For the serial number that I was referring to: if you look at the
content of one of the client-side certs I issued:

========================================================
%  openssl x509 -in foo.cert -text -noout

Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number: 5 (0x5)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: ....
        Validity
            ...
        Subject: ...
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
                Modulus:
                   ......
                Exponent: 65537 (0x10001)
    Signature Algorithm: sha1WithRSAEncryption
        a3:c2:31:d3:ea:c9:67:46:1c:5a:59:15:45:51:ef:c8:2d:99:
========================================================

you will find the line:
    Serial Number: 5 (0x5)

Or if you visit:
  
https://access.redhat.com/site/documentation/en-US/Red_Hat_Certificate_System/7.3/html/Administration_Guide/Administration_Guide-Introduction_to_CRL_Extensions-Sample_CRL_and_CRL_Entry_Extensions.html
you will see the following:

========================================================
Certificate Revocation List:
Data:
Version:  v2
...
Extensions:

Identifier: Authority Key Identifier
...
Serial Number: 0x12
...
========================================================

In order to implement a simple CRL on my server (really a
[private|local] CA + reverse proxy), I plan to rely on the serial
numbers.  However, I can't find any info about retrieving the serial
number of an incoming cert.  Or should I simply use the CN, as in:
   req.connection.getPeerCertificate().subject.CN
instead, since there is a one-to-one correspondence between CNs and the
serial numbers?

A quick question: when the client connects with X.509 certs, is the
serial number info available in the entire SSL/TLS handshake process?

Thanks.



On Wed, Aug 7, 2013 at 7:16 AM, Ben Noordhuis <[email protected]> wrote:

> On Wed, Aug 7, 2013 at 6:27 AM, ming <[email protected]> wrote:
> > Hi,
> > I have been running a [private|local] CA which also functions as a
> > reverse proxy.  I issue X.509 client-side certs with this CA for
> > programming API access authentication.  Now I am contemplating the
> > implementation of some simple home-brewed CRL-like revocation
> > mechanism.  Obviously that requires my node.js program to inspect the
> > serial number of the X.509 cert the client presents.
> >
> > However, it is not clear to me what the best way is to get the serial
> > number of the X.509 cert presented for the incoming request.  I've been
> > using the following:
> >    req.connection.getPeerCertificate().subject
> > to retrieve subjects but I don't know where to find the serial number of
> > a cert.
> >
> > Thanks.
>
> When you say "serial number", to what specific X.509 field
> (distinguished name, OID) are you referring?
>
> --
> --
> Job Board: http://jobs.nodejs.org/
> Posting guidelines:
> https://github.com/joyent/node/wiki/Mailing-List-Posting-Guidelines
> You received this message because you are subscribed to the Google
> Groups "nodejs" group.
> To post to this group, send email to [email protected]
> To unsubscribe from this group, send email to
> [email protected]
> For more options, visit this group at
> http://groups.google.com/group/nodejs?hl=en?hl=en
>
> ---
> You received this message because you are subscribed to a topic in the
> Google Groups "nodejs" group.
> To unsubscribe from this topic, visit
> https://groups.google.com/d/topic/nodejs/dCnPsMt3wNo/unsubscribe.
> To unsubscribe from this group and all its topics, send an email to
> [email protected].
> For more options, visit https://groups.google.com/groups/opt_out.
>
>
>
