Merge pull request #42 from rabbitmq/lukebakken/gh-41

Add make target in basic profile to generate crl
rabbitmq · Apr 4, 2022 · 7fcafe1 · 7fcafe1
2 parents d3b13c0 + 5f3c541
commit 7fcafe1
Show file tree

Hide file tree

Showing 4 changed files with 49 additions and 18 deletions.
diff --git a/.gitignore b/.gitignore
@@ -1,7 +1,7 @@
-testca/*
-server/*
-client/*
-result/*
+testca/
+server/
+client/
+result/
 *.cer
 *.pem
 *.old

diff --git a/basic/Makefile b/basic/Makefile
@@ -1 +1,11 @@
 include ../common.mk
+
+gen-crl:
+	$(OPENSSL) ca -config openssl.cnf -gencrl -keyfile $(CURDIR)/testca/private/cakey.pem -cert $(CURDIR)/testca/cacert.pem -out $(CURDIR)/result/basic.crl.pem
+	$(OPENSSL) crl -inform PEM -in $(CURDIR)/result/basic.crl.pem -outform DER -out $(CURDIR)/result/basic.crl
+
+server:
+	openssl s_server -cert $(CURDIR)/result/server_$(CN)_certificate.pem -key $(CURDIR)/result/server_$(CN)_key.pem -CAfile $(CURDIR)/result/ca_certificate.pem
+
+client:
+	openssl s_client -cert $(CURDIR)/result/client_$(CN)_certificate.pem  -key $(CURDIR)/result/client_$(CN)_key.pem -CAfile $(CURDIR)/result/ca_certificate.pem -verify 8 -verify_hostname $(CN)
diff --git a/basic/README.md b/basic/README.md
@@ -77,3 +77,24 @@ make info
 ```
 
 This assumes the certificates were previously generated.
+
+## CRL
+
+The Root CA creates certificates whose CRL distribution point is `http://localhost:8000/basic.crl`. To make this CRL available, Python 3 can be used:
+
+```
+cd result
+python -m http.server
+```
+
+If you need to test revoking a certificate do the following from the `basic` directory:
+
+```
+openssl ca -config openssl.cnf -revoke ./result/server_MY-CN_certificate.pem -keyfile ./testca/private/cakey.pem -cert ./testca/cacert.pem
+```
+
+Then regenerate the CRL file:
+
+```
+make gen-crl
+```
diff --git a/basic/openssl.cnf b/basic/openssl.cnf
@@ -48,26 +48,26 @@ x509_extensions    = root_ca_extensions
 commonName = hostname
 
 [ root_ca_extensions ]
-basicConstraints = CA:true
-keyUsage         = keyCertSign, cRLSign
-subjectKeyIdentifier = hash
+basicConstraints       = critical,CA:true
+keyUsage               = keyCertSign, cRLSign
+subjectKeyIdentifier   = hash
 authorityKeyIdentifier = keyid:always,issuer
-basicConstraints = critical,CA:true
-
 
 [ client_extensions ]
-basicConstraints = CA:false
-keyUsage         = digitalSignature,keyEncipherment
-extendedKeyUsage = clientAuth
-subjectAltName   = @client_alt_names
+basicConstraints       = CA:false
+keyUsage               = digitalSignature,keyEncipherment
+extendedKeyUsage       = clientAuth
+subjectAltName         = @client_alt_names
+crlDistributionPoints  = URI:http://localhost:8000/basic.crl
 
 [ server_extensions ]
-basicConstraints = CA:false
-keyUsage         = digitalSignature,keyEncipherment
-extendedKeyUsage = serverAuth
-subjectAltName   = @server_alt_names
-subjectKeyIdentifier = hash
+basicConstraints       = CA:false
+keyUsage               = digitalSignature,keyEncipherment
+extendedKeyUsage       = serverAuth
+subjectAltName         = @server_alt_names
+subjectKeyIdentifier   = hash
 authorityKeyIdentifier = keyid,issuer
+crlDistributionPoints  = URI:http://localhost:8000/basic.crl
 
 [ client_alt_names ]
 DNS.1 = $common_name