Dear all,
I am building a private PKI using the openssl "ca" functionality.
My setup includes a root CA that issues intermediate certificates and intermediate CAs issuing endpoint certificates.
I would like to be able to automate the process of updating CRLs in order to be able to keep the CRL validity time short.
At the same time, I do not want to store passwords used for certificate creation in cleartext anywhere.
My current approach to achieve this is a separate CA only responsible for revocation.
My understanding is that such a CA is called an "indirect CRL issuer" so I'll refer to this separate CA in my setup as "indirect-revoker".
The indirect-revoker needs to be able to revoke intermediate certificates issued by the root CA as well as endpoint certificates issued by the intermediate CAs.
This is what I did configuration-wise:
I referred to the indirect-revoker in the crlDistributionPoints setting as follows:
crlDistributionPoints = my_cdp
...
[ my_cdp ]
fullname = URI:file:///home/me/tmp/ca3/intermediate/indirect-revoker/crl/ca.crl.pem
CRLissuer = dirName:crl_issuer_section
[ crl_issuer_section ]
C = DE
O = My Organization
OU = My organizational unit
CN = indirect-revoker
The generated certs contain the desired information, so that seems okay:
$ openssl x509 -in ~/tmp/ca3/intermediate/revoked/certs/ca.cert.pem -text -noout
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 4097 (0x1001)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = DE, O = My Organization, OU = My organizational unit, CN = rootca
Validity
Not Before: Mar 10 12:37:52 2022 GMT
Not After : Feb 14 12:37:52 2122 GMT
Subject: C = DE, O = My Organization, OU = My organizational unit, CN = revoked
Subject Public Key Info:
...
X509v3 extensions:
....
X509v3 CRL Distribution Points:
Full Name:
URI:file:///home/me/tmp/ca3/intermediate/indirect-revoker/crl/ca.crl.pem
CRL Issuer:
DirName:C = DE, O = My Organization, OU = My organizational unit, CN = indirect-revoker
Signature Algorithm: sha256WithRSAEncryption
....
To activate the indirect CRL mode I have added the following crl extensions to indirect-revoker's config:
crl_extensions = crl_ext
....
[ crl_ext ]
authorityKeyIdentifier=keyid:always
issuingDistributionPoint = critical, @idp_section
[idp_section]
indirectCRL = TRUE
This seems to work so far, or at least it is included in the text output of crls generated that way:
$ openssl crl -in crl/ca.crl.pem -text -noout
Certificate Revocation List (CRL):
Version 2 (0x1)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = DE, O = My Organization, OU = My organizational unit, CN = indirect-revoker
Last Update: Mar 10 10:32:30 2022 GMT
Next Update: Apr 9 10:32:30 2022 GMT
CRL extensions:
X509v3 Authority Key Identifier:
keyid:50:54:61:18:41:51:EF:1A:08:CA:D7:CF:B7:4F:C7:05:B8:C3:41:D1
X509v3 Issuing Distribution Point: critical
Indirect CRL
X509v3 CRL Number:
4096
Revoked Certificates:
Serial Number: 1001
Revocation Date: Mar 10 10:32:30 2022 GMT
Signature Algorithm: sha256WithRSAEncryption
...
Now section 5.3.3 in RFC 5280 [1] states that crl entries in indirect CRLs need to include the information which CA issued the revoked certificate.
As can be seen in the text output above the CRL Entry only contains the CRL Number but not the certificate issuer, which I believe is needed to properly match the CRL entry to the revoked certificate.
Sure enough the verification still recognizes revoked certs included in the crl as valid:
$ openssl verify -CAfile ~/tmp/ca3/rootca/certs/ca.cert.pem -CRLfile ~/tmp/ca3/intermediate/indirect-revoker/crl/ca.crl.pem ~/tmp/ca3/intermediate/revoked/certs/ca.cert.pem
/home/me/tmp/ca3/intermediate/revoked/certs/ca.cert.pem: OK
So my question is: how do I get this piece of information into the CRL?
The openssl documentation [2] explicitly states that the -crlexts option is not meant for this:
"The CRL extensions specified are CRL extensions and not CRL entry extensions. "
I could not find any other options that looked appropriate.
I also inspected the openssl source code [3] and it looks to me as if the filename of the revoked certificate is never written to the "index" file, so I do not think that it can simply be read from the revoked certificate upon CRL generation.
What am I missing? Any hints would be greatly appreciated!
Kind regards,
edr
[1] https://datatracker.ietf.org/doc/html/rfc5280#section-5.3.3
[2] https://www.openssl.org/docs/man3.0/man1/openssl-ca.html
[3] https://github.com/openssl/openssl/blob/5979596247a73d1aec7310e4da0b6023ffd79623/apps/ca.c#L2165
