How to generate a certificate revocation list (CRL) and revoke certificates

This tutorial is part of a series on being your own certificate authority, which was written for Fedora but should also work on CentOS/RHEL or any other Linux distribution.

In the first tutorial of the series, we explored how to act as a certificate authority. We also learnt how to create and sign SSL certificates.

However, an important part of being a CA is certificate revocation. Sometimes we want to revoke access for a particular client, or the certificate may even have been compromised and should no longer be trusted.

A certificate revocation list (CRL) is a list of certificates (or more specifically, a list of serial numbers for certificates) that have been revoked, and therefore, entities presenting those (revoked) certificates should no longer be trusted.

Wikipedia

Create the CRL

Before we can generate a CRL, we must create a crlnumber file, which openssl requires to keep track of the next CRL number to use:

echo 1000 > /etc/pki/CA/crlnumber

By default, the openssl configuration file (/etc/pki/tls/openssl.cnf) uses V1 CRL lists. Uncomment the crl_extensions = crl_ext line to enable V2 CRL lists. This is probably a good idea unless you have a strong reason to stick with V1 CRL lists (eg, using an Internet browser from the Jurassic period). Now you can generate the CRL.

NB: Note that you can avoid having to specify -keyfile and -cert options by changing the private_key and certificate options in the [ CA_default ] section of your openssl configuration.

cd /etc/pki/CA
openssl ca -keyfile private/ca.key.pem -cert certs/ca.cert.pem \
    -gencrl -out crl/crl.pem

You can view the CRL with this command:

openssl crl -in /etc/pki/CA/crl/crl.pem -text

There are several other CRL options that can be used when generating your CRL list. See the CRL OPTIONS section in the ca manual page (man ca) for more information.

Create an example certificate

Currently, the CRL isn’t particularly interesting as we haven’t created or revoked any certificates yet. Let’s say that Alice is running an Apache web server and has a private folder of really cute kitten pictures. She wants to grant her friend Bob access to this collection.

Alice first needs to create and sign a cryptographic pair for Bob. This is a user certificate, so Alice is using the usr_cert extension when signing the CSR.

openssl genrsa -out /etc/pki/CA/private/bob@kittens.key.pem 4096
chmod 400 /etc/pki/CA/private/bob@kittens.key.pem
openssl req -new \
    -key /etc/pki/CA/private/bob@kittens.key.pem \
    -out /etc/pki/CA/certs/bob@kittens.csr.pem

You are about to be asked to enter information that will be incorporated
into your certificate request.
-----
Country Name (2 letter code) [XX]:GB
State or Province Name (full name) []:London
Locality Name (eg, city) [Default City]:London
Organization Name (eg, company) [Default Company Ltd]:Alice CA
Organizational Unit Name (eg, section) []:Client Certificate
Common Name (eg, your name or your server's hostname) []:bob@kittens
Email Address []:bob@example.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

cd /etc/pki/CA
openssl ca -keyfile private/ca.key.pem -cert certs/ca.cert.pem \
    -extensions usr_cert -notext -md sha1 \
    -in certs/bob@kittens.csr.pem -out certs/bob@kittens.cert.pem
chmod 444 certs/bob@kittens.cert.pem

If we look in the index.txt database, there should now be an entry for Bob’s certificate:

cat /etc/pki/CA/index.txt

V 140825183639Z   1000  unknown /C=GB/ST=London/O=Alice CA/OU=Client Certificate/CN=bob@kittens/emailAddress=bob@example.com

Revoke the example certificate

Turns out Bob wasn’t behaving. He’s been pretending that the pictures are his own and has been selling them for profit. The cheek! Let’s revoke his access immediately.

openssl ca -keyfile private/ca.key.pem -cert certs/ca.cert.pem \
    -revoke certs/bob@kittens.cert.pem

If you take another look at the index.txt database, you’ll see that the V at the start of the line has changed to an R, which means the certificate has been revoked.

cat /etc/pki/CA/index.txt

R 140825183639Z 130825184208Z 1000  unknown /C=GB/ST=London/O=Alice CA/OU=Client Certificate/CN=bob@kittens/emailAddress=bob@example.com

Note that newly created certificates are also placed in the /etc/pki/CA/newcerts directory, with a filename that matches the serial number in index.txt. For example, Bob’s certificate is also located at /etc/pki/CA/newcerts/1000.pem. When revoking certificates you can point openssl at certificates in this directory, which achieves the same thing as revoking certificates in /etc/pki/CA/certs.

Update the CRL

Now that Bob’s certificate has been revoked, we need to re-generate the CRL:

cd /etc/pki/CA
openssl ca -keyfile private/ca.key.pem -cert certs/ca.cert.pem \
    -gencrl -out crl/crl.pem

Let’s take another look at the CRL:

openssl crl -in /etc/pki/CA/crl/crl.pem -text

Certificate Revocation List (CRL):
...
Revoked Certificates:
    Serial Number: 1000
...

Using the CRL

It’s no use just having the CRL sitting in your /etc/pki/CA/crl directory. Applications need to know about your CRL.

