Re: Generic question on CRL use

2008-06-16 Thread Patrick Patterson
On June 16, 2008 12:46:56 pm Gilles Cuesta wrote:
> 2008/6/16 Michael Ströder <[EMAIL PROTECTED]>:
> > Gilles Cuesta wrote:
> >> So, at a time, we have 2 ClientCA with different key and different
> >> validity period, but same DN.
> >
> > This is bad practice. Try searching for "CA key roll-over".
>
> I found docs about it, but proprietary PKI, and couldn't know if this
> feature is implemented ...
>
Check the IETF PKIX mailing list. There is a thread there by Santosh Chokhani 
and Stefan Santesson that goes into this. Short answer is - you can do what 
you want, but it's REALLY tricky, and Michael is right - best practice is to 
version your CAs (so the current one is CA1, the next one is CA2, etc.).

> >> The problem is, when verifying client cert work with both ClientCA
> >> stacked; but when using CRL, old clients work only if CRL is signed by
> >> old ClientCA.
> >
> > Well, you asked for trouble...
> >
> > You could try to add the authorityKeyIdentifier extension to the CRL if
> > it's also present in the CA certs. This could work with some software.
>
> Here we are :D
>
Ummm I think you mean that you want to have, in the CRL DP in the client 
certificate, the crlIssuer field of the CRL DP - problem is that 90% of the 
software out there (Apache included) won't deal with it.

BTW: To handle the case that you are trying to do, there was a patch sent in 
by Erwann ABALEA from Keynectis to the OpenSSL Users mailing list in 
January/February this year, IIRC. Perhaps you could try that - you'd have to 
do some fairly exotic things to mod_ssl, mind you, to get it to work :)

I'm with Michael - stop using the same name each time. Version your CAs.

Have fun.

-- 
Patrick Patterson
President and Chief PKI Architect,
Carillon Information Security Inc.
http://www.carillon.ca
__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List  modssl-users@modssl.org
Automated List Manager[EMAIL PROTECTED]


Re: Generic question on CRL use

2008-06-16 Thread Michael Ströder

Gilles Cuesta wrote:
> 2008/6/16 Michael Ströder <[EMAIL PROTECTED]>:
>> Gilles Cuesta wrote:
>>> So, at a time, we have 2 ClientCA with different key and different
>>> validity period, but same DN.
>>
>> This is bad practice. Try searching for "CA key roll-over".
>
> I found docs about it, but proprietary PKI, and couldn't know if this
> feature is implemented ...

It's not a "feature"! Pretty sure there are docs out there describing 
best practices when conducting a CA key roll-over. One of the best 
practices is to change the subject DN of the CA entity cert.



>> You could try to add the authorityKeyIdentifier extension to the CRL if it's
>> also present in the CA certs. This could work with some software.
>
>   X509v3 Authority Key Identifier:
>    keyid:56:4D:A9...
>
> But it doesn't work as is, issuing "signature verification error" in
> apache error logs ...


Glad you learned so soon that it's better to rework your re-newed sub-CA 
cert. ;-)


Ciao, Michael.


Re: Generic question on CRL use

2008-06-16 Thread Gilles Cuesta
2008/6/16 Michael Ströder <[EMAIL PROTECTED]>:
> Gilles Cuesta wrote:
>>
>> So, at a time, we have 2 ClientCA with different key and different
>> validity period, but same DN.
>
> This is bad practice. Try searching for "CA key roll-over".

I found docs about it, but proprietary PKI, and couldn't know if this
feature is implemented ...

>
>> The problem is, when verifying client cert work with both ClientCA
>> stacked; but when using CRL, old clients work only if CRL is signed by
>> old ClientCA.
>
> Well, you asked for trouble...
>
> You could try to add the authorityKeyIdentifier extension to the CRL if it's
> also present in the CA certs. This could work with some software.
>

Here we are :D

apache.crl
Certificate Revocation List (CRL):
Version 2 (0x1)
...
X509v3 Authority Key Identifier:
keyid:B8:85:B4...

apache-caclient.cer
Certificate:
...
Validity
Not Before: Feb 29 12:23:38 2007 GMT
Not After : Feb 29 12:23:58 2011 GMT
...
X509v3 Key Usage: critical
Certificate Sign, CRL Sign
...
X509v3 Subject Key Identifier:
B8:85:B4...
X509v3 Authority Key Identifier:
keyid:56:4D:A9...

apache-caclient-old.cer
Certificate:
...
Validity
Not Before: May 18 14:35:12 2005 GMT
Not After : May 18 14:35:12 2009 GMT
...
   X509v3 extensions:
   X509v3 Key Usage: critical
   Certificate Sign, CRL Sign
...
   X509v3 Subject Key Identifier:
   87:1D:FC...
  X509v3 Authority Key Identifier:
   keyid:56:4D:A9...

But it doesn't work as is, issuing "signature verification error" in
apache error logs ...

Is there something to be modified in Apache/Modssl conf?

Thank you
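As an added example (not code from this thread or from mod_ssl), here is the issuer-selection step that the authorityKeyIdentifier extension makes possible, written with the Python cryptography package: two CA certs with an identical DN are constructed, a CRL is signed by the newer one, and the CRL's AKI keyid is matched to a CA's SKI before its signature is checked. The names make_ca, make_crl and find_crl_issuer, the DN "ClientCA" and the dates are this example's own.

```python
# Added example (not from the thread): two CAs share a subject DN, as in the
# setup above; assumes the 'cryptography' package. All keys, certs and the CRL
# are constructed here, so the script runs offline.
import datetime
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa

CA_DN = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "ClientCA")])
NOW = datetime.datetime(2024, 1, 1, tzinfo=datetime.timezone.utc)
YEAR = datetime.timedelta(days=365)

def make_ca(serial):
    """Self-signed CA with the shared DN and its own subjectKeyIdentifier."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    ski = x509.SubjectKeyIdentifier.from_public_key(key.public_key())
    cert = (x509.CertificateBuilder()
            .subject_name(CA_DN).issuer_name(CA_DN)
            .public_key(key.public_key()).serial_number(serial)
            .not_valid_before(NOW).not_valid_after(NOW + YEAR)
            .add_extension(ski, critical=False)
            .sign(key, hashes.SHA256()))
    return key, cert

def make_crl(ca_key, ca_cert):
    """Empty CRL signed by ca_key; its AKI keyid equals the signer's SKI."""
    ski = ca_cert.extensions.get_extension_for_class(x509.SubjectKeyIdentifier).value
    aki = x509.AuthorityKeyIdentifier(ski.digest, None, None)
    return (x509.CertificateRevocationListBuilder()
            .issuer_name(ca_cert.subject)
            .last_update(NOW).next_update(NOW + datetime.timedelta(days=7))
            .add_extension(aki, critical=False)
            .sign(ca_key, hashes.SHA256()))

def find_crl_issuer(crl, candidates):
    """Return the candidate CA cert that issued crl, or None.

    Issuer DN alone is ambiguous when several CA certs share it: a verifier
    that stops at the first DN match reports a signature error, as seen in
    the thread. The AKI keyid narrows it to the cert with the same SKI, and
    the signature check confirms the choice."""
    aki = crl.extensions.get_extension_for_class(x509.AuthorityKeyIdentifier).value
    for cert in candidates:
        if cert.subject != crl.issuer:
            continue
        ski = cert.extensions.get_extension_for_class(x509.SubjectKeyIdentifier).value
        if ski.digest == aki.key_identifier and crl.is_signature_valid(cert.public_key()):
            return cert
    return None
```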


Re: Generic question on CRL use

2008-06-16 Thread Michael Ströder

Gilles Cuesta wrote:
> So, at a time, we have 2 ClientCA with different key and different
> validity period, but same DN.

This is bad practice. Try searching for "CA key roll-over".

> The problem is, when verifying client cert work with both ClientCA
> stacked; but when using CRL, old clients work only if CRL is signed by
> old ClientCA.

Well, you asked for trouble...

You could try to add the authorityKeyIdentifier extension to the CRL if 
it's also present in the CA certs. This could work with some software.


But my strong recommendation: Fix your 2nd ClientCA cert.

Ciao, Michael.