Re: Possibility to create CRL without the CA key
Thanks very much for the hints. Finally, I decided to generate CRL for three years and replace it, when something needs to be revoked, if ever. I think the support is not good. We will have to distribute the CRL issuer certificate to partner applications to be able to verify the CRL signature. And generally, the support and knowledge about indirect crl is low among developers... Viliam On 2.5.2011 14:00, Eisenacher, Patrick wrote: Hi Villiam, -Original Message- From: Viliam Durina Sent: Monday, May 02, 2011 12:50 PM To: openssl-users Subject: Possibility to create CRL without the CA key Hello, I'm doing my own CA with openssl and want to regularly generate CRLs. We plan limited use of the CA (say 1-2 certificates per year), so the CA private key is stored in a safe on a USB stick until it is used next time. But, as far as I know, we will need it to generate CRL quite often. I see two possible solutions: 1. be able to sign the CRL with another key, signed with that CA: is this possible? 2. generate the CRL with very long validity (say 1 year) and regenerate a new one when needed: isn't this breaking some PKI rules or common practices? A CA can delegate the issuance of CRLs to a CRL issuer by issuing that instance a certifiate with the key usage cRLSign. You can read up the details on that in RFC5280, chapter CRL and CRL Extensions Profile. HTH Patrick Eisenacher __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: [openssl-users] Re: Possibility to create CRL without the CA key
Hodie IV Non. Mai. MMXI, Viliam Ďurina scripsit: Thanks very much for the hints. Finally, I decided to generate CRL for three years and replace it, when something needs to be revoked, if ever. I think the support is not good. We will have to distribute the CRL issuer certificate to partner applications to be able to verify the CRL signature. And generally, the support and knowledge about indirect crl is low among developers... That could lead to a problem with crypto toolkits that try to fetch a new CRL only when the actual has expired (it was a common behaviour some years ago, I don't know how this evolved). You could also pre-generate several CRLs, with a 1 month validity period, and disclose a new one regularly. -- Erwann ABALEA erwann.aba...@keynectis.com Département RD KEYNECTIS 11-13 rue René Jacques - 92131 Issy les Moulineaux Cedex - France Tél.: +33 1 55 64 22 07 http://www.keynectis.com - Mammifère : se dit d'un animal à squelette, poilu, qui donne du lait. Exemple : une noix de coco. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: [openssl-users] Re: Possibility to create CRL without the CA key
That's what I'm not sure about either. I think the general knowledge about CRL is low among developers and administrators, considering mine and googled knowledge. I looked at verisign's Class 1 Public Primary Certification Authority crl and it has validity from 2011-03-22 until 2011-07-01. Quite long for such large organisation (http://crl.verisign.com/pca1.crl). Some quotations from RFC 5280: * The meaning of suitably recent may vary with local policy, but it usually means the most recently issued CRL. [i.e. not any, that's still valid] * Conforming applications are not required to support processing of (...) indirect CRLs * The next CRL could be issued before the indicated date, but it will not be issued any later than the indicated date. But there are also references, that CRL is considered valid until the next update date. We will use this method and re-download CRL every 60 minutes, without regard to the nextUpdate field. Viliam On 4.5.2011 12:32, Erwann ABALEA wrote: Hodie IV Non. Mai. MMXI, Viliam Ďurina scripsit: Thanks very much for the hints. Finally, I decided to generate CRL for three years and replace it, when something needs to be revoked, if ever. I think the support is not good. We will have to distribute the CRL issuer certificate to partner applications to be able to verify the CRL signature. And generally, the support and knowledge about indirect crl is low among developers... That could lead to a problem with crypto toolkits that try to fetch a new CRL only when the actual has expired (it was a common behaviour some years ago, I don't know how this evolved). You could also pre-generate several CRLs, with a 1 month validity period, and disclose a new one regularly. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Possibility to create CRL without the CA key
Hello, I'm doing my own CA with openssl and want to regularly generate CRLs. We plan limited use of the CA (say 1-2 certificates per year), so the CA private key is stored in a safe on a USB stick until it is used next time. But, as far as I know, we will need it to generate CRL quite often. I see two possible solutions: 1. be able to sign the CRL with another key, signed with that CA: is this possible? 2. generate the CRL with very long validity (say 1 year) and regenerate a new one when needed: isn't this breaking some PKI rules or common practices? Thanks, Viliam __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
RE: Possibility to create CRL without the CA key
Hi Villiam, -Original Message- From: Viliam Durina Sent: Monday, May 02, 2011 12:50 PM To: openssl-users Subject: Possibility to create CRL without the CA key Hello, I'm doing my own CA with openssl and want to regularly generate CRLs. We plan limited use of the CA (say 1-2 certificates per year), so the CA private key is stored in a safe on a USB stick until it is used next time. But, as far as I know, we will need it to generate CRL quite often. I see two possible solutions: 1. be able to sign the CRL with another key, signed with that CA: is this possible? 2. generate the CRL with very long validity (say 1 year) and regenerate a new one when needed: isn't this breaking some PKI rules or common practices? A CA can delegate the issuance of CRLs to a CRL issuer by issuing that instance a certifiate with the key usage cRLSign. You can read up the details on that in RFC5280, chapter CRL and CRL Extensions Profile. HTH Patrick Eisenacher __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: Possibility to create CRL without the CA key
read my post: http://www.mail-archive.com/openssl-users@openssl.org/msg63740.html On 11-05-02 06:50 AM, Viliam Ďurina wrote: Hello, I'm doing my own CA with openssl and want to regularly generate CRLs. We plan limited use of the CA (say 1-2 certificates per year), so the CA private key is stored in a safe on a USB stick until it is used next time. But, as far as I know, we will need it to generate CRL quite often. I see two possible solutions: 1. be able to sign the CRL with another key, signed with that CA: is this possible? 2. generate the CRL with very long validity (say 1 year) and regenerate a new one when needed: isn't this breaking some PKI rules or common practices? Thanks, Viliam __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org