In this particular situation, Alice can add the SSLCARevocationPath directive to her httpd.conf. This directive allows Alice to specify a directory containing her CRL files. When Bob tries to access her kitten pictures again, his client certificate has been revoked so Apache will deny him access. Thank goodness!

Similarly, OpenVPN has a crl-verify directive. This can be used to prevent clients with revoked certificates from being able to connect to the VPN.

CRL distribution point

An alternative approach to let applications know about revoked certificates is to use a CRL distribution point. Since the CRL is just a text file, it can easily be distributed by any web server. For example, Alice may keep her CRL at http://example.com/crl.pem.

Add the following to the [ usr_cert ] section of your /etc/pki/tls/openssl.cnf file:

crlDistributionPoints = URI:http://example.com/crl.pem

Now when you sign a CSR using the usr_cert extension the CRL distribution point will be automatically added. You can check if a certificate has a CRL distribution point set by analysing the certificate:

openssl x509 -in www.example.com.cert.pem -noout -text

Certificate:
        ...
        X509v3 CRL Distribution Points:

            Full Name:
              URI:http://example.com/crl.pem
        ...

Applications that support CRL distribution points will periodically download the CRL from the specified URL to check whether any certificates have been revoked.


Comments

26 responses to “How to generate a certificate revocation list (CRL) and revoke certificates”

  1. Excellent goods from you, man. I have understand your stuff previous to and you are just too excellent.

    I actually like what you’ve acquired here, really like what you’re
    stating and the way in which you say it. You make it enjoyable and you still
    take care of to keep it wise. I cant wait to read much more from you.
    This is actually a great website.

  2. Our new New Balance White Black Mens 574 Trianers Avatar
    Our new New Balance White Black Mens 574 Trianers

    Appreciating the time and effort you put into your site and detailed information you offer. It’s great to come across a blog every once in a while that isn’t the same unwanted rehashed material. Great read! I’ve saved your site and I’m including your RSS feeds to my Google account.

  3. Angebote New Balance Weiß Running Avatar
    Angebote New Balance Weiß Running

    Write more, thats all I have to say. Literally, it seems as though you relied on the video to make your point. You obviously know what youre talking about, why waste your intelligence on just posting videos to your site when you could be giving us something enlightening to read?

  4. au meilleur prix discount New Balance Running Noir Femmes 990 Avatar
    au meilleur prix discount New Balance Running Noir Femmes 990

    I do not know if it’s just me or if everybody else experiencing issues with your blog. It appears as though some of the text on your content are running off the screen. Can somebody else please comment and let me know if this is happening to them as well? This could be a issue with my browser because I’ve had this happen previously. Cheers

  5. calidad superior Adidas Adicolor Entrenamiento Amarillo Negro Hombres Avatar
    calidad superior Adidas Adicolor Entrenamiento Amarillo Negro Hombres

    Hi there! This is kind of off topic but I need some help from an established blog. Is it difficult to set up your own blog? I’m not very techincal but I can figure things out pretty quick. I’m thinking about making my own but I’m not sure where to begin. Do you have any points or suggestions? With thanks

  6. Köper Nike Herr Running Vit Free Avatar
    Köper Nike Herr Running Vit Free

    Good day! This is my 1st comment here so I just wanted to give a quick shout out and tell you I really enjoy reading your articles. Can you recommend any other blogs/websites/forums that go over the same topics? Many thanks!

  7. Moins cher Training Avatar
    Moins cher Training

    This is a terrific blog, could you be involved in doing an interview about how you created it? If so e-mail me!

  8. La bonne qualité des Training Stan Smith Avatar
    La bonne qualité des Training Stan Smith

    Hello! I could have sworn I’ve been to this blog before but after checking through some of the post I realized it’s new to me. Anyhow, I’m definitely happy I found it and I’ll be book-marking and checking back frequently!

  9. Más Vendido Adidas Predator Hombres Avatar
    Más Vendido Adidas Predator Hombres

    Hey there superb website! Does running a blog similar to this take a lot of work? I’ve very little understanding of computer programming however I was hoping to start my own blog in the near future. Anyways, should you have any ideas or techniques for new blog owners please share. I know this is off topic however I just had to ask. Many thanks!

  10. Prix concurrentiel du 1260 Argent Avatar
    Prix concurrentiel du 1260 Argent

    Hey just wanted to give you a brief heads up and let you know a few of the images aren’t loading properly. I’m not sure why but I think its a linking issue. I’ve tried it in two different web browsers and both show the same outcome.

  11. Haut New Balance Rouge Avatar
    Haut New Balance Rouge

    Hi there! Someone in my Facebook group shared this website with us so I came to give it a look. I’m definitely loving the information. I’m book-marking and will be tweeting this to my followers! Superb blog and fantastic style and design.

  12. Vente en ligne New Balance Femmes Bleu Trainers 870 Avatar
    Vente en ligne New Balance Femmes Bleu Trainers 870

    I just added this web site to my feed reader, excellent stuff. Cannot get enough!

