Dr Stephen Henson wrote:
>
> OpenSSL can still produce V1 CRLs. Even if you delete the whole crl_ext
> section it will still generate a V2 CRL. What you need to do is comment
> out the line:
> crl_extensions = crl_ext
> e.g. put a # at the start. When it sees that no crl extension section is
> named it won't set the version to V2. A similar thing is done with
> certificates. This is so you can get a V2 CRL even if you don't want any
> extensions added.
>
> Steve.
> --
It works, thanks!
As some people could be interested in this topic, I summarize the steps I
followed to get the job done.
1. Get a working CA
-------------------
Install openssl and create your own CA using the CA.sh script.
If you want to issue certificates via web to browsers, install a
suitable web server like apache mod-ssl, and create the web pages; the
article by Frederick J. Hirsch at
http://www.camb.opengroup.org/RI/www/prism/wwwj/index.html is a good
point to start from. Then issue certificates to browsers.
2. Revoke a certificate
-----------------------
To revoke a certificate you must put the R flag and the revocation
date/time into the line corresponding to the certificate in the index
file (.../demoCA/index.txt). The way to accomplish the task has been
widely debated on this mailing list. Anyway, I will supply a shell script
similar to the one I use:
#!/bin/sh
#
# -------------------- interface --------------------
# $1 : index file (.../demoCA/index.txt)
# $2 : serial number of the certificate to be revoked
#
# index.txt is tab separated: status, expiry date, revocation date,
# serial, certificate file name, subject. Revoking an entry means
# setting the status to "R" and filling in the revocation date
# (UTC, YYMMDDHHMMSSZ).
PGMNAME=`basename "${0}"`
CERTFILE="${1}"
CERTID="${2}"
# unpredictable temporary name instead of /tmp/tempfile.$$
TMPFILE=`mktemp "${TMPDIR:-/tmp}/revoke.XXXXXX"` || exit 1
NOW=`date -u +"%y%m%d%H%M%SZ"`
# awk exits 1 when no line matched the serial, so the status test
# below really distinguishes "revoked" from "not found"
awk -v CERTID="${CERTID}" -v NOW="${NOW}" 'BEGIN {FS = OFS = "\t"}
    $4 == CERTID {$1 = "R"; $3 = NOW; found = 1}
    {print}
    END {exit found ? 0 : 1}' "${CERTFILE}" >"${TMPFILE}"
if [ "${?}" = 0 ]; then
    echo "${PGMNAME}: certificate n° ${CERTID} successfully revoked"
    mv -f "${TMPFILE}" "${CERTFILE}"
    chmod 720 "${CERTFILE}"
    REVCODE=0
else
    echo "${PGMNAME}: certificate n° ${CERTID} not found"
    rm -f "${TMPFILE}"
    REVCODE=1
fi
exit ${REVCODE}
3. Issue the related CRL
------------------------
You must issue a V1 CRL, as Netscape expects to find this format;
therefore comment out the crl_extensions line in your configuration file
(e.g. /etc/ssleay.cnf):
# crl_extensions = crl_ext # Extensions to add to CRL
default_days
Then issue the command to generate the CRL, providing the pass phrase to
unlock the CA private key:
openssl ca -gencrl -config /etc/ssleay.cnf -out CurrCrl.PEM
and finally convert it into DER format:
openssl crl -inform PEM -in CurrCrl.PEM -outform DER -out Currcrl.crl
4. Provide a CGI to download the CRL
------------------------------------
The following CGI is written in PHP3. You can easily figure out how to
port it to Perl or some other language.
<?
# download crl into browser (DER format)
$crl_file = "Currcrl.crl";                 # the file produced in step 3
$file_size = filesize($crl_file);
$fd = fopen($crl_file, "rb");              # binary mode: the CRL is DER
$CrlToBrowser = fread($fd, $file_size);
fclose($fd);
Header("Content-Type: application/x-pkcs7-crl");
Header("Content-Length: $file_size");
echo $CrlToBrowser;
?>
5. Download the CRL into Communicator
-------------------------------------
You can now download the CRL by invoking the CGI. You will find the CRL by
selecting "Security/Certificates-Signers" and "View/Edit CRLs".
Communicator now marks as invalid the signatures made with a revoked
certificate.
--
Mario
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
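A check worth running after step 3, added here as an example and not part of Mario's post or of OpenSSL itself: a short Python script that decodes the DER CRL just far enough to tell a V1 CRL (no version field, no crlExtensions) from the V2 CRL that a named crl_extensions section produces. The sample CRLs it builds are constructed in-line with an empty issuer and a placeholder signature; `build_sample_crl` and the other function names are assumptions of this example.

```python
"""Check whether a DER CRL is V1 (what Communicator wanted) or V2 with extensions."""


def der(tag, body):
    """Encode one DER TLV (definite length, short or long form)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def read_tlv(buf, pos):
    """Decode the TLV at buf[pos]; return (tag, value, position after it)."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:                       # long-form length
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n


def children(value):
    """Split the content of a constructed type into its (tag, value) elements."""
    out, pos = [], 0
    while pos < len(value):
        tag, v, pos = read_tlv(value, pos)
        out.append((tag, v))
    return out


def crl_version_and_extensions(crl_der):
    """Return (version, has_extensions) for a DER CertificateList.
    A V1 TBSCertList has no version field, so its first element is the
    signature AlgorithmIdentifier (SEQUENCE, 0x30). A V2 one starts with an
    INTEGER (0x02) and may end with [0] EXPLICIT crlExtensions (0xA0)."""
    _, cert_list, _ = read_tlv(crl_der, 0)
    _, tbs, _ = read_tlv(cert_list, 0)
    fields = children(tbs)
    version = 2 if fields[0][0] == 0x02 else 1
    return version, fields[-1][0] == 0xA0


def build_sample_crl(with_extensions):
    """Constructed minimal CRL for the demo; the signature is a placeholder."""
    alg = der(0x30, der(0x06, bytes.fromhex("2A864886F70D010105")))  # sha1WithRSA
    body = alg + der(0x30, b"") + der(0x17, b"990101000000Z")  # issuer, thisUpdate
    if with_extensions:  # crlNumber = 1, which requires version v2(1)
        ext = der(0x30, der(0x06, bytes.fromhex("551D14")) + der(0x04, der(0x02, b"\x01")))
        body = der(0x02, b"\x01") + body + der(0xA0, der(0x30, ext))
    return der(0x30, der(0x30, body) + alg + der(0x03, b"\x00" * 17))
```

To check the file produced in step 3, pass `open("Currcrl.crl", "rb").read()` to `crl_version_and_extensions`; `(1, False)` is the V1 result the post is after, while `(2, True)` means the crl_extensions line is still active.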