On Tue, Nov 08, 2005, david kine wrote:
> In the book "Network Security with OpenSSL" on pages 124-125 is a list of
> OpenSSL commands to create a root CA, and a server CA signed with the root CA.
>
> My question is, how would I use the openssl CA command to revoke the server
> CA certificate by the root CA, and generate a CRL?
>
> I have tried "openssl ca -revoke ....." and "openssl ca -crl ......" without
> success.
>
> ----
>
> Here are the commands to create the root CA:
>
> 1. openssl req -newkey rsa:1024 -sha1 -keyout rootkey.pem -out rootreq.pem
>
> 2. openssl x509 -req -in rootreq.pem -sha1 -extensions v3_ca -signkey rootkey.pem -out rootcert.pem
>
> 3. cat rootcert.pem rootkey.pem > root.pem
>
> And to create the server CA signed by the root CA:
>
> 4. openssl req -newkey rsa:1024 -sha1 -keyout serverCAkey.pem -out serverCAreq.pem
>
> 5. openssl x509 -req -in serverCAreq.pem -sha1 -extensions v3_ca -CA root.pem -CAkey root.pem -CAcreateserial -out serverCAcert.pem
>
> 6. cat serverCAcert.pem serverCAkey.pem rootcert.pem > serverCA.pem
>
The 'ca -gencrl' option will only directly work on a CA that is generated by
the 'ca' command. Some guides still tell you to create certificates manually
using the 'x509' command.

If you can instead use the CA.pl script to generate the certificates then the
revoke and gencrl options should work.

Alternatively if you need to use the existing certificates you can create the
necessary structure with CA.pl -newca and give it the root CA certificate file
when prompted.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                               [EMAIL PROTECTED]
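The following script is an added example, not code from the thread, from the book, or from the OpenSSL project. It does by hand what Steve's answer says 'CA.pl -newca' sets up: the index.txt/serial/crlnumber database that 'openssl ca' reads, with the root CA certificate and key placed where the config points. To run stand-alone it generates a fresh self-signed root rather than reusing the poster's root.pem, issues the server CA through 'openssl ca' instead of 'x509 -req' (so the certificate is recorded in the database), then revokes it with 'ca -revoke' and emits a CRL with 'ca -gencrl'. The directory layout, the ca.cnf contents, the subject names and the file names are all assumptions chosen for the example; only the openssl subcommands and options are real.

```shell
#!/bin/sh
# Added example (not from the thread or the book): build the database layout
# that 'openssl ca' expects, issue a server CA through 'ca' so it is recorded
# there, then revoke it and generate a CRL signed by the root.
# All paths, the config below and the subject names are assumptions.
set -eu

demo_revoke_and_crl() {
    work="$1"
    mkdir -p "$work/demoCA/newcerts" "$work/demoCA/private"
    (
    cd "$work"
    : > demoCA/index.txt          # empty certificate database
    echo 01 > demoCA/serial       # next certificate serial number
    echo 01 > demoCA/crlnumber    # next CRL number

    # Minimal config: [root_ca] tells 'ca' where the database, the CA
    # certificate and the CA key live, and which extensions to add.
    cat > ca.cnf <<'EOF'
[ ca ]
default_ca = root_ca

[ root_ca ]
dir              = ./demoCA
database         = $dir/index.txt
new_certs_dir    = $dir/newcerts
serial           = $dir/serial
crlnumber        = $dir/crlnumber
certificate      = $dir/cacert.pem
private_key      = $dir/private/cakey.pem
default_md       = sha256
default_days     = 365
default_crl_days = 30
policy           = policy_any
x509_extensions  = v3_ca

[ policy_any ]
commonName = supplied

[ req ]
distinguished_name = req_dn

[ req_dn ]
commonName = Common Name

[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage         = critical, keyCertSign, cRLSign
EOF

    # Root CA: self-signed; the key is left unencrypted because it is a
    # throwaway test key. cRLSign is needed for verifiers to accept its CRL.
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -config ca.cnf -extensions v3_ca -subj "/CN=Example Root CA" \
        -keyout demoCA/private/cakey.pem -out demoCA/cacert.pem >/dev/null

    # Server CA request, signed with 'ca' rather than 'x509 -req' so that
    # the certificate lands in index.txt and can be revoked later.
    openssl req -new -newkey rsa:2048 -nodes -sha256 -config ca.cnf \
        -subj "/CN=Example Server CA" \
        -keyout serverCAkey.pem -out serverCAreq.pem >/dev/null
    openssl ca -batch -config ca.cnf -notext \
        -in serverCAreq.pem -out serverCAcert.pem >/dev/null

    # Revoke the server CA (marks its row 'R' in index.txt) and issue a CRL.
    openssl ca -config ca.cnf -revoke serverCAcert.pem \
        -crl_reason superseded >/dev/null
    openssl ca -config ca.cnf -gencrl -out root.crl.pem >/dev/null

    # Checks: database shows the revocation, the CRL lists serial 01, and
    # chain verification against that CRL now rejects the certificate.
    grep -q '^R' demoCA/index.txt
    openssl crl -in root.crl.pem -noout -text | grep -q 'Serial Number: 01'
    out=$(openssl verify -crl_check -CAfile demoCA/cacert.pem \
              -CRLfile root.crl.pem serverCAcert.pem 2>&1) || true
    printf '%s\n' "$out" | grep -q 'certificate revoked'
    echo revoked
    )
}
```

Run it as `demo_revoke_and_crl "$(mktemp -d)"`; it prints `revoked` only if all three checks pass. The point of issuing the server CA through 'ca' is that '-revoke' finds certificates by serial number in index.txt, so a certificate made with 'x509 -req' has no entry to revoke even after the root is imported with 'CA.pl -newca'; with the poster's existing root you would still need to re-issue (or hand-register) the server CA in that database before '-revoke' and '-gencrl' work.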