  13. Réduits Adidas Femmes Avatar
    Réduits Adidas Femmes

    Please let me know if you’re looking for a article author for your site. You have some really great articles and I feel I would be a good asset. If you ever want to take some of the load off, I’d really like to write some articles for your blog in exchange for a link back to mine. Please blast me an email if interested. Many thanks!

  14. Ne manquez pas Adidas Stan Smith Oxford bleu Running Avatar
    Ne manquez pas Adidas Stan Smith Oxford bleu Running

    Write more, thats all I have to say. Literally, it seems as though you relied on the video to make your point. You clearly know what youre talking about, why waste your intelligence on just posting videos to your site when you could be giving us something informative to read?

  15. Economical New Balance Grey Trianers 1400 Mens Avatar
    Economical New Balance Grey Trianers 1400 Mens

    Hmm it appears like your site ate my first comment (it was super long) so I guess I’ll just sum it up what I submitted and say, I’m thoroughly enjoying your blog. I too am an aspiring blog blogger but I’m still new to everything. Do you have any tips for newbie blog writers? I’d certainly appreciate it.

  16. Descuento súper Mujeres Adidas ZX 700 Polvo Azul Entrenamiento Avatar
    Descuento súper Mujeres Adidas ZX 700 Polvo Azul Entrenamiento

    I absolutely love your blog and find nearly all of your post’s to be exactly what I’m looking for. Do you offer guest writers to write content to suit your needs? I wouldn’t mind producing a post or elaborating on some of the subjects you write concerning here. Again, awesome website!

  17. Cult-classique New Balance Noir Avatar
    Cult-classique New Balance Noir

    I’m not that much of a internet reader to be honest but your blogs really nice, keep it up! I’ll go ahead and bookmark your site to come back down the road. All the best

  18. Durable New Balance Marine Trainers Hommes 574 Avatar
    Durable New Balance Marine Trainers Hommes 574

    Hey! This is my first comment here so I just wanted to give a quick shout out and tell you I genuinely enjoy reading your articles. Can you recommend any other blogs/websites/forums that go over the same topics? Thanks for your time!

  19. Top qualité ZX 750 Rouge Orange RoyalBleu Hommes Avatar
    Top qualité ZX 750 Rouge Orange RoyalBleu Hommes

    Hello there I am so happy I found your web site, I really found you by error, while I was browsing on Askjeeve for something else, Nonetheless I am here now and would just like to say kudos for a marvelous post and a all round entertaining blog (I also love the theme/design), I don? have time to go through it all at the moment but I have book-marked it and also included your RSS feeds, so when I have time I will be back to read much more, Please do keep up the superb job.

  20. Top vente Adidas Hommes Training ZX 700 Gris Blanc Rose Avatar
    Top vente Adidas Hommes Training ZX 700 Gris Blanc Rose

    Greetings! I know this is kind of off topic but I was wondering if you knew where I could locate a captcha plugin for my comment form? I’m using the same blog platform as yours and I’m having difficulty finding one? Thanks a lot!

  21. Migliore qualità Toms Classics Rosa Donna Avatar
    Migliore qualità Toms Classics Rosa Donna

    Hey there would you mind letting me know which hosting company you’re using? I’ve loaded your blog in 3 different internet browsers and I must say this blog loads a lot faster then most. Can you recommend a good hosting provider at a reasonable price? Thanks a lot, I appreciate it!

  22. Sélectionnez respirant Air Jordan 1 Runnings Avatar
    Sélectionnez respirant Air Jordan 1 Runnings

    Hey there, I think your site might be having browser compatibility issues. When I look at your website in Opera, it looks fine but when opening in Internet Explorer, it has some overlapping. I just wanted to give you a quick heads up! Other then that, great blog!

  23. Bonne conçu New Balance Argent Blanc Femmes Trainers 996 Avatar
    Bonne conçu New Balance Argent Blanc Femmes Trainers 996

    Hi there just wanted to give you a quick heads up. The text in your article seem to be running off the screen in Firefox. I’m not sure if this is a format issue or something to do with browser compatibility but I figured I’d post to let you know. The design and style look great though! Hope you get the problem solved soon. Many thanks

  24. de moda Avatar
    de moda

    I just added this webpage to my rss reader, great stuff. Can’t get enough!

  25. Discounted premium Adidas ZX 700 Womens Training Green Grey Avatar
    Discounted premium Adidas ZX 700 Womens Training Green Grey

    Hey there I am so delighted I found your blog, I really found you by accident, while I was looking on Aol for something else, Regardless I am here now and would just like to say many thanks for a tremendous post and a all round entertaining blog (I also love the theme/design), I don? have time to read through it all at the moment but I have book-marked it and also added in your RSS feeds, so when I have time I will be back to read a lot more, Please do keep up the great job.

  26. Pour obtenir d\'origine New Balance Jaune Femmes Trainers Avatar
    Pour obtenir d\’origine New Balance Jaune Femmes Trainers

    I don’t know if it’s just me or if everyone else encountering issues with your website. It appears as though some of the written text in your content are running off the screen. Can someone else please comment and let me know if this is happening to them as well? This might be a issue with my web browser because I’ve had this happen before. Thanks

Leave a Reply

Your email address will not be published. Required fields are marked *