Michael Leone on 18 Jun 2019 12:46:11 -0700



[PLUG] CA Certificates and crls


So I hope somebody here can help me out, so I don't have to join
another list for just a couple of questions.

I am creating my own Certificate Authority, using Debian 9.9 (been so
long since I used Debian, but it all comes back ...)

Anyway, I can create the private key, and the root CA, and all seems
good. It's the crl that I'm having an issue with.

This CA is intended to be an offline root CA, and there will be a
sub-CA (on Windows) that actually issues the certs to the web servers
and devices. That's Best Practice, I am told.

Now, I'm told that the offline root CA *must* have a crl (certificate
revocation list) for Windows to fully verify the length of the
certificate chain, and this crl file will be held in a CDP (CRL
Distribution Point) which effectively is just a website holding crl
files.

Creating a crl file for the CA is easy enough - openssl ca -gencrl -
but it's the example openssl.cnf parts that are confusing me.

Most have something like this:

[ server_cert ]
crlDistributionPoints = @crl_info

[crl_info]
URI.0 = http://crl.grilledcheese.us/whomovedmycheese.crl

Now, the part confusing me is that the URI.0 seems to specify a single
crl file, for a specific cert. I would have thought it to just be the
URL of where the crl file will live, and not be hardcoded to a single
filename.

Why isn't URI.0 just the webserver name http://crl.grilledcheese.us/?
Why does it have the name of the crl generated for the root ca cert,
in this example?
https://devcentral.f5.com/s/articles/building-an-openssl-certificate-authority-configuring-crl-and-ocsp-27897

What concept am I missing here?

Is it that the URI.0 is the name of the single file full of revoked
certificates, along with the website URL? And that, despite the plural
in the "crlDistributionPoints" variable, it points to a single file in
a single webserver?


-- 

Michael J. Leone, <mailto:turgon@mike-leone.com>

PGP Fingerprint: 0AA8 DC47 CB63 AE3F C739 6BF9 9AB4 1EF6 5AA5 BCDF
Photo Gallery: <http://www.flickr.com/photos/mikeleonephotos>

Just backpacking through the Uncanny Valley ....
___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug
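To see what the URI in crlDistributionPoints is actually for, here is an added shell example (not from this post or from the linked F5 article): it builds a throwaway root CA with openssl, issues one certificate carrying the extension, publishes the CA's CRL, and checks the certificate against that CRL before and after revoking it. It assumes openssl 1.1 or later on PATH; the CDP URL is a placeholder and the CRL is read from disk rather than fetched over HTTP.

```shell
#!/bin/sh
# Added example, not from the original post. The point it shows: the CDP URI
# names the one CRL file the CA signs, and a relying party fetches exactly
# that URL, so a bare hostname would not be usable.
# Assumes openssl 1.1+; CDP URL is a placeholder, CRL is read locally.
set -e
WORK=$(mktemp -d)
CDP="http://crl.example.test/root-ca.crl"   # placeholder CDP: one CRL file
# Minimal openssl.cnf covering the CA database, CRL settings and extensions.
cat > "$WORK/ca.cnf" <<EOF
[ ca ]
default_ca = root_ca
[ root_ca ]
database = $WORK/index.txt
crlnumber = $WORK/crlnumber
certificate = $WORK/ca.crt
private_key = $WORK/ca.key
default_md = sha256
default_crl_days = 30
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
[ dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[ server_cert ]
crlDistributionPoints = URI:$CDP
EOF
: > "$WORK/index.txt"; echo 01 > "$WORK/crlnumber"
# Root CA key and self-signed cert, then a leaf signed with server_cert exts.
openssl req -x509 -new -newkey rsa:2048 -nodes -config "$WORK/ca.cnf" -days 30 \
  -subj "/CN=Offline Root CA" -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
openssl req -new -newkey rsa:2048 -nodes -config "$WORK/ca.cnf" \
  -subj "/CN=www.example.test" -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
  -CAcreateserial -days 30 -extfile "$WORK/ca.cnf" -extensions server_cert \
  -out "$WORK/leaf.crt" 2>/dev/null
cdp_in_cert() { openssl x509 -in "$WORK/leaf.crt" -noout -text | grep 'URI:'; }
gen_crl() { openssl ca -config "$WORK/ca.cnf" -gencrl -out "$WORK/root-ca.crl" 2>/dev/null; }
revoke_leaf() { openssl ca -config "$WORK/ca.cnf" -revoke "$WORK/leaf.crt" 2>/dev/null; }
verify_leaf() {   # prints "good" or "revoked"; -crl_check consults the CRL
  openssl verify -crl_check -CAfile "$WORK/ca.crt" -CRLfile "$WORK/root-ca.crl" \
    "$WORK/leaf.crt" >/dev/null 2>&1 && echo good || echo revoked
}
gen_crl; BEFORE_REVOKE=$(verify_leaf)               # empty CRL: chain is good
revoke_leaf; gen_crl; AFTER_REVOKE=$(verify_leaf)   # reissued CRL lists the leaf
echo "CDP in leaf:$(cdp_in_cert)"; echo "before: $BEFORE_REVOKE, after: $AFTER_REVOKE"
```

The same CA can list several URIs (URI.0, URI.1, ...) as mirrors of that one CRL, which is what the plural in crlDistributionPoints refers to; each still points at the file, not at the server.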