Michael Leone on 18 Jun 2019 12:46:11 -0700

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

[PLUG] CA Certificates and crls

So I hope somebody here can help me out. so I don't have to join
another list for just a couple questions.

I am creating my own Certificate Authority, using Debian 9.9 (been so
long since I used Debian, but it all comes back ...)

Anyway, I can create the private key, and the root CA, and all seems
good. It's the crl that I'm having an issue with.

This CA is intended to be an offline root CA, and there will be a
sub-CA (on Windows) that actually issues the certs to the web servers
and devices. That's Best Practice, I am told.

Now, I'm told that the offline root CA *must* have a crl (certificate
revocation list) for Windows to fully verify the length of the
certificate chain, and this crl file will be held in a CDP (CRL
Distribution Point) which effectively is just a website holding crl

Creating a crl file for the CA is easy enough - openssl ca -gencrl -
but it's the example openssl.cnf parts that are confusing me.

Most have something like this:

[ server_cert ]
crlDistributionPoints = @crl_info

URI.0 = http://crl.grilledcheese.us/whomovedmycheese.crl

Now, the part confusing me is that the URI.0 seems to specify a single
crl file, for a specific cert. I would have thought it to just be the
URL of where the crl file will live, and not be hardcoded to a single

Why isn't URI.0 just the webserver name http://crl.grilledcheese.us/?
Why does it have the name of the crl generated for the root ca cert,
in this example?

What concept am I missing here?

Is it that the URI.0 is the name of the single file full of revoked
certificates, along with the website URL? And that, despite the plural
in the "crlDistributionPoints" variable, it points to a single file in
a single webserver?


Michael J. Leone, <mailto:turgon@mike-leone.com>

PGP Fingerprint: 0AA8 DC47 CB63 AE3F C739 6BF9 9AB4 1EF6 5AA5 BCDF
Photo Gallery: <http://www.flickr.com/photos/mikeleonephotos>

Just backpacking through the Uncanny Valley ....
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug