Michael Leone on 18 Jun 2019 12:46:11 -0700
[PLUG] CA Certificates and crls
So I hope somebody here can help me out, so I don't have to join another list for just a couple of questions.

I am creating my own Certificate Authority, using Debian 9.9 (been so long since I used Debian, but it all comes back ...). Anyway, I can create the private key, and the root CA, and all seems good. It's the crl that I'm having an issue with.

This CA is intended to be an offline root CA, and there will be a sub-CA (on Windows) that actually issues the certs to the web servers and devices. That's Best Practice, I am told. Now, I'm told that the offline root CA *must* have a crl (certificate revocation list) for Windows to fully verify the length of the certificate chain, and this crl file will be held in a CDP (CRL Distribution Point), which effectively is just a website holding crl files.

Creating a crl file for the CA is easy enough - openssl ca -gencrl - but it's the example openssl.cnf parts that are confusing me. Most have something like this:

    [ server_cert ]
    crlDistributionPoints = @crl_info

    [crl_info]
    URI.0 = http://crl.grilledcheese.us/whomovedmycheese.crl

Now, the part confusing me is that the URI.0 seems to specify a single crl file, for a specific cert. I would have thought it to just be the URL of where the crl file will live, and not be hardcoded to a single filename. Why isn't URI.0 just the webserver name http://crl.grilledcheese.us/? Why does it have the name of the crl generated for the root CA cert, in this example?

https://devcentral.f5.com/s/articles/building-an-openssl-certificate-authority-configuring-crl-and-ocsp-27897

What concept am I missing here? Is it that the URI.0 is the name of the single file full of revoked certificates, along with the website URL? And that, despite the plural in the "crlDistributionPoints" variable, it points to a single file in a single webserver?

-- 
Michael J. Leone, <mailto:turgon@mike-leone.com>

PGP Fingerprint: 0AA8 DC47 CB63 AE3F C739 6BF9 9AB4 1EF6 5AA5 BCDF
Photo Gallery: <http://www.flickr.com/photos/mikeleonephotos>

Just backpacking through the Uncanny Valley ....

___________________________________________________________________________
Philadelphia Linux Users Group -- http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion -- http://lists.phillylinux.org/mailman/listinfo/plug
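An added example, not from the post above or the linked F5 article: a throwaway shell session that issues a leaf cert carrying a crlDistributionPoints extension, revokes it, and runs openssl ca -gencrl to produce the single CRL file that the URI.0 value names. The CA name, hostname crl.demo-ca.example and file name demo-root.crl are placeholders chosen for the demo.

```shell
#!/bin/sh
# Constructed demo (not the poster's config): a throwaway root CA whose
# leaf certs carry a CDP naming ONE CRL file, then the CRL that lists a
# revoked serial. Hostnames, file names and the serial are placeholders.
set -eu

demo_cdp() {
  work=$(mktemp -d) && cd "$work"
  cat > demo.cnf <<'EOF'
[ ca ]
default_ca = demo_ca
[ demo_ca ]
database = index.txt
certificate = root.crt
private_key = root.key
default_md = sha256
default_crl_days = 30
crlnumber = crlnumber
[ req ]
distinguished_name = req_dn
x509_extensions = root_cert
[ req_dn ]
[ root_cert ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[ leaf_cert ]
basicConstraints = CA:FALSE
# The CDP stores the full URL of the CRL *file*, not just the web server.
crlDistributionPoints = @crl_info
[ crl_info ]
URI.0 = http://crl.demo-ca.example/demo-root.crl
EOF
  : > index.txt; echo 01 > crlnumber
  openssl req -config demo.cnf -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj '/CN=Demo Root CA' -keyout root.key -out root.crt 2>/dev/null
  openssl req -config demo.cnf -new -newkey rsa:2048 -nodes \
    -subj '/CN=www.demo-ca.example' -keyout leaf.key -out leaf.csr 2>/dev/null
  openssl x509 -req -in leaf.csr -CA root.crt -CAkey root.key -set_serial 4242 \
    -days 30 -extfile demo.cnf -extensions leaf_cert -out leaf.crt 2>/dev/null
  # Revoke the leaf, then publish one CRL covering every cert this CA revoked.
  openssl ca -config demo.cnf -revoke leaf.crt 2>/dev/null
  openssl ca -config demo.cnf -gencrl -out demo-root.crl 2>/dev/null
  # Print the CDP URL embedded in the leaf, then the revoked serial (hex 1092).
  openssl x509 -in leaf.crt -noout -text | grep -o 'URI:[^ ]*'
  openssl crl -in demo-root.crl -noout -text | grep -o 'Serial Number: [0-9A-F]*'
}
```

Every cert the CA signs with the leaf_cert section gets the same URI.0, and demo-root.crl is the one file a relying party fetches from that URL to check any of them.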