Re: Question about Partitioned CRLs; how to split a CRL?

2007-03-19 Thread domi

Since nobody could help me, I continued my search on my own and found the
following:
http://tools.ietf.org/html/draft-ietf-pkix-ocdp-00
In chapter 3 you can find:
…Examples of CRL partition scopes are:

(1)  All of the certificates of a CA with serial numbers between 10,000
and 19,999 inclusive.
…

The scope of a CRL is indicated within that CRL using the following CRL
extension:

cRLScope EXTENSION ::= {
    SYNTAX          CRLScopeSyntax
    IDENTIFIED BY   { oid tbd } }

CRLScopeSyntax ::= SEQUENCE {
    serialNumberRange       [0] NumberRange OPTIONAL,
    subjectKeyIdRange       [1] NumberRange OPTIONAL,
    nameSubtrees            [2] GeneralNames OPTIONAL,
    notBeforeRange          [3] NotBeforeRange OPTIONAL,
    onlyContainsUserCerts   [4] BOOLEAN DEFAULT FALSE,
    onlyContainsCACerts     [5] BOOLEAN DEFAULT FALSE,
    onlySomeReasons         [6] ReasonFlags OPTIONAL,
    indirectCRL             [7] BOOLEAN DEFAULT FALSE }

NumberRange ::= SEQUENCE {
    startingNumber          INTEGER,
    endingNumber            INTEGER,
    modulus                 INTEGER OPTIONAL }

notBeforeRange ::= SEQUENCE {
    startingNotBeforeTime   GeneralizedTime,
    endingNotBeforeTime     GeneralizedTime }

…

What I had in mind (in my initial post) is something like the
serialNumberRange, but now I don’t know how to handle it. Just copying the
cRLScope into my CRL extension section doesn’t work. Below you can see my
openssl.cnf. When I try to create a CRL with the command "openssl ca -gencrl
-out my.crl" I get the following error:
error on line 87 of config file `/opt/myca/openssl.cnf`
6434:error:0E066065:configuration file routines:CONF_load_bio:missing equal
sign:conf_def.c:366:line 87

Here is my openssl.cnf where I marked the line 87:

# I’ve added this, but I guess that I’ll have to enter
# something here because this section is quite empty ;-)
oid_section = new_oids
[ new_oids ]

[ ca ]
default_ca  = myca

[ myca ]

dir             = /opt/myca                 # Where everything is kept
certificate     = $dir/cacert.pem           # The CA certificate
database        = $dir/index.txt            # database index file
new_certs_dir   = $dir/certs                # default place for new certs
private_key     = $dir/private/cakey.pem    # The private key
serial          = $dir/serial               # The current serial number
crlnumber       = $dir/crlnumber            # The current CRL number

default_crl_hours = 1                       # how long before next CRL
default_days    = 365                       # how long to certify for
default_md      = md5                       # which md to use

policy  = myca_policy
x509_extensions = certificate_extensions
# copy_extensions = copy
crl_extensions = crl_ext

[ myca_policy ]
commonName              = supplied
stateOrProvinceName     = supplied
countryName             = supplied
emailAddress            = optional
organizationName        = supplied
organizationalUnitName  = optional


[ certificate_extensions ]
basicConstraints        = CA:false
crlDistributionPoints   = URI:http://192.168.0.2/my.crl

[ req ]
default_bits = 2048
default_keyfile = /opt/myca/private/cakey.pem
default_md = md5

prompt = no
distinguished_name = root_ca_distinguished_name

x509_extensions = root_ca_extensions

[ crl_ext ]

## and I’ve added this section

cRLScope EXTENSION ::= {                    ## line 87
    SYNTAX          CRLScopeSyntax
    IDENTIFIED BY   { oid tbd } }

CRLScopeSyntax ::= SEQUENCE {
    serialNumberRange       [0] NumberRange OPTIONAL,
    subjectKeyIdRange       [1] NumberRange OPTIONAL,
    nameSubtrees            [2] GeneralNames OPTIONAL,
    notBeforeRange          [3] NotBeforeRange OPTIONAL,
    onlyContainsUserCerts   [4] BOOLEAN DEFAULT FALSE,
    onlyContainsCACerts     [5] BOOLEAN DEFAULT FALSE,
    onlySomeReasons         [6] ReasonFlags OPTIONAL,
    indirectCRL             [7] BOOLEAN DEFAULT FALSE }

NumberRange ::= SEQUENCE {
    startingNumber          INTEGER,
    endingNumber            INTEGER,
    modulus                 INTEGER OPTIONAL }

notBeforeRange ::= SEQUENCE {
    startingNotBeforeTime   GeneralizedTime,
    endingNotBeforeTime     GeneralizedTime }



[ root_ca_distinguished_name ]
commonName = my CA
stateOrProvinceName = some state
countryName = US
organizationName = some organization

[ root_ca_extensions ]
basicConstraints = CA:true

Thank you for reading my post. I hope that somebody might help me to include
the crlScope stuff or help me with some other solution.

best regards domi


-- 
View this message in context: 
http://www.nabble.com/Question-about-Partitioned-CRLs--how-to-split-a-CRL--tf3419056.html#a9549707
Sent from the OpenSSL - User mailing list archive at Nabble.com

Question about Partitioned CRLs; how to split a CRL?

2007-03-17 Thread domi

Hello,

I’ve set up an Apache webserver for some testing purposes. I’ve also built
my own little CA; I can create certificates and CRLs (using the command line
for everything). Everything works quite fine, but now I’ve got the following
question concerning CRL Distribution Points / Partitioned CRLs.

Assume that I’ve got a lot of certificates and a lot of them are revoked.
Is it possible to create a CRL (called A) for the first part of my
certificates and a second CRL (called B) for the second part of my
certificates?
Going one step further, I want to have a look at my index.txt (where I can
find all my issued certificates) and create a CRL, telling openssl the range
of the certificates. Is there a command (an option or something else) so that
my CRL will begin with certificate X (serial number X) and end with
certificate Y (serial number Y)?

I’m thankful for any ideas. Please let me know if you need further
information like my config files or something else.

best regards domi

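The serial range X..Y asked for in the original question, done with the stock openssl ca -gencrl rather than the draft's cRLScope extension (openssl.cnf has no syntax for it, and the draft itself leaves the OID as "oid tbd"): filter the CA's index.txt into a per-partition copy and point a separate config's database setting at that copy. This is an added example, not code from the thread; the index rows, names and serials are constructed, and the bounds 10000..19999 follow the draft's own example.

```python
# Added example: partition an OpenSSL CA index.txt by serial-number range.
# `openssl ca -gencrl` lists every revoked row of the database it is pointed at,
# so a CRL for serials X..Y comes from a filtered index.txt copy named by `database =`.
from dataclasses import dataclass

# Constructed sample rows in index.txt layout (tab separated): status,
# expiry, revocation date[,reason], serial (hex), filename, subject DN.
SAMPLE_INDEX = "\n".join([
    "V\t080317120000Z\t\t2710\tunknown\t/CN=alice/O=some organization",
    "R\t080317120000Z\t070318090000Z,keyCompromise\t2711\tunknown\t/CN=bob/O=some organization",
    "R\t080317120000Z\t070318090100Z\t4E1F\tunknown\t/CN=carol/O=some organization",
    "R\t080317120000Z\t070318090200Z\t4E20\tunknown\t/CN=dave/O=some organization",
    "V\t080317120000Z\t\t4E21\tunknown\t/CN=erin/O=some organization",
])

@dataclass
class IndexEntry:
    status: str       # V = valid, R = revoked, E = expired
    expiry: str       # YYMMDDHHMMSSZ
    revocation: str   # YYMMDDHHMMSSZ[,reason]; empty unless revoked
    serial_hex: str   # OpenSSL stores serials as hex text (2710 = 10000)
    filename: str
    subject: str

    @property
    def serial(self) -> int:
        return int(self.serial_hex, 16)

    def to_line(self) -> str:
        return "\t".join([self.status, self.expiry, self.revocation,
                          self.serial_hex, self.filename, self.subject])

def parse_index(text: str) -> list[IndexEntry]:
    """Parse index.txt rows; each must carry exactly six tab-separated fields."""
    entries = []
    for line in text.splitlines():
        if line.strip():
            fields = line.split("\t")
            if len(fields) != 6:
                raise ValueError(f"malformed index row: {line!r}")
            entries.append(IndexEntry(*fields))
    return entries

def partition(entries: list[IndexEntry], start: int, end: int) -> list[IndexEntry]:
    """Rows whose serial lies in [start, end] inclusive: the draft's serialNumberRange
    (startingNumber=start, endingNumber=end) applied to the CA database."""
    return [e for e in entries if start <= e.serial <= end]

def render_index(entries: list[IndexEntry]) -> str:
    """Serialise a partition as the index.txt a per-range `database =` points at."""
    return "".join(e.to_line() + "\n" for e in entries)
```

The filtered copy keeps the V rows as well, so it is still a well-formed database; only its R rows end up in the CRL that -gencrl writes for that partition, which is then published at that partition's crlDistributionPoints URI.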

__
OpenSSL Project                         http://www.openssl.org
User Support Mailing List               openssl-users@openssl.org
Automated List Manager                  [EMAIL PROTECTED]