Since nobody could help me, I continued my search on my own and found the
following:
http://tools.ietf.org/html/draft-ietf-pkix-ocdp-00
In chapter 3 you can find:
…Examples of CRL partition scopes are:

(1)  All of the certificates of a CA with serial numbers between 10,000
and 19,999 inclusive.
…

The scope of a CRL is indicated within that CRL using the following CRL
extension:

cRLScope EXTENSION ::= {
        SYNTAX  CRLScopeSyntax
        IDENTIFIED BY   { <oid tbd> } }

CRLScopeSyntax ::= SEQUENCE {
        serialNumberRange       [0] NumberRange OPTIONAL,
        subjectKeyIdRange       [1] NumberRange OPTIONAL,
        nameSubtrees            [2] GeneralNames OPTIONAL,
        notBeforeRange          [3] NotBeforeRange OPTIONAL,
        onlyContainsUserCerts   [4] BOOLEAN DEFAULT FALSE,
        onlyContainsCACerts     [5] BOOLEAN DEFAULT FALSE,
        onlySomeReasons         [6] ReasonFlags OPTIONAL,
        indirectCRL             [7] BOOLEAN DEFAULT FALSE }

NumberRange ::= SEQUENCE {
        startingNumber          INTEGER,
        endingNumber            INTEGER,
        modulus                 INTEGER OPTIONAL }

notBeforeRange ::= SEQUENCE {
        startingNotBeforeTime   GeneralizedTime,
        endingNotBeforeTime     GeneralizedTime }

….

What I had in mind (in my initial post) is something like the
serialNumberRange, but now I don't know how to handle it. Just copying the
cRLScope into my CRL extension section doesn't work. In the following you
can see my openssl.cnf. When I try to create a CRL with the command "openssl
ca -gencrl -out my.crl" I get the following error:
error on line 87 of config file `/opt/myca/openssl.cnf`
6434: error:0E066065:configuration file routines:CONF_load_bio:missing equal
sign:conf_def.c:366:line 87

Here is my openssl.cnf where I marked the line 87:

################# I've added this, but I guess that I'll have to enter
################# something here because this section is quite empty ;-)
oid_section = [ new_oids ]
[ new_oids ]
################
[ ca ]
default_ca      = myca

[ myca ]

dir             = /opt/myca                     # Where everything is kept
certificate     = $dir/cacert.pem               # The CA certificate
database        = $dir/index.txt                # database index file.
new_certs_dir   = $dir/certs            # default place for new certs.
private_key     = $dir/private/cakey.pem        # The private key
serial          = $dir/serial           # The current serial number
crlnumber       = $dir/crlnumber

default_crl_hours= 1                    # how long before next CRL
default_days    = 365                   # how long to certify for
default_md      = md5                   # which md to use.

policy          = myca_policy
x509_extensions = certificate_extensions
# copy_extensions = copy
crl_extensions = crl_ext

[ myca_policy ]
commonName              = supplied
stateOrProvinceName     = supplied
countryName             = supplied
emailAddress            = optional
organizationName        = supplied
organizationalUnitName  = optional


[ certificate_extensions ]
basicConstraints = CA:false
crlDistributionPoints = URI:http://192.168.0.2/my.crl

[ req ]
default_bits = 2048
default_keyfile = /opt/myca/private/cakey.pem
default_md = md5

prompt = no
distinguished_name = root_ca_distinguished_name

x509_extensions = root_ca_extensions

[ crl_ext ]

############################################## and I've added this section

cRLScope EXTENSION ::= {                ##line 87
        SYNTAX  CRLScopeSyntax
        IDENTIFIED BY   { <oid tbd> } }

CRLScopeSyntax ::= SEQUENCE {
        serialNumberRange       [0] NumberRange OPTIONAL,
        subjectKeyIdRange       [1] NumberRange OPTIONAL,
        nameSubtrees            [2] GeneralNames OPTIONAL,
        notBeforeRange          [3] NotBeforeRange OPTIONAL,
        onlyContainsUserCerts   [4] BOOLEAN DEFAULT FALSE,
        onlyContainsCACerts     [5] BOOLEAN DEFAULT FALSE,
        onlySomeReasons         [6] ReasonFlags OPTIONAL,
        indirectCRL             [7] BOOLEAN DEFAULT FALSE }

NumberRange ::= SEQUENCE {
        startingNumber          INTEGER,
        endingNumber            INTEGER,
        modulus                 INTEGER OPTIONAL }

notBeforeRange ::= SEQUENCE {
        startingNotBeforeTime   GeneralizedTime,
        endingNotBeforeTime     GeneralizedTime }

################################################

[ root_ca_distinguished_name ]
commonName = my CA
stateOrProvinceName = some state
countryName = US
organizationName = some organization

[ root_ca_extensions ]
basicConstraints = CA:true

Thank you for reading my post. I hope that somebody can help me include
the cRLScope stuff or suggest some other solution.

Best regards,
domi


-- 
View this message in context: 
http://www.nabble.com/Question-about-Partitioned-CRLs--how-to-split-a-CRL--tf3419056.html#a9549707
Sent from the OpenSSL - User mailing list archive at Nabble.com.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
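The "missing equal sign" on line 87 is the config parser itself: openssl.cnf only takes `name = value` pairs, so ASN.1 module text can never go there. An extension that OpenSSL has no built-in name for has to be given as a dotted OID whose value is already encoded, either `oid = DER:<hex>` or `oid = ASN1:SEQUENCE:section` built with the generator syntax of `ASN1_generate_nconf(3)`; the `oid_section` line would also need to read `oid_section = new_oids`, with the OID assigned to a name inside `[ new_oids ]`. The following is an added example, not code from the original post or from OpenSSL. It DER-encodes a CRLScopeSyntax of the shape quoted from the draft, prints the `[ crl_ext ]` line that would carry it, and shows the relying-party side: a check that a partitioned CRL actually covers the serial number being validated. Assumptions: the OID `1.3.6.1.4.1.99999.1.1` is an unregistered placeholder (the draft says "tbd"), the `[n]` fields are IMPLICIT-tagged as in the X.509 CertificateExtensions module, only `serialNumberRange` and the three BOOLEAN flags are handled, and the `modulus` field is refused because the quoted text does not define its meaning.

```python
"""Added example, not from the original post or from OpenSSL: DER-encode the
cRLScope extension quoted from draft-ietf-pkix-ocdp-00, emit the openssl.cnf
line that carries it, and check on the relying side whether a partitioned CRL
covers a given serial.  Assumed: placeholder OID, IMPLICIT [n] tagging."""
from typing import Dict, Optional, Tuple

CRL_SCOPE_OID = "1.3.6.1.4.1.99999.1.1"   # placeholder, NOT a registered OID
_FLAGS = {0x84: "onlyContainsUserCerts", 0x85: "onlyContainsCACerts",
          0x87: "indirectCRL"}             # [4]/[5]/[7] IMPLICIT BOOLEAN

def _length(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + _length(len(content)) + content

def _integer(n: int) -> bytes:
    """DER INTEGER, minimal two's complement (128 encodes as 00 80)."""
    if n < 0:
        raise ValueError("serial numbers are non-negative")
    return _tlv(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big"))

def encode_number_range(start: int, end: int, modulus: Optional[int] = None) -> bytes:
    """Content of NumberRange ::= SEQUENCE { start, end, modulus OPTIONAL }."""
    if end < start:
        raise ValueError("endingNumber precedes startingNumber")
    return _integer(start) + _integer(end) + (_integer(modulus) if modulus is not None else b"")

def encode_crl_scope(serial_range: Optional[Tuple[int, ...]] = None, only_user_certs=False,
                     only_ca_certs=False, indirect_crl=False) -> bytes:
    """CRLScopeSyntax.  DEFAULT FALSE fields are omitted when FALSE, as DER
    requires, so a flag is only ever written as TRUE (0xFF)."""
    body = b""
    if serial_range is not None:
        body += _tlv(0xA0, encode_number_range(*serial_range))  # [0] IMPLICIT SEQUENCE
    for tag, on in ((0x84, only_user_certs), (0x85, only_ca_certs), (0x87, indirect_crl)):
        if on:
            body += _tlv(tag, b"\xff")
    return _tlv(0x30, body)

def openssl_cnf_line(scope: bytes, critical: bool = True) -> str:
    """What openssl.cnf accepts under [ crl_ext ] for an extension it has no name
    for: OID = [critical,]DER:<hex>.  Critical by default, so a validator that
    does not understand the scope rejects the CRL instead of treating one
    partition as the complete list."""
    flag = "critical," if critical else ""
    return f"{CRL_SCOPE_OID}={flag}DER:" + ":".join(f"{b:02X}" for b in scope)

def _read_tlv(buf: bytes, i: int) -> Tuple[int, bytes, int]:
    """(tag, content, next index) of the definite-length TLV at buf[i]."""
    tag, n, i = buf[i], buf[i + 1], i + 2
    if n & 0x80:
        k = n & 0x7F
        n, i = int.from_bytes(buf[i:i + k], "big"), i + k
    if i + n > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[i:i + n], i + n

def parse_crl_scope(scope: bytes) -> Dict[str, object]:
    """Decode the fields this example knows; any other tag is noted as unsupported."""
    tag, body, end = _read_tlv(scope, 0)
    if tag != 0x30 or end != len(scope):
        raise ValueError("not a single DER SEQUENCE")
    out: Dict[str, object] = {}
    i = 0
    while i < len(body):
        tag, content, i = _read_tlv(body, i)
        if tag == 0xA0:                                   # serialNumberRange
            nums, j = [], 0
            while j < len(content):
                t, v, j = _read_tlv(content, j)
                if t != 0x02:
                    raise ValueError("NumberRange holds only INTEGERs")
                nums.append(int.from_bytes(v, "big", signed=True))
            out["serialNumberRange"] = tuple(nums)
        elif tag in _FLAGS:
            out[_FLAGS[tag]] = content == b"\xff"
        else:
            out.setdefault("unsupported", []).append(tag)
    return out

def covers_serial(scope: bytes, serial: int, is_ca_cert: bool = False) -> bool:
    """Relying-party check: may this partitioned CRL serve as evidence about a
    certificate with this serial?  Fails closed on anything not understood,
    including a modulus, whose meaning the quoted draft text does not give."""
    s = parse_crl_scope(scope)
    if "unsupported" in s:
        return False
    rng = s.get("serialNumberRange")
    if rng is not None and (len(rng) != 2 or not rng[0] <= serial <= rng[1]):
        return False
    if s.get("onlyContainsUserCerts") and is_ca_cert:
        return False
    return not (s.get("onlyContainsCACerts") and not is_ca_cert)

if __name__ == "__main__":
    scope = encode_crl_scope(serial_range=(10000, 19999))   # the draft's example (1)
    print(openssl_cnf_line(scope))
    print(20000, covers_serial(scope, 20000))   # False: this partition says nothing about it
```

The security point on the relying side is the reason for `covers_serial`: a partitioned CRL proves nothing about certificates outside its scope, so a validator that meets a serial outside `serialNumberRange` must fetch the right partition rather than conclude "not listed, therefore not revoked", and it fails closed on any scope field it cannot interpret for the same reason. That is also why the extension is emitted as critical: a validator that does not implement the scope then has to reject the CRL outright instead of silently treating a partition as the full list. Unrelated to the parse error, `default_md = md5` in the posted config should be replaced by sha256; MD5 signatures on certificates and CRLs are forgeable by collision.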