How to create a certificate using openssl, including a CRL distribution point?

I am having problems using openssl to create an X.509 certificate containing a CRL distribution point for testing.

I checked the documentation and found the crlDistributionPoints setting for this purpose. Unfortunately, openssl always generates X.509 version 1 certificates instead of version 3 certificates with a CRL distribution point. I am sure that something is wrong with my command or configuration, but carefully reading the documentation and playing with the setup did not help. Other settings from the configuration file are picked up, so I am sure that the file itself is used by openssl.

I use the command

    openssl x509 -req -in $NAME.csr -out certs/$NAME.pem -days 3650 -CAcreateserial -CA cacert.pem -CAkey private/cakey.pem -CAserial serial

I am using the following configuration file:

    [ ca ]
    default_ca = CA_default

    [ CA_default ]
    dir = /home/ca
    database = $dir/index.txt
    new_certs_dir = $dir/newcerts
    certificate = $dir/cacert.pem
    serial = $dir/serial
    private_key = $dir/private/cakey.pem
    RANDFILE = $dir/private/.rand
    default_days = 3650
    default_crl_days = 30
    default_md = md5
    policy = policy_any
    email_in_dn = no
    name_opt = ca_default
    cert_opt = ca_default
    copy_extensions = none
    x509_extensions = extensions_section

    [ extensions_section ]
    crlDistributionPoints=URI:http://example.com/crl.pem

    [ policy_any ]
    countryName = supplied
    stateOrProvinceName = optional
    organizationName = optional
    organizationalUnitName = optional
    commonName = supplied
    emailAddress = optional

Any ideas?

+4
1 answer

openssl x509 does not read the extension configuration from the configuration file you quoted above.

You can get crlDistributionPoints in your certificate in (at least) two ways:

  • Use openssl ca instead of openssl x509 to sign the request. Pass -config as needed if your configuration is not in the default location. Most of your existing command can be reused if you omit the options starting with -CA:

    openssl ca -in $NAME.csr -out certs/$NAME.pem -days 3650

  • Use the command as you indicated in your question, but first create a file containing your v3 extensions (e.g. mycrl.cnf); then add the -extfile mycrl.cnf option to your openssl x509 call:

    openssl x509 -req -in $NAME.csr -out certs/$NAME.pem -days 3650 \
        -CAcreateserial -CA cacert.pem -CAkey private/cakey.pem \
        -CAserial serial -extfile mycrl.cnf

    where mycrl.cnf contains the following:

    crlDistributionPoints=URI:http://example.com/crl.pem

openssl ca is probably better suited for what you want to do, since most of the examples you will find rely on this command, using the various settings in openssl.cnf for v3 extensions.

Aside: it is inadvisable to use the MD5 message digest in certificates.

Previously, SHA1 was the recommended alternative to MD5; however, it is also becoming obsolete. You can specify the message digest used in requests and signatures, and you can list the supported message digests with openssl list-message-digest-commands.

For example, you can use SHA256 when signing a request by giving the -md sha256 option to openssl ca (or by setting default_md = sha256 in the [CA_default] section of the configuration).

+12
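An added, self-contained demonstration of the two signing paths in the answer (example script, not code from the original question or answer): it builds a throwaway CA and CSR, signs the CSR with openssl ca using x509_extensions from a config file, with openssl x509 -req plus -extfile, and with openssl x509 -req alone as in the question, then inspects each result for the CRL Distribution Points extension. All file names, the CA subject, the leaf name and the CRL URL are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): a throwaway CA and CSR, signed
# the three ways discussed above, then checked for a CRL Distribution Points
# extension. Every path, subject and URL here is constructed for the demo.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Placeholder URL; in a real deployment this is wherever the CA publishes its CRL.
CRL_URL="http://example.com/crl.pem"

make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
    -subj "/CN=Demo CA" -keyout "$WORK/cakey.pem" -out "$WORK/cacert.pem" 2>/dev/null
}

make_csr() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=leaf.example.com" -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
}

# Way 1: openssl ca reads x509_extensions from its config section.
# It also needs the database, serial file and new_certs_dir to exist up front.
sign_with_ca() {
  mkdir -p "$WORK/newcerts"
  : > "$WORK/index.txt"
  echo 01 > "$WORK/serial"
  cat > "$WORK/ca.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = $WORK
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
certificate = \$dir/cacert.pem
serial = \$dir/serial
private_key = \$dir/cakey.pem
default_days = 30
default_md = sha256
policy = policy_any
x509_extensions = extensions_section
[ extensions_section ]
crlDistributionPoints = URI:$CRL_URL
[ policy_any ]
commonName = supplied
EOF
  openssl ca -batch -notext -config "$WORK/ca.cnf" \
    -in "$WORK/leaf.csr" -out "$WORK/leaf-ca.pem" 2>/dev/null
}

# Way 2: openssl x509 -req takes its v3 extensions only from -extfile.
sign_with_extfile() {
  printf 'crlDistributionPoints = URI:%s\n' "$CRL_URL" > "$WORK/mycrl.cnf"
  openssl x509 -req -in "$WORK/leaf.csr" -out "$WORK/leaf-x509.pem" -days 30 -sha256 \
    -CA "$WORK/cacert.pem" -CAkey "$WORK/cakey.pem" -CAcreateserial \
    -extfile "$WORK/mycrl.cnf" 2>/dev/null
}

# The question's command: the same call without -extfile, so no CDP extension.
sign_without_extfile() {
  openssl x509 -req -in "$WORK/leaf.csr" -out "$WORK/leaf-plain.pem" -days 30 -sha256 \
    -CA "$WORK/cacert.pem" -CAkey "$WORK/cakey.pem" -CAcreateserial 2>/dev/null
}

# Prints "cdp" when the certificate carries a CRL Distribution Points
# extension that points at CRL_URL, and "no-cdp" otherwise.
cdp_status() {
  text=$(openssl x509 -in "$1" -noout -text)
  if printf '%s\n' "$text" | grep -q 'X509v3 CRL Distribution Points' &&
     printf '%s\n' "$text" | grep -q "URI:$CRL_URL"; then
    echo cdp
  else
    echo no-cdp
  fi
}

if command -v openssl >/dev/null 2>&1; then
  make_ca
  make_csr
  sign_with_ca
  sign_with_extfile
  sign_without_extfile
  echo "openssl ca (config extensions): $(cdp_status "$WORK/leaf-ca.pem")"
  echo "openssl x509 -req -extfile:     $(cdp_status "$WORK/leaf-x509.pem")"
  echo "openssl x509 -req, no -extfile: $(cdp_status "$WORK/leaf-plain.pem")"
else
  echo "openssl not found in PATH" >&2
fi
```

The same `openssl x509 -noout -text` check is the quickest way to confirm, on any certificate you issue, that the extension actually made it in; if the "X509v3 extensions" block is missing altogether, the signing tool never saw an extension section, which is exactly the symptom in the question.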