Since nobody could help me so far, I continued my search on my own and found the
following:
http://tools.ietf.org/html/draft-ietf-pkix-ocdp-00
In chapter 3 you can find:
   ... Examples of CRL partition scopes are:
   (1) All of the certificates of a CA with serial numbers between 10,000
       and 19,999 inclusive.
   ...
   The scope of a CRL is indicated within that CRL using the following CRL
   extension:

   cRLScope EXTENSION ::= {
       SYNTAX         CRLScopeSyntax
       IDENTIFIED BY  { oid tbd } }

   CRLScopeSyntax ::= SEQUENCE {
       serialNumberRange      [0] NumberRange OPTIONAL,
       subjectKeyIdRange      [1] NumberRange OPTIONAL,
       nameSubtrees           [2] GeneralNames OPTIONAL,
       notBeforeRange         [3] NotBeforeRange OPTIONAL,
       onlyContainsUserCerts  [4] BOOLEAN DEFAULT FALSE,
       onlyContainsCACerts    [5] BOOLEAN DEFAULT FALSE,
       onlySomeReasons        [6] ReasonFlags OPTIONAL,
       indirectCRL            [7] BOOLEAN DEFAULT FALSE }

   NumberRange ::= SEQUENCE {
       startingNumber  INTEGER,
       endingNumber    INTEGER,
       modulus         INTEGER OPTIONAL }

   notBeforeRange ::= SEQUENCE {
       startingNotBeforeTime  GeneralizedTime,
       endingNotBeforeTime    GeneralizedTime }
   ...
What I had in mind (in my initial post) is something like the
serialNumberRange, but now I don't know how to handle it. Just copying the
cRLScope into my CRL extension section doesn't work. In the following you
can see my openssl.cnf. When I try to create a CRL with the command
"openssl ca -gencrl -out my.crl" I get the following error:

error on line 87 of config file `/opt/myca/openssl.cnf`
6434: error:0E066065:configuration file routines:CONF_load_bio:missing equal sign:conf_def.c:366:line 87

Here is my openssl.cnf, where I marked line 87:
# I've added this, but I guess that I'll have to enter
# something here because this section is quite empty ;-)
oid_section = [ new_oids ]

[ new_oids ]

[ ca ]
default_ca = myca

[ myca ]
dir              = /opt/myca                 # Where everything is kept
certificate      = $dir/cacert.pem           # The CA certificate
database         = $dir/index.txt            # database index file.
new_certs_dir    = $dir/certs                # default place for new certs.
private_key      = $dir/private/cakey.pem    # The private key
serial           = $dir/serial               # The current serial number
crlnumber        = $dir/crlnumber
default_crl_hours = 1                        # how long before next CRL
default_days     = 365                       # how long to certify for
default_md       = md5                       # which md to use.
policy           = myca_policy
x509_extensions  = certificate_extensions
# copy_extensions = copy
crl_extensions   = crl_ext

[ myca_policy ]
commonName              = supplied
stateOrProvinceName     = supplied
countryName             = supplied
emailAddress            = optional
organizationName        = supplied
organizationalUnitName  = optional

[ certificate_extensions ]
basicConstraints      = CA:false
crlDistributionPoints = URI:http://192.168.0.2/my.crl

[ req ]
default_bits        = 2048
default_keyfile     = /opt/myca/private/cakey.pem
default_md          = md5
prompt              = no
distinguished_name  = root_ca_distinguished_name
x509_extensions     = root_ca_extensions

[ crl_ext ]
## and I've added this section
cRLScope EXTENSION ::= {                       ## line 87
    SYNTAX         CRLScopeSyntax
    IDENTIFIED BY  { oid tbd } }
CRLScopeSyntax ::= SEQUENCE {
    serialNumberRange      [0] NumberRange OPTIONAL,
    subjectKeyIdRange      [1] NumberRange OPTIONAL,
    nameSubtrees           [2] GeneralNames OPTIONAL,
    notBeforeRange         [3] NotBeforeRange OPTIONAL,
    onlyContainsUserCerts  [4] BOOLEAN DEFAULT FALSE,
    onlyContainsCACerts    [5] BOOLEAN DEFAULT FALSE,
    onlySomeReasons        [6] ReasonFlags OPTIONAL,
    indirectCRL            [7] BOOLEAN DEFAULT FALSE }
NumberRange ::= SEQUENCE {
    startingNumber  INTEGER,
    endingNumber    INTEGER,
    modulus         INTEGER OPTIONAL }
notBeforeRange ::= SEQUENCE {
    startingNotBeforeTime  GeneralizedTime,
    endingNotBeforeTime    GeneralizedTime }

[ root_ca_distinguished_name ]
commonName           = my CA
stateOrProvinceName  = some state
countryName          = US
organizationName     = some organization

[ root_ca_extensions ]
basicConstraints = CA:true
Thank you for reading my post. I hope that somebody might help me to include
the cRLScope stuff or help me with some other solution.

Best regards,
domi
--
View this message in context:
http://www.nabble.com/Question-about-Partitioned-CRLs--how-to-split-a-CRL--tf3419056.html#a9549707
Sent from the OpenSSL - User mailing list archive at Nabble.com
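OpenSSL's config parser only accepts `name = value` lines, so the raw ASN.1 notation pasted into `[ crl_ext ]` can never load; what the extension actually has to become is a DER blob. As an added example that is not part of domi's post or the draft, the following Python encodes and decodes the draft's CRLScopeSyntax restricted to the serialNumberRange field, assuming IMPLICIT tagging for `[0]` (the usual PKIX module convention) and using the draft's own 10,000 to 19,999 partition as constructed sample data.

```python
# Added example (not from the post): DER encode/decode of CRLScopeSyntax with a
# serialNumberRange, then a check of whether a CRL with that scope covers a serial.
# Assumes IMPLICIT tags for [0]; the modulus field and other fields are skipped.

def _tlv(tag, body):
    # Short-form DER length only; this extension stays well under 128 bytes.
    if len(body) >= 0x80:
        raise ValueError("long-form lengths not supported in this example")
    return bytes([tag, len(body)]) + body

def der_integer(value):
    # Minimal two's-complement encoding; the +8 keeps the sign bit clear for positives.
    return _tlv(0x02, value.to_bytes((value.bit_length() + 8) // 8, "big", signed=True))

def encode_crl_scope(start, end):
    """CRLScopeSyntax { serialNumberRange [0] IMPLICIT NumberRange { start, end } }."""
    number_range = _tlv(0x30, der_integer(start) + der_integer(end))
    # IMPLICIT [0] swaps the SEQUENCE tag 0x30 for context-specific constructed 0xA0.
    return _tlv(0x30, b"\xa0" + number_range[1:])

def _read_tlv(buf, pos):
    tag, length = buf[pos], buf[pos + 1]
    if length & 0x80:
        raise ValueError("long-form lengths not supported in this example")
    return tag, buf[pos + 2:pos + 2 + length], pos + 2 + length

def decode_crl_scope(der):
    """Return {'serialNumberRange': (start, end)}; other tagged fields are skipped."""
    tag, body, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("not a single CRLScopeSyntax SEQUENCE")
    scope, pos = {}, 0
    while pos < len(body):
        tag, field, pos = _read_tlv(body, pos)
        if tag == 0xA0:  # serialNumberRange
            ints, p = [], 0
            while p < len(field):
                t, v, p = _read_tlv(field, p)
                if t != 0x02:
                    raise ValueError("NumberRange must hold INTEGERs")
                ints.append(int.from_bytes(v, "big", signed=True))
            scope["serialNumberRange"] = (ints[0], ints[1])  # a modulus, if present, is ignored
    return scope

def crl_covers_serial(scope, serial):
    """A partitioned CRL is authoritative only for serials inside its range."""
    rng = scope.get("serialNumberRange")
    return rng is None or rng[0] <= serial <= rng[1]

# Constructed sample: the draft's own example partition, serials 10,000 to 19,999.
SCOPE_DER = encode_crl_scope(10000, 19999)
```

A relying party that fetches such a partitioned CRL must treat a serial outside the range as "not covered" rather than "not revoked", and consult the partition that does cover it.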