Subject: CA Task #2: Revoke a Certificate
Author: authen
In response to: CA Task #1: Sign a Certificate Request
Posted on: 03/15/2008 06:14:32 PM
To revoke a certificate simply issue the command:
C:\Program Files\OpenSSL\myCA>openssl ca -config openssl.cnf -policy policy_anything \
-keyfile cakey.pem -cert cacert.pem -revoke certnew.pem
Using configuration from openssl.conf
Loading 'screen' into random state - done
Enter pass phrase for cakey.pem:<passphrase>
Revoking Certificate 01.
Data Base Updated
Notice that the database file 'index.txt' has been updated and the certificate is marked as R (revoked).
For this certificate's revocation to be publicly known, the CA needs to update its CRL (Certificate Revocation List) accordingly.
C:\Program Files\OpenSSL\myCA>openssl ca -gencrl -config openssl.cnf -keyfile cakey.pem \
-cert cacert.pem -crldays 7 -out myCA.crl
Using configuration from openssl.conf
Loading 'screen' into random state - done
Enter pass phrase for cakey.pem:<passphrase>
This will retrieve the revocation information from the database file 'index.txt', compile it into a CRL and write it to the file 'myCA.crl', which is valid for 7 days (-crldays) and should be updated after that.
This CRL file 'myCA.crl' should be made accessible via HTTP or LDAP.
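As an added defender-side check (example code written for this thread, not part of the original post or of OpenSSL itself): a small Python parser for the 'index.txt' database that `openssl ca` updates on revoke. It lists which serials are marked R, keeps the optional revocation reason, and tells you whether a revocation has happened since the last CRL was generated, i.e. whether `openssl ca -gencrl` needs to be run again before the 7-day window ends. The index.txt content below is constructed to mirror the thread's certificate 01.

```python
"""Parse an OpenSSL `openssl ca` index.txt database and report revoked certificates."""
from datetime import datetime, timezone

# Constructed sample of index.txt, tab-separated:
# status (V/R/E), expiry, revocation date[,reason], serial (hex), filename, subject DN
SAMPLE_INDEX = (
    "R\t090306234632Z\t080315181432Z\t01\tunknown\t"
    "/C=US/ST=CA/L=Sunnyvale/O=Test Inc/OU=Test Department/CN=MyTestServer"
    "/emailAddress=MyTestServer@testinc.com\n"
    "V\t090320120000Z\t\t02\tunknown\t/C=US/O=Test Inc/CN=OtherServer\n"
    "R\t090401000000Z\t080316090000Z,keyCompromise\t03\tunknown\t"
    "/C=US/O=Test Inc/CN=LostLaptop\n"
)


def parse_time(stamp):
    """index.txt stores UTCTime (YYMMDDHHMMSSZ) or GeneralizedTime (YYYYMMDDHHMMSSZ)."""
    fmt = "%y%m%d%H%M%SZ" if len(stamp) == 13 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(stamp, fmt).replace(tzinfo=timezone.utc)


def parse_index(text):
    """Return one dict per index.txt row; revoked rows carry revoked_at and reason."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        status, expiry, revoked, serial, _filename, subject = line.split("\t")
        entry = {"status": status, "expires": parse_time(expiry), "serial": serial,
                 "subject": subject, "revoked_at": None, "reason": None}
        if status == "R" and revoked:
            when, _, reason = revoked.partition(",")  # reason is optional
            entry["revoked_at"] = parse_time(when)
            entry["reason"] = reason or None
        entries.append(entry)
    return entries


def revoked_serials(entries):
    """Set of serials (as written in the index, e.g. '01') marked R."""
    return {e["serial"] for e in entries if e["status"] == "R"}


def is_revoked(entries, serial):
    """Case-insensitive lookup of a hex serial against the revoked set."""
    return serial.upper() in {s.upper() for s in revoked_serials(entries)}


def needs_new_crl(entries, last_crl_issued):
    """True if any revocation postdates the last CRL, so -gencrl must be re-run."""
    return any(e["revoked_at"] and e["revoked_at"] > last_crl_issued for e in entries)
```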
> On 03/07/2008 07:55:14 PM authen wrote:
Signing a certificate request means that you have yourself assured the authenticity of the certificate. To sign any message, you create its hash and then encrypt the hash with your private key; you then add the encrypted hash and your signed certificate to the message. The recipient will recreate the message hash, decrypt the encrypted hash using your well-known public key stored in your signed certificate, check that both hashes are equal and finally check the certificate.
A certificate request is created by a client and brought here for your CA's trust or endorsement. The creation of the client's certificate and request is out of the CA camp, but the process is briefed here for the sake of completeness.
Client: Generate a private key
C:\OpenSSL\client>openssl genrsa -des3 -out privkey.pem 1024
Loading 'screen' into random state - done
Generating RSA private key, 1024 bit long modulus
.......................++++++
..............++++++
e is 65537 (0x10001)
Enter pass phrase for privkey.pem:<passphrase>
Verifying - Enter pass phrase for privkey.pem:<passphrase>
Client: Generate a certificate request
C:\OpenSSL\client>openssl req -new -key privkey.pem -out cert.csr
Enter pass phrase for privkey.pem:<passphrase>
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:CA
Locality Name (eg, city) []:Sunnyvale
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Test Inc
Organizational Unit Name (eg, section) []:Test Department
Common Name (eg, YOUR name) []:MyTestServer
Email Address []:MyTestServer@testinc.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:<password>
An optional company name []:MyTestProxyServer
CA: Sign a certificate request
Once you have the certificate request 'cert.csr' from the client, you can go ahead to sign it. If this is the first request for your CA, make sure that the file 'index.txt' is empty and that the file 'serial' contains 01.
C:\OpenSSL\myCA>openssl ca -config openssl.cnf -policy policy_anything \
-keyfile cakey.pem -cert cacert.pem -out certnew.pem -days 365 -infiles cert.csr
Using configuration from openssl.conf
Loading 'screen' into random state - done
Enter pass phrase for cakey.pem:<passphrase>
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Mar 6 23:46:32 2008 GMT
Not After : Mar 6 23:46:32 2009 GMT
Subject:
countryName = US
stateOrProvinceName = CA
localityName = Sunnyvale
organizationName = Test Inc
organizationalUnitName = Test Department
commonName = MyTestServer
emailAddress = MyTestServer@testinc.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
AE:C7:10:89:AE:81:D2:1B:86:06:B1:03:E6:E0:83:D9:9C:6C:40:A6
X509v3 Authority Key Identifier:
keyid:18:DE:C7:F0:44:60:79:9D:B4:37:DC:EC:2D:74:54:9F:32:96:44:B8
Certificate is to be certified until Mar 6 23:46:32 2009 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
This will sign the request 'cert.csr' using your CA's private key 'cacert.pem' and public certificate 'cacert.pem', and commit the certificate as 'certnew.pem'. For management purposes, your CA will automatically generate an identical copy 'xx.pem' under the directory ./newcerts. Also beware that the tracking index file 'index.txt' and the sequence number file 'serial' have been updated accordingly.
The file 'certnew.pem' is the response to the client's request and should be sent back to your client. Here is what the file looks like:
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1 (0x1)
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=US, ST=California, L=San Francisco, O=Open CA, OU=Open CA,
CN=My Root CA
Validity
Not Before: Mar 6 23:46:32 2008 GMT
Not After : Mar 6 23:46:32 2009 GMT
Subject: C=US, ST=CA, L=Sunnyvale, O=Test Inc, OU=Test Department,
CN=MyTestServer/emailAddress=MyTestServer@testinc.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Modulus (1024 bit):
00:d7:1d:5a:2c:0e:63:c5:3c:1a:94:bf:db:84:90:
00:7f:39:17:e9:00:6f:62:15:50:8a:cd:04:a1:ad:
54:ca:fa:58:e5:d1:50:46:a8:df:4c:29:ea:22:83:
aa:10:d9:d1:c7:d7:ad:06:10:db:00:71:ac:fc:fe:
db:ee:6b:c7:94:9d:b5:6a:e6:b4:4a:ce:56:16:ca:
03:c0:99:4e:a9:4e:90:62:61:88:3b:6a:38:22:26:
7f:99:e2:c2:9f:14:94:38:02:48:e2:ec:d8:95:91:
72:3e:6a:d3:ed:e1:9c:31:58:38:e8:28:5f:5d:24:
89:38:43:13:4a:95:31:86:09
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
AE:C7:10:89:AE:81:D2:1B:86:06:B1:03:E6:E0:83:D9:9C:6C:40:A6
X509v3 Authority Key Identifier:
keyid:18:DE:C7:F0:44:60:79:9D:B4:37:DC:EC:2D:74:54:9F:32:96:44:B8
Signature Algorithm: sha1WithRSAEncryption
26:f9:b0:bf:4d:37:5b:4e:a8:74:c1:75:d5:6d:4b:f1:96:b8:
cb:4e:c6:e6:7b:0c:8a:e7:da:3d:fb:ec:2e:52:1f:09:5f:87:
64:9f:c6:d6:46:84:44:90:1a:cf:f8:13:de:6f:e3:7e:ac:00:
8e:9e:55:a2:e2:a8:7b:44:34:ab:61:e2:85:43:b8:37:77:a7:
f0:ed:97:34:79:e1:a8:70:3d:06:f9:45:19:4c:1e:ad:e2:4f:
b9:e6:8c:f9:7b:65:ff:fa:96:e8:c8:aa:26:5e:59:c8:31:74:
ea:72:a4:6d:50:e5:30:53:13:c5:2f:be:4d:48:be:27:2d:ed:
cf:ef:25:14:ee:2d:bc:e2:3a:d6:17:4b:bc:dc:f9:1a:b2:ff:
2c:17:6b:ef:e4:d1:a5:78:b7:4c:b0:9d:a8:2c:2e:c8:eb:6f:
f2:a1:d1:e7:e4:ca:5b:de:3a:4f:f0:a0:01:1b:c9:6e:82:42:
cd:80:a2:ec:10:aa:4c:48:19:fd:29:6f:9f:72:04:75:12:67:
93:be:fd:97:b0:24:06:50:ed:3e:7e:ce:a2:da:e6:be:ea:e0:
f6:62:eb:2e:e2:a5:28:a5:7f:fe:70:e8:15:58:00:02:d9:4b:
bf:c6:2a:62:08:1e:2c:64:61:30:ca:fa:4e:d9:28:22:10:eb:
4a:6c:d5:2b
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
Obviously, you can strip the extra text by just keeping the content between -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- before sending it back to your client as the response.
CA: Trim a certificate
C:\OpenSSL\myCA>openssl x509 -in certnew.pem -out certnew.cer