info
Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss
Offline Root CA and CRL generation
409 views
Skip to first unread message
Sven Dreyer
Mar 15, 2013, 10:53:37 AM3/15/13
to
Hi List,
I would like to setup an OpenSSL-based offline Root CA.
Certificates issued by this Root CA contain a CDP.
I would like to issue CRLs every 3 days, which would mean that I would
have to take the offline Root CA online each 3 days.
Is there a way to let the Root CA issue a "CRL signer certificate",
which can then run on a different machine for CRL signature?
For OCSP it seems to be possbile (RFC2560, 2.6 - "OCSP Signature
Authority Delegation"). Does anybody know whether it's possible for
CRL's using OpenSSL?
Thanks for any advice,
Sven
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openss...@openssl.org
Automated List Manager majo...@openssl.org
I would like to setup an OpenSSL-based offline Root CA.
Certificates issued by this Root CA contain a CDP.
I would like to issue CRLs every 3 days, which would mean that I would
have to take the offline Root CA online each 3 days.
Is there a way to let the Root CA issue a "CRL signer certificate",
which can then run on a different machine for CRL signature?
For OCSP it seems to be possbile (RFC2560, 2.6 - "OCSP Signature
Authority Delegation"). Does anybody know whether it's possible for
CRL's using OpenSSL?
Thanks for any advice,
Sven
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openss...@openssl.org
Automated List Manager majo...@openssl.org
Sven Dreyer
Mar 15, 2013, 11:11:17 AM3/15/13
to
Hi Matthew,
Am 15.03.2013 16:03, schrieb Matthew Hall:
> Read about the cRLSign KeyUsage bit. This is how it is usually
> handled.
I already let the Root CA issue a certificate with "keyUsage = cRLSign"
and used that certificate to sign the CRL, but my colleague's Windows
machine refused to accept the CRL signed that way.
The problem went away when I directly signed the CRL with the Root CA
certificate, so I thought I did something wrong or it's simply not possible.
Thanks,
Am 15.03.2013 16:03, schrieb Matthew Hall:
> Read about the cRLSign KeyUsage bit. This is how it is usually
> handled.
I already let the Root CA issue a certificate with "keyUsage = cRLSign"
and used that certificate to sign the CRL, but my colleague's Windows
machine refused to accept the CRL signed that way.
The problem went away when I directly signed the CRL with the Root CA
certificate, so I thought I did something wrong or it's simply not possible.
Thanks,
Erwann Abalea
Mar 15, 2013, 11:16:48 AM3/15/13
to
X.509 allows for a self-signed certificate dedicated to CRL signing
(with the same name, of course). But that's not acceptable for RFC5280.
You can generate a self-issued certificate dedicated to CRL signing
(same name, different key, signed by your root). That's acceptable for
RFC5280, but you'll have to check with your clients. And find a way to
distribute this certificate.
--
Erwann ABALEA
Le 15/03/2013 15:53, Sven Dreyer a écrit :
> Hi List,
>
> I would like to setup an OpenSSL-based offline Root CA.
>
> Certificates issued by this Root CA contain a CDP.
>
> I would like to issue CRLs every 3 days, which would mean that I would
> have to take the offline Root CA online each 3 days.
>
> Is there a way to let the Root CA issue a "CRL signer certificate",
> which can then run on a different machine for CRL signature?
>
> For OCSP it seems to be possbile (RFC2560, 2.6 - "OCSP Signature
> Authority Delegation"). Does anybody know whether it's possible for
> CRL's using OpenSSL?
>
> Thanks for any advice,
(with the same name, of course). But that's not acceptable for RFC5280.
You can generate a self-issued certificate dedicated to CRL signing
(same name, different key, signed by your root). That's acceptable for
RFC5280, but you'll have to check with your clients. And find a way to
distribute this certificate.
--
Erwann ABALEA
Le 15/03/2013 15:53, Sven Dreyer a écrit :
> Hi List,
>
> I would like to setup an OpenSSL-based offline Root CA.
>
> Certificates issued by this Root CA contain a CDP.
>
> I would like to issue CRLs every 3 days, which would mean that I would
> have to take the offline Root CA online each 3 days.
>
> Is there a way to let the Root CA issue a "CRL signer certificate",
> which can then run on a different machine for CRL signature?
>
> For OCSP it seems to be possbile (RFC2560, 2.6 - "OCSP Signature
> Authority Delegation"). Does anybody know whether it's possible for
> CRL's using OpenSSL?
