brent timothy saner on 18 Jun 2019 12:54:27 -0700



Re: [PLUG] CA Certificates and crls


On 6/18/19 3:45 PM, Michael Leone wrote:
> 
> Why isn't URI.0 just the webserver name http://crl.grilledcheese.us/?
> Why does it have the name of the crl generated for the root ca cert,
> in this example?
> https://devcentral.f5.com/s/articles/building-an-openssl-certificate-authority-configuring-crl-and-ocsp-27897
> 
> What concept am I missing here?
> 
> Is it that the URI.0 is the name of the single file full of revoked
> certificates, along with the website URL? And that, despite the plural
> in the "crlDistributionPoints" variable, it points to a single file in
> a single webserver?
> 
> 

It has to be a full URI (hence the tag - URI - instead of "domain" or
"server" or the like) because it has to know the specific path to the
CDP for the certificate. The CDP is embedded into the certificate so the
remote validator knows where to verify against it. (There's also a
method for distributing CRLs and installing them locally on systems, and
thus allowing you to use a CRL issuer *name* instead, but that's lame.)

You can have multiple CRLs for one certificate, hence the indexed
directive (URI.0, URI.1, etc.).

https://tools.ietf.org/html/rfc5280
https://tools.ietf.org/html/rfc5280#section-4.2.1.13

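As an added example (not from the thread or from any project mentioned in it), this is what those URI.0/URI.1 entries become inside the certificate: a stdlib-only encoder and decoder for the CRLDistributionPoints extension value from RFC 5280 section 4.2.1.13, one DistributionPoint per URI. The file names under crl.grilledcheese.us are made up for the sample.

```python
# Hand-rolled DER for CRLDistributionPoints (RFC 5280, 4.2.1.13).
# Only the fullName / uniformResourceIdentifier branch is handled,
# which is what OpenSSL emits for crlDistributionPoints = URI.0:..., URI.1:...

def _len(n: int) -> bytes:
    # DER length: short form below 128, else 0x80|count followed by big-endian bytes
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + _len(len(content)) + content

def encode_crl_distribution_points(uris):
    """Build the extension value: SEQUENCE OF DistributionPoint, one per URI."""
    points = []
    for uri in uris:
        general_name = _tlv(0x86, uri.encode("ascii"))  # [6] IMPLICIT IA5String (a URI, not a host)
        full_name = _tlv(0xA0, general_name)            # fullName [0] IMPLICIT GeneralNames
        dp_name = _tlv(0xA0, full_name)                 # distributionPoint [0] EXPLICIT (it is a CHOICE)
        points.append(_tlv(0x30, dp_name))              # DistributionPoint SEQUENCE
    return _tlv(0x30, b"".join(points))

def _read_tlv(buf: bytes, pos: int):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        count = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + count], "big"), pos + count
    return tag, buf[pos:pos + length], pos + length

def _children(content: bytes):
    pos = 0
    while pos < len(content):
        tag, value, pos = _read_tlv(content, pos)
        yield tag, value

def decode_crl_distribution_points(der: bytes):
    """Return the CRL URIs a validator would fetch, in the order they appear."""
    tag, seq, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("CRLDistributionPoints must be a SEQUENCE")
    uris = []
    for _, dp in _children(seq):
        for field_tag, field in _children(dp):
            if field_tag != 0xA0:                       # skip reasons [1] and cRLIssuer [2]
                continue
            for name_tag, names in _children(field):
                if name_tag != 0xA0:                    # nameRelativeToCRLIssuer [1] not handled
                    continue
                uris += [gn.decode("ascii") for t, gn in _children(names) if t == 0x86]
    return uris

if __name__ == "__main__":
    # Constructed sample: two CDPs, as URI.0 and URI.1 would produce
    sample = ["http://crl.grilledcheese.us/root.crl", "http://crl.grilledcheese.us/root-backup.crl"]
    print(decode_crl_distribution_points(encode_crl_distribution_points(sample)))
```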

___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug