
2014/04/27

How to generate a certificate revocation list (CRL) and revoke certificates

Filed under: Uncategorized — Mathz @ 20:35

This tutorial is part of a series on being your own certificate authority, which was written for Fedora but should also work on CentOS/RHEL or any other Linux distribution.

In the first tutorial of the series, we explored how to act as a certificate authority. We also learnt how to create and sign SSL certificates.

However, an important part of being a CA is certificate revocation. Sometimes we want to revoke access for a particular client, or the certificate may even have been compromised and should no longer be trusted.

A certificate revocation list (CRL) is a list of certificates (or more specifically, a list of serial numbers for certificates) that have been revoked, and therefore, entities presenting those (revoked) certificates should no longer be trusted.

Wikipedia

Create the CRL

Before we can generate a CRL, we must create a crlnumber file, which openssl requires to keep track of the next CRL number to use:

echo 1000 > /etc/pki/CA/crlnumber

By default, the openssl configuration file (/etc/pki/tls/openssl.cnf) produces V1 CRLs. Uncomment the crl_extensions = crl_ext line to enable V2 CRLs. This is probably a good idea unless you have a strong reason to stick with V1 CRLs (eg, using an Internet browser from the Jurassic period). Now you can generate the CRL.

NB: you can avoid having to specify the -keyfile and -cert options by setting the private_key and certificate options in the [ CA_default ] section of your openssl configuration.

cd /etc/pki/CA
openssl ca -keyfile private/ca.key.pem -cert certs/ca.cert.pem \
    -gencrl -out crl/crl.pem

You can view the CRL with this command:

openssl crl -in /etc/pki/CA/crl/crl.pem -text

There are several other options that can be used when generating your CRL. See the CRL OPTIONS section in the ca manual page (man ca) for more information.

Create an example certificate

Currently, the CRL isn’t particularly interesting as we haven’t created or revoked any certificates yet. Let’s say that Alice is running an Apache web server and has a private folder of really cute kitten pictures. She wants to grant her friend Bob access to this collection.

Alice first needs to create a key pair for Bob and sign a certificate for it. This is a user certificate, so Alice uses the usr_cert extension when signing the CSR.

openssl genrsa -out /etc/pki/CA/private/bob@kittens.key.pem 4096
chmod 400 /etc/pki/CA/private/bob@kittens.key.pem
openssl req -new \
    -key /etc/pki/CA/private/bob@kittens.key.pem \
    -out /etc/pki/CA/certs/bob@kittens.csr.pem

You are about to be asked to enter information that will be incorporated
into your certificate request.
-----
Country Name (2 letter code) [XX]:GB
State or Province Name (full name) []:London
Locality Name (eg, city) [Default City]:London
Organization Name (eg, company) [Default Company Ltd]:Alice CA
Organizational Unit Name (eg, section) []:Client Certificate
Common Name (eg, your name or your server's hostname) []:bob@kittens
Email Address []:bob@example.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

cd /etc/pki/CA
openssl ca -keyfile private/ca.key.pem -cert certs/ca.cert.pem \
    -extensions usr_cert -notext -md sha1 \
    -in certs/bob@kittens.csr.pem -out certs/bob@kittens.cert.pem
chmod 444 certs/bob@kittens.cert.pem

If we look in the index.txt database, there should now be an entry for Bob’s certificate:

cat /etc/pki/CA/index.txt

V 140825183639Z   1000  unknown /C=GB/ST=London/O=Alice CA/OU=Client Certificate/CN=bob@kittens/emailAddress=bob@example.com

Revoke the example certificate

Turns out Bob wasn’t behaving. He’s been pretending that the pictures are his own and has been selling them for profit. The cheek! Let’s revoke his access immediately.

openssl ca -keyfile private/ca.key.pem -cert certs/ca.cert.pem \
    -revoke certs/bob@kittens.cert.pem

If you take another look at the index.txt database, you’ll see that the V at the start of the line has changed to an R, which means the certificate has been revoked.

cat /etc/pki/CA/index.txt

R 140825183639Z 130825184208Z 1000  unknown /C=GB/ST=London/O=Alice CA/OU=Client Certificate/CN=bob@kittens/emailAddress=bob@example.com

Note that newly created certificates are also placed in the /etc/pki/CA/newcerts directory, with a filename that matches the serial number in index.txt. For example, Bob’s certificate is also located at /etc/pki/CA/newcerts/1000.pem. When revoking certificates you can point openssl at certificates in this directory, which achieves the same thing as revoking certificates in /etc/pki/CA/certs.

Update the CRL

Now that Bob’s certificate has been revoked, we need to re-generate the CRL:

cd /etc/pki/CA
openssl ca -keyfile private/ca.key.pem -cert certs/ca.cert.pem \
    -gencrl -out crl/crl.pem

Let’s take another look at the CRL:

openssl crl -in /etc/pki/CA/crl/crl.pem -text

Certificate Revocation List (CRL):
...
Revoked Certificates:
    Serial Number: 1000
...
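To make the whole cycle checkable end to end, here is an added example that is not part of the original post: it builds a throwaway CA under a temporary directory (standing in for /etc/pki/CA, with a minimal openssl.cnf written by the script), issues a certificate to bob@kittens, revokes it and reissues the CRL as above, and runs openssl verify -crl_check before and after, which is the same decision Apache or OpenVPN make when handed the CRL. The directory layout, the bob.* file names and the 30-day CRL lifetime are assumptions of the example.

```shell
# Added end-to-end check, not part of the original post: a throwaway CA (standing in
# for /etc/pki/CA) issues, revokes and re-verifies a client cert. Names are constructed.
set -e; CA=$(mktemp -d); trap 'rm -rf "$CA"' EXIT
export OPENSSL_CONF="$CA/openssl.cnf"   # picked up by both "openssl req" and "openssl ca"
mkdir -p "$CA/certs" "$CA/private" "$CA/newcerts" "$CA/crl"
touch "$CA/index.txt"; echo 1000 > "$CA/serial"; echo 1000 > "$CA/crlnumber"
cat > "$OPENSSL_CONF" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
database = $CA/index.txt
new_certs_dir = $CA/newcerts
serial = $CA/serial
crlnumber = $CA/crlnumber
private_key = $CA/private/ca.key.pem
certificate = $CA/certs/ca.cert.pem
default_md = sha256
policy = policy_any
crl_extensions = crl_ext
[ policy_any ]
commonName = supplied
[ crl_ext ]
authorityKeyIdentifier = keyid:always
[ usr_cert ]
basicConstraints = CA:FALSE
[ v3_ca ]
basicConstraints = critical,CA:TRUE
subjectKeyIdentifier = hash
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
[ dn ]
EOF
openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=Alice CA" \
    -keyout "$CA/private/ca.key.pem" -out "$CA/certs/ca.cert.pem" 2>/dev/null
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=bob@kittens" \
    -keyout "$CA/private/bob.key.pem" -out "$CA/certs/bob.csr.pem" 2>/dev/null
openssl ca -batch -days 365 -extensions usr_cert -notext \
    -in "$CA/certs/bob.csr.pem" -out "$CA/certs/bob.cert.pem" 2>/dev/null
regen_crl() { openssl ca -gencrl -crldays 30 -out "$CA/crl/crl.pem" 2>/dev/null; }
verify_with_crl() { openssl verify -crl_check -CAfile "$CA/certs/ca.cert.pem" \
    -CRLfile "$CA/crl/crl.pem" "$1" >/dev/null 2>&1; }   # exit 0 only if trusted AND not on the CRL
crl_lists() { openssl crl -in "$CA/crl/crl.pem" -noout -text | grep -q "Serial Number: $1"; }
regen_crl                                     # empty CRL, as after the post's first -gencrl
verify_with_crl "$CA/certs/bob.cert.pem"; echo "before revocation: accepted"
openssl ca -revoke "$CA/certs/bob.cert.pem" 2>/dev/null   # index.txt: V -> R
regen_crl                                     # the revocation reaches relying parties only via a fresh CRL
if verify_with_crl "$CA/certs/bob.cert.pem"; then echo "still accepted!"; exit 1; fi
crl_lists 1000 && echo "after revocation: rejected, serial 1000 is on the CRL"
```

Two things the script does not show but that matter in production: a CRL whose nextUpdate has passed makes -crl_check reject every certificate, so reissue the CRL on a schedule and not only after a revocation; and Apache 2.4 consults the CRL only when SSLCARevocationCheck is also set, since it defaults to none.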

Using the CRL

It’s no use just having the CRL sitting in your /etc/pki/CA/crl directory. Applications need to know about your CRL.

In this particular situation, Alice can add the SSLCARevocationPath directive to her httpd.conf. This directive allows Alice to specify a directory containing her CRL files. When Bob tries to access her kitten pictures again, his client certificate has been revoked so Apache will deny him access. Thank goodness!

Similarly, OpenVPN has a crl-verify directive. This can be used to prevent clients with revoked certificates from being able to connect to the VPN.

CRL distribution point

An alternative approach to let applications know about revoked certificates is to use a CRL distribution point. Since the CRL is just a text file, it can easily be distributed by any web server. For example, Alice may keep her CRL at http://example.com/crl.pem.

Add the following to the [ usr_cert ] section of your /etc/pki/tls/openssl.cnf file:

crlDistributionPoints = URI:http://example.com/crl.pem

Now when you sign a CSR using the usr_cert extension the CRL distribution point will be automatically added. You can check if a certificate has a CRL distribution point set by analysing the certificate:

openssl x509 -in www.example.com.cert.pem -noout -text

Certificate:
        ...
        X509v3 CRL Distribution Points:

            Full Name:
              URI:http://example.com/crl.pem
        ...

Applications that support CRL distribution points will periodically download the CRL from the specified URL to check whether any certificates have been revoked.

29 Comments »

  27. Hi,

    Thanks for your comment.
    I'm using http://anx.se/

    /Mats

    Comment by Mathz — 2015/08/16 @ 20:06

  29. Either this is outdated or just badly written but this didn't get me anywhere. A lot of info is missing and there are a lot of minor but necessary things this expects you to know.
    Not very useful unless you have a clear picture of what you need to do

    Comment by Matti — 2022/04/21 @ 13:42
