diff --git a/.gitignore b/.gitignore index b306dc1..01402bb 100644 --- a/.gitignore +++ b/.gitignore @@ -1,7 +1,7 @@ -testca/* -server/* -client/* -result/* +testca/ +server/ +client/ +result/ *.cer *.pem *.old diff --git a/basic/Makefile b/basic/Makefile index 23f8a8f..1b9693d 100644 --- a/basic/Makefile +++ b/basic/Makefile @@ -1 +1,11 @@ include ../common.mk + +gen-crl: + $(OPENSSL) ca -config openssl.cnf -gencrl -keyfile $(CURDIR)/testca/private/cakey.pem -cert $(CURDIR)/testca/cacert.pem -out $(CURDIR)/result/basic.crl.pem + $(OPENSSL) crl -inform PEM -in $(CURDIR)/result/basic.crl.pem -outform DER -out $(CURDIR)/result/basic.crl + +server: + openssl s_server -cert $(CURDIR)/result/server_$(CN)_certificate.pem -key $(CURDIR)/result/server_$(CN)_key.pem -CAfile $(CURDIR)/result/ca_certificate.pem + +client: + openssl s_client -cert $(CURDIR)/result/client_$(CN)_certificate.pem -key $(CURDIR)/result/client_$(CN)_key.pem -CAfile $(CURDIR)/result/ca_certificate.pem -verify 8 -verify_hostname $(CN) diff --git a/basic/README.md b/basic/README.md index 46f0a1c..d37e6b6 100644 --- a/basic/README.md +++ b/basic/README.md @@ -77,3 +77,24 @@ make info ``` This assumes the certificates were previously generated. + +## CRL + +The Root CA creates certificates whose CRL distribution point is `http://localhost:8000/basic.crl`. To make this CRL available, Python 3 can be used: + +``` +cd result +python -m http.server +``` + +If you need to test revoking a certificate do the following from the `basic` directory: + +``` +openssl ca -config openssl.cnf -revoke ./result/server_MY-CN_certificate.pem -keyfile ./testca/private/cakey.pem -cert ./testca/cacert.pem +``` + +Then regenerate the CRL file: + +``` +make gen-crl +``` diff --git a/basic/openssl.cnf b/basic/openssl.cnf index c509112..345470d 100644 --- a/basic/openssl.cnf +++ b/basic/openssl.cnf @@ -48,26 +48,26 @@ x509_extensions = root_ca_extensions commonName = hostname [ root_ca_extensions ] -basicConstraints = CA:true -keyUsage = keyCertSign, cRLSign -subjectKeyIdentifier = hash +basicConstraints = critical,CA:true +keyUsage = keyCertSign, cRLSign +subjectKeyIdentifier = hash authorityKeyIdentifier = keyid:always,issuer -basicConstraints = critical,CA:true - [ client_extensions ] -basicConstraints = CA:false -keyUsage = digitalSignature,keyEncipherment -extendedKeyUsage = clientAuth -subjectAltName = @client_alt_names +basicConstraints = CA:false +keyUsage = digitalSignature,keyEncipherment +extendedKeyUsage = clientAuth +subjectAltName = @client_alt_names +crlDistributionPoints = URI:http://localhost:8000/basic.crl [ server_extensions ] -basicConstraints = CA:false -keyUsage = digitalSignature,keyEncipherment -extendedKeyUsage = serverAuth -subjectAltName = @server_alt_names -subjectKeyIdentifier = hash +basicConstraints = CA:false +keyUsage = digitalSignature,keyEncipherment +extendedKeyUsage = serverAuth +subjectAltName = @server_alt_names +subjectKeyIdentifier = hash authorityKeyIdentifier = keyid,issuer +crlDistributionPoints = URI:http://localhost:8000/basic.crl [ client_alt_names ] DNS.1 = $common_name