>
> Thanks for any advice,
Sven Dreyer
Mar 15, 2013, 12:01:28 PM3/15/13
to
Hi Erwann,
Am 15.03.2013 16:16, schrieb Erwann Abalea:
> You can generate a self-issued certificate dedicated to CRL signing
> (same name, different key, signed by your root). That's acceptable
> for RFC5280, but you'll have to check with your clients. And find a
> way to distribute this certificate.
I'm not sure whether I got it right.
My Root CA is named "Foobar Root CA" with keypair (A).
I would then let "Foobar Root CA" issue a certificate for "Foobar Root
CA" with keypair (B) and attribute "keyUsage = cRLSign".
I would then use the certificate for keypair (B) to sign the CRL.
Then, I would distribute the certificates for "Foobar Root CA" (A) and
"Foobar Root CA" (B) to my clients' trusted CA stores.
Is this the way you pointed me to?
Thanks,
Am 15.03.2013 16:16, schrieb Erwann Abalea:
> You can generate a self-issued certificate dedicated to CRL signing
> (same name, different key, signed by your root). That's acceptable
> for RFC5280, but you'll have to check with your clients. And find a
> way to distribute this certificate.
My Root CA is named "Foobar Root CA" with keypair (A).
I would then let "Foobar Root CA" issue a certificate for "Foobar Root
CA" with keypair (B) and attribute "keyUsage = cRLSign".
I would then use the certificate for keypair (B) to sign the CRL.
Then, I would distribute the certificates for "Foobar Root CA" (A) and
"Foobar Root CA" (B) to my clients' trusted CA stores.
Is this the way you pointed me to?
Thanks,
Erwann Abalea
Mar 15, 2013, 12:36:19 PM3/15/13
to
Le 15/03/2013 17:01, Sven Dreyer a écrit :
> Hi Erwann,
>
> Am 15.03.2013 16:16, schrieb Erwann Abalea:
>> You can generate a self-issued certificate dedicated to CRL signing
>> (same name, different key, signed by your root). That's acceptable
>> for RFC5280, but you'll have to check with your clients. And find a
>> way to distribute this certificate.
>
> I'm not sure whether I got it right.
>
> My Root CA is named "Foobar Root CA" with keypair (A).
>
> I would then let "Foobar Root CA" issue a certificate for "Foobar Root
> CA" with keypair (B) and attribute "keyUsage = cRLSign".
>
> I would then use the certificate for keypair (B) to sign the CRL.
>
> Then, I would distribute the certificates for "Foobar Root CA" (A) and
> "Foobar Root CA" (B) to my clients' trusted CA stores.
>
> Is this the way you pointed me to?
Yes. That's one possible solution (possible from a PKI point of view).
> Hi Erwann,
>
> Am 15.03.2013 16:16, schrieb Erwann Abalea:
>> You can generate a self-issued certificate dedicated to CRL signing
>> (same name, different key, signed by your root). That's acceptable
>> for RFC5280, but you'll have to check with your clients. And find a
>> way to distribute this certificate.
>
> I'm not sure whether I got it right.
>
> My Root CA is named "Foobar Root CA" with keypair (A).
>
> I would then let "Foobar Root CA" issue a certificate for "Foobar Root
> CA" with keypair (B) and attribute "keyUsage = cRLSign".
>
> I would then use the certificate for keypair (B) to sign the CRL.
>
> Then, I would distribute the certificates for "Foobar Root CA" (A) and
> "Foobar Root CA" (B) to my clients' trusted CA stores.
>
> Is this the way you pointed me to?
Another solution would be to play with indirect CRLs. That involves
issuing a certificate (with a different name, for example "Foobar CRL
Signer") dedicated to CRL signing, specifying its name in the
CRLDistributionPoints of your issued certificates, and sign the CRL with
this certificate+private key (Foobar CRL Signer). That CRL must have a
critical IssuingDistributionPoint extension with the indirectCRL set to
true, and at least the first revocation entry must have an extension
indicating its issuer name (Foobar Root CA). "Foobar CRL Signer" may be
issued under a completely different trust chain.
I don't know how well this second solution is supported by clients, and
I suppose that the "Foobar CRL Signer" certificate should itself have a
CRLDP extension pointing to a valid CRL, etc.
Sven Dreyer
Mar 15, 2013, 12:51:10 PM3/15/13
to
Hi Erwann,
Am 15.03.2013 17:36, schrieb Erwann Abalea:
> Yes. That's one possible solution (possible from a PKI point of view).
>
> Another solution would be to play with indirect CRLs. That involves
Thank you very much for your explanations, I will try these scenarios.
Thanks, Sven
Am 15.03.2013 17:36, schrieb Erwann Abalea:
> Yes. That's one possible solution (possible from a PKI point of view).
>
> Another solution would be to play with indirect CRLs. That involves
Thanks, Sven
0 new messages