format
$ openssl crl -inform PEM -in intermediate-ca.crl.pem -outform DER -out intermediate-ca.crl
# verify the CRL content
$ openssl crl -inform DER -in intermediate-ca.crl -text -noout
Certificate Revocation List (CRL):
Version 2 (0x1)
Signature Algorithm: sha1WithRSAEncryption
Issuer: /C=CN/ST=Beijing/O=Ystacks/OU=fundation/CN=keys/emailAddress=fundation-admin@ystacks.com
Last Update: May 8 04:18:45 2022 GMT
Next Update: Jun 7 04:18:45 2022 GMT
CRL extensions:
X509v3 CRL Number:
1
No Revoked Certificates.
Signature Algorithm: sha1WithRSAEncryption
7f:99:3b:f0:ae:e4:74:06:f2:e8:87:e0:29:4b:01:29:88:1e:
....
Revoke certificate using OpenSSL
$ openssl ca -config openssl.cnf -passin file:../mycapass.enc -gencrl -keyfile private/intermediate.cakey.pem -cert certs/ca-chain-bundle.cert.pem -revoke entities/server.cert.pem
Using configuration from openssl.cnf
Adding Entry with serial number B629411C836A49AD to DB for /C=CN/ST=HeiLongJiang/L=Harbin/O=ystacks/CN=www/emailAddress=admin@www.ystacks.com
Revoking Certificate B629411C836A49AD.
Data Base Updated
# Update intermediate CA CRL file and check the content
$ openssl ca -config openssl.cnf -passin file:../mycapass.enc -gencrl -keyfile private/intermediate.cakey.pem -cert certs/ca-chain-bundle.cert.pem -out intermediate-ca.crl.pem
Using configuration from openssl.cnf
$ openssl crl -in intermediate-ca.crl.pem -text -noout
Certificate Revocation List (CRL):
Version 2 (0x1)
Signature Algorithm: sha1WithRSAEncryption
Issuer: /C=CN/ST=Beijing/O=Ystacks/OU=fundation/CN=keys/emailAddress=fundation-admin@ystacks.com
Last Update: May 8 04:53:36 2022 GMT
Next Update: Jun 7 04:53:36 2022 GMT
CRL extensions:
X509v3 CRL Number:
3
Revoked Certificates:
Serial Number: B629411C836A49AD
Revocation Date: May 8 04:25:39 2022 GMT
Signature Algorithm: sha1WithRSAEncryption
8a:a6:07:82:29:1e:72:9b:d3:59:e3:93:20:c9:cf:41:7d:7b:
....
The intermediate CA’s database index file is also updated:
$ cat index.txt
R 230508041342Z 220508042539Z B629411C836A49AD unknown /C=CN/ST=HeiLongJiang/L=Harbin/O=ystacks/CN=www/emailAddress=admin@www.ystacks.com
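To make that database format concrete, here is an added Python script (not part of the tutorial) that parses an openssl ca index.txt and answers the questions an operator asks of it: which serials are revoked, whether a given serial is revoked, and which entries have expired without the database being refreshed. The sample records are constructed, with the tutorial's revoked entry restored to its tab-separated form.

```python
"""Parse the `openssl ca` database (index.txt) and answer revocation questions.

Added example, not part of the original tutorial. Each index.txt record is one
tab-separated line:  status  expiry  revocation  serial  filename  subject
status is V (valid), R (revoked) or E (expired); revocation is empty unless the
cert was revoked and may carry ",reason"; dates are UTCTime (YYMMDDHHMMSSZ).
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional


@dataclass
class IndexEntry:
    status: str
    expires: datetime
    revoked_at: Optional[datetime]
    reason: Optional[str]
    serial: str  # upper-case hex, as openssl ca writes it
    subject: str


def utctime(stamp: str) -> datetime:
    """UTCTime as written by openssl ca, e.g. 230508041342Z."""
    return datetime.strptime(stamp, "%y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def parse_index(text: str) -> list[IndexEntry]:
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split("\t")
        if len(fields) != 6:
            raise ValueError(f"malformed index.txt record: {line!r}")
        status, expiry, revocation, serial, _filename, subject = fields
        revoked_at = reason = None
        if revocation:
            stamp, _, reason = revocation.partition(",")
            revoked_at, reason = utctime(stamp), (reason or None)
        entries.append(IndexEntry(status, utctime(expiry), revoked_at,
                                  reason, serial.upper(), subject))
    return entries


def revoked_serials(entries: list[IndexEntry]) -> list[str]:
    """Serials that must appear in the next CRL the CA generates."""
    return sorted(e.serial for e in entries if e.status == "R")


def is_revoked(entries: list[IndexEntry], serial: str) -> bool:
    """Look a certificate up by serial (case-insensitive hex)."""
    return any(e.status == "R" and e.serial == serial.upper() for e in entries)


def expired_but_still_valid(entries: list[IndexEntry], now: datetime) -> list[str]:
    """Serials still marked V although their expiry has passed, i.e. the CA
    database has not been refreshed with `openssl ca -updatedb`."""
    return [e.serial for e in entries if e.status == "V" and e.expires < now]


# Constructed sample: the tutorial's revoked record (tabs restored) plus two
# made-up records to exercise the valid and "revoked with reason" cases.
SAMPLE_INDEX = (
    "R\t230508041342Z\t220508042539Z\tB629411C836A49AD\tunknown\t"
    "/C=CN/ST=HeiLongJiang/L=Harbin/O=ystacks/CN=www/emailAddress=admin@www.ystacks.com\n"
    "V\t230601000000Z\t\t02\tunknown\t/C=CN/O=ystacks/CN=api.fundation.local\n"
    "R\t240101000000Z\t220510120000Z,keyCompromise\t03\tunknown\t/C=CN/O=ystacks/CN=old.fundation.local\n"
)
```

Comparing revoked_serials() against the serials listed in the published CRL is a cheap consistency check that the CRL was regenerated after the last -revoke.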
Let’s verify the server certificate’s status:
# combine intermediate CA's CRL with ca-chain
$ cat intermediate-ca.crl.pem certs/ca-chain-bundle.cert.pem > /tmp/ca-chain-with-crl.pem
# verify server certificate status
$ openssl verify -verbose -CAfile /tmp/ca-chain-with-crl.pem -crl_check entities/server.cert.pem
entities/server.cert.pem: C = CN, ST = HeiLongJiang, L = Harbin, O = ystacks, CN = www, emailAddress = admin@www.ystacks.com
error 23 at 0 depth lookup:certificate revoked
As you can see, the certificate is revoked.
Create a certificate with CRL Distribution Points
Update the server extension file with a cdp section:
basicConstraints = CA:FALSE
nsCertType = server
nsComment = "OpenSSL Generated Server Certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
crlDistributionPoints = @cdp
[cdp]
URI.0 = http://mydomain.com/foundataion-intermediate-root.crl
URI.1 = ldap://127.0.0.1:389/cn=intermediate-cas,dc=mydomain,dc=com
[alt_names]
IP.1 = 10.10.10.10
DNS.1 = www.fundation.ystacks.com
DNS.2 = www.fundation.local
$ openssl x509 -req -in entities/server.csr -CA certs/ca-chain-bundle.cert.pem -CAkey private/intermediate.cakey.pem -passin file:../mycapass.enc -out entities/server-with-crl.cert.pem -CAcreateserial -days 365 -sha256 -extfile entities/server_cert_ext.cnf
Signature ok
subject=/C=CN/ST=HeiLongJiang/L=Harbin/O=ystacks/CN=www/emailAddress=admin@www.ystacks.com
Getting CA Private Key
Verify the generated certificate’s CRL Distribution Points:
$ openssl x509 -in entities/server-with-crl.cert.pem -text -noout | grep -A 7 'CRL Distribution Points'
X509v3 CRL Distribution Points:
Full Name:
URI:http://mydomain.com/foundataion-intermediate-root.crl
Full Name:
URI:ldap://127.0.0.1:389/cn=intermediate-cas,dc=mydomain,dc=com
Upload CRL file to LDAP and HTTP server
- OpenLDAP server
# get the base64 encoded intermediate CA CRL content
$ cat intermediate-ca.crl | base64
# create ldif file for `cRLDistributionPoint` object class
$ cat intermediate_crl.ldif
dn: cn=intermediate-cas,dc=mydomain,dc=com
objectClass: top
objectClass: cRLDistributionPoint
cn: intermediate-cas
certificateRevocationList;binary:: <base64 output of the previous command>
$ ldapadd -D 'cn=admin,dc=mydomain,dc=com' -f ./intermediate_crl.ldif -W -x
Enter LDAP Password:
adding new entry "cn=intermediate-cas,dc=mydomain,dc=com"
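The LDIF above was hand-assembled; as an added example (not from the tutorial), the following Python script writes that cRLDistributionPoint entry from the DER CRL bytes with correct LDIF base64 folding, reads it back to confirm the round trip, and builds the LDAP URI form that RFC 5280 expects in a CRL Distribution Point, which names both the entry's DN and the certificateRevocationList;binary attribute that the tutorial's ldap:// URI omits. The CRL bytes are a constructed stand-in.

```python
"""Write the LDIF that stores a DER CRL in OpenLDAP, and build the LDAP CRL
Distribution Point URI that points at it.

Added example, not from the original tutorial. LDIF (RFC 2849) writes a binary
value as base64 after a double colon and folds long lines at 76 columns with
continuation lines that start with one space. RFC 5280 requires an LDAP CDP
URI to name both the entry's DN and the attribute holding the CRL.
"""
import base64
from urllib.parse import quote

LDIF_WIDTH = 76  # column at which RFC 2849 folds lines
CRL_ATTR = "certificateRevocationList;binary"


def fold(line: str) -> list[str]:
    """Fold one logical LDIF line into physical lines of at most 76 columns."""
    out, rest = [line[:LDIF_WIDTH]], line[LDIF_WIDTH:]
    while rest:
        # the leading space of a continuation line counts toward the width
        out.append(" " + rest[:LDIF_WIDTH - 1])
        rest = rest[LDIF_WIDTH - 1:]
    return out


def crl_ldif(cn: str, base_dn: str, crl_der: bytes) -> str:
    """LDIF for a cRLDistributionPoint entry carrying the CRL as base64."""
    lines = [f"dn: cn={cn},{base_dn}", "objectClass: top",
             "objectClass: cRLDistributionPoint", f"cn: {cn}"]
    b64 = base64.b64encode(crl_der).decode("ascii")
    lines += fold(f"{CRL_ATTR}:: {b64}")
    return "\n".join(lines) + "\n"


def ldif_binary_value(ldif: str, attr: str) -> bytes:
    """Unfold continuation lines and decode a base64 attribute (round-trip check)."""
    logical: list[str] = []
    for line in ldif.splitlines():
        if line.startswith(" ") and logical:
            logical[-1] += line[1:]
        else:
            logical.append(line)
    prefix = f"{attr}:: "
    for line in logical:
        if line.startswith(prefix):
            return base64.b64decode(line[len(prefix):])
    raise KeyError(attr)


def ldap_cdp_uri(host: str, port: int, cn: str, base_dn: str) -> str:
    """RFC 4516 URL ldap://host:port/<dn>?<attrdesc>, as RFC 5280 expects in a
    CDP; characters outside the URL-safe set in the DN are percent-encoded."""
    dn = quote(f"cn={cn},{base_dn}", safe="=,")
    return f"ldap://{host}:{port}/{dn}?{CRL_ATTR}"


# Constructed stand-in for the bytes of intermediate-ca.crl (not a real DER CRL)
SAMPLE_CRL_DER = bytes(range(256)) * 3
```

Feed the real intermediate-ca.crl bytes to crl_ldif() and pass the result to ldapadd -f exactly as in the tutorial.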
Query OpenLDAP stored CRL data
$ ldapsearch -D 'cn=admin,dc=mydomain,dc=com' -b 'dc=mydomain,dc=com' -t -W -x "(objectClass=cRLDistributionPoint)"
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <dc=mydomain,dc=com> with scope subtree
# filter: (objectClass=cRLDistributionPoint)
# requesting: ALL
#
# intermediate-cas, mydomain.com
dn: cn=intermediate-cas,dc=mydomain,dc=com
objectClass: top
objectClass: cRLDistributionPoint
cn: intermediate-cas
certificateRevocationList;binary:< file:///var/folders/f_/7rtcfwb55d194n856zj
nkmtw0000gp/T//ldapsearch-certificateRevocationList;binary-9MIvUp
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
FAQ:
How do I view certificate revocation list?
To do this, open the Chrome DevTools, navigate to the security tab and click on View certificate. From here, click on Details, and scroll down to where you’ll see “CRL Distribution Points”.
How do I revoke a certificate with openssl? cnf file of your authority or -outdir option in the scripts). The openssl ca -config openssl.cnf -gencrl -crldays 30 -out crl.pem will be the actual step to revoke the certificate, producing a signed list using the private key of the authority.