Be nice... I am new.
I need help with setting up CRLs.
I run a small www site for a special group.
I set up a self-signed CA.
My problem...
Each client has a cert that is checked.
How do I create a proper CRL cert?
I tried... but they still can log in,
or MSIE says "cannot determine the validity of this certificate because
it cannot locate a valid certificate revocation list".
I seem to get many *.crl files, but not one file containing all CRLs.
How do I generate a CRL for a distribution point?
(e.g. http://www.rabbits-r-us.com/ca.crl)
Below is a script I made that revokes a crt and does rehash, and my .cnf
file... Am I missing something??
#!/bin/sh
# Revoke one client cert and regenerate the CA's single CRL.
# Usage: ./revoke.sh client.crt   (file name under $CATOP/certs)
crt=$1
openssl="/sbin/openssl"        # must be defined before it is used
CATOP=./CA
# $SSLEAY_CONFIG was never set; default it to the .cnf file (assumed name)
[ -n "$SSLEAY_CONFIG" ] || SSLEAY_CONFIG="-config ./openssl.cnf"
ser=`echo $crt | sed -e 's;\.crt$;;'`
echo "$ser: $crt"
# Mark the cert as revoked ("R" line) in $CATOP/index.txt
$openssl ca -verbose $SSLEAY_CONFIG -revoke ${CATOP}/certs/$crt
# -gencrl builds ONE CRL from every revoked entry in index.txt, so write it
# to the fixed path named by "crl =" in the .cnf, not to a .crl per cert.
# -infiles is for signing CSRs and does not belong on a -gencrl run.
$openssl ca -verbose -gencrl $SSLEAY_CONFIG -batch -out ${CATOP}/crl/ca.crl
$openssl crl -text -noout -in ${CATOP}/crl/ca.crl
./ca_rehash.make ${CATOP}/certs/ ${CATOP}/crl/ ${CATOP}
#
# OpenSSL configuration file.
HOME = .
RANDFILE = $ENV::HOME/.rnd
oid_section = new_oids
[ new_oids ]
####################################################################
[ ca ]
default_ca = CA_default # The default ca section
####################################################################
[ CA_default ]
dir = ./CA # Where everything is kept
certs = $dir/certs # Where the issued certs are kept
crl_dir = $dir/crl # Where the issued crl are kept
database = $dir/index.txt # database index file.
new_certs_dir = $dir/newcerts # default place for new certs.
certificate = $dir/ca.crt # The CA certificate
serial = $dir/serial # The current serial number
crl = $dir/crl/ca.crl # The current CRL
private_key = $dir/private/ca.key # The private key
RANDFILE = $dir/private/.rand # private random number file
x509_extensions = usr_cert # The extensions to add to the cert
crl_extensions = crl_ext # The extensions to add to the CRL (crl_ext was never referenced)
default_days = 365 # how long to certify for
default_crl_days= 30 # how long before next CRL
default_md = md5 # which md to use.
preserve = no # keep passed DN ordering
policy = policy_match
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
####################################################################
[ req ]
default_bits = 1024
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
attributes = req_attributes
x509_extensions = v3_ca # The extensions to add to the self signed cert
string_mask = nombstr
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = CA
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Ontario
localityName = Locality Name (eg, city)
localityName_default = Newmarket
0.organizationName = Organization Name (eg, company)
0.organizationName_default = Rabbits R Us Technical Consulting
organizationalUnitName = Organizational Unit Name (eg, section)
organizationalUnitName_default = Tech
commonName = Common Name (eg, YOUR name)
commonName_max = 64
emailAddress = Email Address
emailAddress_default = [EMAIL PROTECTED]
emailAddress_max = 40
# SET-ex3 = SET extension number 3
[ req_attributes ]
challengePassword = A challenge password
challengePassword_min = 4
challengePassword_max = 20
unstructuredName = An optional company name
[ usr_cert ]
basicConstraints=CA:FALSE
nsComment = "OpenSSL Generated Certificate"
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer:always
crlDistributionPoints=URI:http://www.rabbits-r-us.com/ca.crl
nsCaRevocationUrl =http://www.rabbits-r-us.com/ca.crl
#nsBaseUrl
#nsRevocationUrl
#nsRenewalUrl
#nsCaPolicyUrl
#nsSslServerName
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
[ v3_ca ]
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer:always
basicConstraints = CA:true
[ crl_ext ]
# CRL extensions.
# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
# issuerAltName=issuer:copy
authorityKeyIdentifier=keyid:always,issuer:always
any Help would be Great
thanx in advance
[EMAIL PROTECTED]
(\ /)
\)_^_(/
=(_T_)=
_// \
()_() )
\ \
_/ (*)
((__((__/
Michael Harvey
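An added example (not the poster's script and not OpenSSL project code) showing the shape of the fix the question calls for: after each revocation, regenerate one CRL from index.txt, convert it to DER for MSIE, and copy it to the path behind the crlDistributionPoints URL from the posted .cnf. The config file name ./openssl.cnf and the web root /var/www/html are assumptions.

```shell
#!/bin/sh
# Added example: revoke one client cert, rebuild the CA's SINGLE CRL and
# publish it in DER form at the distribution point URL from the posted .cnf.
# Paths follow that .cnf; the config file name and web root are assumptions.
set -eu

CATOP="${CATOP:-./CA}"                 # "dir" in the posted [ CA_default ]
CNF="${CNF:-./openssl.cnf}"            # assumed name of the posted .cnf
WEBROOT="${WEBROOT:-/var/www/html}"    # assumed docroot of www.rabbits-r-us.com

# Rebuild the one CRL. -gencrl reads every "R" line in index.txt, so a single
# file lists all revoked serials; -infiles does not apply to -gencrl.
regen_crl() {
    openssl ca -config "$CNF" -gencrl -out "$CATOP/crl/ca.crl"
    # MSIE/CryptoAPI fetches the CDP URL and expects DER, not PEM.
    openssl crl -in "$CATOP/crl/ca.crl" -outform DER -out "$CATOP/crl/ca.crl.der"
}

# Mark one issued cert (file name under $CATOP/certs) as revoked, then regen.
revoke_and_regen() {
    openssl ca -config "$CNF" -revoke "$CATOP/certs/$1"
    regen_crl
}

# Copy the DER CRL to the path behind http://www.rabbits-r-us.com/ca.crl.
publish_crl() {
    cp "$CATOP/crl/ca.crl.der" "$WEBROOT/ca.crl"
}

# Print the hex serials currently listed in the CRL, one per line.
revoked_serials() {
    openssl crl -in "$CATOP/crl/ca.crl" -noout -text |
        sed -n 's/^ *Serial Number: *\([0-9A-Fa-f]*\).*/\1/p'
}

# Succeed only if the cert chains to ca.crt and is absent from the CRL.
check_cert() {
    openssl verify -crl_check -CAfile "$CATOP/ca.crt" \
        -CRLfile "$CATOP/crl/ca.crl" "$1" 2>/dev/null | grep -q ': OK$'
}

# Usage: ./revoke.sh client.crt
if [ $# -gt 0 ]; then
    revoke_and_regen "$1"
    publish_crl
    revoked_serials
fi
```

Run check_cert against a revoked cert after regen_crl to confirm the CRL actually lists it before pointing MSIE at the published copy.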
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]