"Dr. Stephen Henson" <[EMAIL PROTECTED]> wrote:

On Wed, Jun 01, 2005, Julien VEHENT wrote:

Hi all,

I have an OCSP responder on my CA and I want to use it in order to generate CRLs on other servers.

So the idea is:

+-----+
| CA &|<====ocsp request====(1)===+-----------+>>(3)>
|ocsp |...........................|openvpn srv|......(CRL GENERATION)
+-----+=====ocsp response===(2)==>+-----------+<<(4)</

and with the OCSP response I want to generate a CRL.

For the OCSP request, I'm using the openssl toolkit with a cron. But I have several problems:

_How can I request all certificates managed by my CA in one OCSP request? (I don't want to copy all of these signed certificates on all of my OpenVPN servers)

_How can I encode the response in PEM format in order to use it with OpenVPN?

I really want to use the OCSP protocol for several reasons (including security considerations), so publication through the HTTP protocol is not a good solution for me.


Could you help me?... :)

OCSP can't really be used that way unless you include the serial numbers of *all* that CA's certificates in the request. That could result in a very large request and responder overhead.

What is your problem with HTTP? A CRL is digitally signed so it can't be
tampered with.




I don't want to use HTTP just because web servers are attacked too much. Moreover, OCSP is very interesting for the student that I am :)

OK, so if I use a "boring script" which requests 100 serials in one line, what is the correct syntax to generate a CRL using the OpenSSL OCSP request?

I've tried to use the -respout argument and a CRL conversion (with openssl crl -inform DER [...] -outform PEM [...]) but it doesn't work...

The error message is: unable to load CRL

And openssl ocsp --help doesn't say anything about CRL generation......






Thank you very much for your answers :)




------------------------------------------------------------------
J. VEHENT

Student in Computer Security

[EMAIL PROTECTED]
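Added example, not from this thread or from OpenSSL: a minimal DER walker that shows why "openssl crl -inform DER" rejects an OCSP response with "unable to load CRL". An OCSPResponse (RFC 6960) begins with an ENUMERATED responseStatus, whereas a CertificateList (RFC 5280) begins with the tbsCertList SEQUENCE, so the two are different ASN.1 objects and one cannot be converted into the other. The sample blobs are constructed by hand to show only the outer shape; they are not real signed objects.

```python
# Added example (not from the thread): classify a DER blob as an OCSP response
# or a CRL by its outer ASN.1 shape. Sample blobs below are constructed.

OCSP_STATUS = {0: "successful", 1: "malformedRequest", 2: "internalError",
               3: "tryLater", 5: "sigRequired", 6: "unauthorized"}

def der_read(buf, pos=0):
    """Return (tag, value_bytes, next_pos) for the TLV at pos (definite lengths only)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: 0x8N followed by N length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def der_children(value):
    """Split the contents of a constructed element into its TLV children."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = der_read(value, pos)
        out.append((tag, val))
    return out

def classify(blob):
    """Tell an OCSPResponse from a CertificateList by their first inner element."""
    tag, body, _ = der_read(blob)
    if tag != 0x30:                          # both objects are a top-level SEQUENCE
        return "not a SEQUENCE"
    kids = der_children(body)
    if kids and kids[0][0] == 0x0A:          # ENUMERATED responseStatus -> OCSPResponse
        return "OCSP response (%s)" % OCSP_STATUS.get(kids[0][1][0], "unknown status")
    if len(kids) == 3 and kids[0][0] == 0x30 and kids[2][0] == 0x03:
        # tbsCertList SEQUENCE, signatureAlgorithm SEQUENCE, signature BIT STRING
        return "CRL-shaped CertificateList"
    return "unknown"

# Constructed samples: a bare tryLater response, a "successful" response with a
# dummy payload in the [0] responseBytes slot, and a minimal CertificateList
# outline (tbsCertList {INTEGER 1}, sha256WithRSAEncryption OID, empty BIT STRING).
OCSP_TRYLATER = bytes.fromhex("30030a0103")
OCSP_OK = bytes.fromhex("300a0a0100a00504030102 03")
CRL_SHAPE = bytes.fromhex("3016" "3003020101" "300b06092a864886f70d01010b" "03020000")

if __name__ == "__main__":
    for name, blob in [("ocsp tryLater", OCSP_TRYLATER), ("ocsp ok", OCSP_OK), ("crl", CRL_SHAPE)]:
        print(name, "->", classify(blob))
```

Because OpenVPN consumes a CertificateList, a responder's answers would have to be turned into a CRL by signing a new one with the CA key; re-encoding the OCSP response as PEM does not change its type.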





------------------------------------------------------------------
 Microgate      |      02.47.66.95.01    |     www.microgate.fr

