Michael Leone on 18 Jun 2019 16:16:09 -0700



Re: [PLUG] CA Certificates and crls


Thanks. I can never decipher those RFCs.

So I'm right, and that URI should be the actual path to a single file, that contains the revocations of other certificates? The file name, as well as the server (or load balancer site) to get that file?

On Tue, Jun 18, 2019 at 3:54 PM brent timothy saner <brent.saner@gmail.com> wrote:
On 6/18/19 3:45 PM, Michael Leone wrote:
>
> Why isn't URI.0 just the webserver name http://crl.grilledcheese.us/?
> Why does it have the name of the crl generated for the root ca cert,
> in this example?
> https://devcentral.f5.com/s/articles/building-an-openssl-certificate-authority-configuring-crl-and-ocsp-27897
>
> What concept am I missing here?
>
> Is it that the URI.0 is the name of the single file full of revoked
> certificates, along with the website URL? And that, despite the plural
> in the "crlDistributionPoints" variable, it points to a single file in
> a single webserver?
>
>

it has to be a full URI (hence the tag - URI - instead of "domain" or
"server" or the like) because it has to know the specific path to the
CDP for the certificate. the CDP is embedded into the certificate so the
remote validator knows where to verify against it. (there's also a
method for distributing CRLs and installing them locally on systems, and
thus allowing you to use a CRL issuer *name* instead, but that's lame.)

you can have multiple CRLs for one certificate, hence the indexed
directive (URI.0, URI.1, etc.).

https://tools.ietf.org/html/rfc5280
https://tools.ietf.org/html/rfc5280#section-4.2.1.13

___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug
--
"Well, it wasn't actually dreadful. It was mildly lamentable."
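The following is an added example, not part of this thread or of the F5 article it links; it uses only the Python standard library. It builds the DER value of a `crlDistributionPoints` extension the way OpenSSL does for a section with `URI.0`, `URI.1`, ... lines (one DistributionPoint per URI, each carrying a single uniformResourceIdentifier GeneralName, per RFC 5280 section 4.2.1.13), parses such a value back, and flags a CDP entry that names only a web server rather than a CRL file. The URIs and the DER are constructed here; the `.crl` file names are made up.

```python
"""Build and parse an X.509 CRLDistributionPoints extension value
(RFC 5280 section 4.2.1.13) with only the standard library.

Each `URI.n = ...` line in an OpenSSL crlDistributionPoints section becomes
one DistributionPoint whose fullName holds a single uniformResourceIdentifier
GeneralName.  Everything below is constructed for this example.
"""
from urllib.parse import urlparse

# ASN.1 tags used by the extension.  RFC 5280 uses IMPLICIT tagging, except
# that the CHOICE DistributionPointName is wrapped EXPLICITLY by [0].
TAG_SEQUENCE = 0x30
TAG_CTX0_CONSTRUCTED = 0xA0   # [0] distributionPoint and [0] fullName
TAG_CTX6_PRIMITIVE = 0x86     # [6] uniformResourceIdentifier (IA5String)


def _der_len(n: int) -> bytes:
    """Encode a DER length (short form below 128, long form above)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, payload: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(payload)) + payload


def encode_cdp(uris):
    """DER-encode CRLDistributionPoints for a list of full URIs,
    one DistributionPoint per URI, as OpenSSL does for URI.0, URI.1, ..."""
    points = b""
    for uri in uris:
        general_name = _tlv(TAG_CTX6_PRIMITIVE, uri.encode("ascii"))
        full_name = _tlv(TAG_CTX0_CONSTRUCTED, general_name)   # [0] GeneralNames
        dp_name = _tlv(TAG_CTX0_CONSTRUCTED, full_name)        # [0] DistributionPointName
        points += _tlv(TAG_SEQUENCE, dp_name)                  # DistributionPoint
    return _tlv(TAG_SEQUENCE, points)


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos) for the TLV starting at pos."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def _iter_tlvs(buf: bytes):
    pos = 0
    while pos < len(buf):
        tag, value, pos = _read_tlv(buf, pos)
        yield tag, value


def parse_cdp(der: bytes):
    """Return the URIs found in a CRLDistributionPoints value.

    Points using nameRelativeToCRLIssuer or a non-URI GeneralName are
    skipped: a validator cannot fetch those over the network directly."""
    tag, points, _ = _read_tlv(der, 0)
    if tag != TAG_SEQUENCE:
        raise ValueError("CRLDistributionPoints must be a SEQUENCE")
    uris = []
    for dp_tag, dp in _iter_tlvs(points):
        if dp_tag != TAG_SEQUENCE:
            raise ValueError("DistributionPoint must be a SEQUENCE")
        for field_tag, field in _iter_tlvs(dp):
            if field_tag != TAG_CTX0_CONSTRUCTED:   # reasons [1] or cRLIssuer [2]
                continue
            name_tag, names, _ = _read_tlv(field, 0)
            if name_tag != TAG_CTX0_CONSTRUCTED:    # nameRelativeToCRLIssuer [1]
                continue
            for gn_tag, gn in _iter_tlvs(names):
                if gn_tag == TAG_CTX6_PRIMITIVE:
                    uris.append(gn.decode("ascii"))
    return uris


def cdp_problems(uri: str):
    """List reasons a CDP entry will not work for a validator that simply
    fetches it: it has to be a complete URL naming the CRL file itself."""
    p = urlparse(uri)
    problems = []
    if p.scheme not in ("http", "https", "ldap"):
        problems.append("scheme should be http or ldap")
    if not p.netloc:
        problems.append("no host")
    if p.scheme in ("http", "https") and p.path in ("", "/"):
        problems.append("no file path: a bare server name does not name a CRL")
    return problems


if __name__ == "__main__":
    # Constructed sample: two distribution points for the same certificate.
    sample = ["http://crl.grilledcheese.us/EXAMPLE-root.crl",
              "http://crl-backup.example.test/EXAMPLE-root.crl"]
    der = encode_cdp(sample)
    for uri in parse_cdp(der):
        print(uri, cdp_problems(uri) or "ok")
    print("http://crl.grilledcheese.us/", cdp_problems("http://crl.grilledcheese.us/"))
```

Running it shows the two full URIs round-tripping through the extension and the bare server name being rejected for lacking a file path, which is the distinction the thread is about: the validator only has what is embedded in the certificate, so that value must be the complete location of the CRL, and a second `URI.1` entry simply becomes a second DistributionPoint to try.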