From 5f3c541d8f9a8141a657d7d0578933a28a252f67 Mon Sep 17 00:00:00 2001
From: Luke Bakken <luke@bakken.io>
Date: Thu, 31 Mar 2022 15:38:09 -0700
Subject: [PATCH] Add make target in basic profile to generate crl

Fixes #41

Add targets to start s_server and s_client

Add CRL dist points to client cert
---
 .gitignore        |  8 ++++----
 basic/Makefile    | 10 ++++++++++
 basic/README.md   | 21 +++++++++++++++++++++
 basic/openssl.cnf | 28 ++++++++++++++--------------
 4 files changed, 49 insertions(+), 18 deletions(-)

diff --git a/.gitignore b/.gitignore
index b306dc1..01402bb 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,7 +1,7 @@
-testca/*
-server/*
-client/*
-result/*
+testca/
+server/
+client/
+result/
 *.cer
 *.pem
 *.old
diff --git a/basic/Makefile b/basic/Makefile
index 23f8a8f..1b9693d 100644
--- a/basic/Makefile
+++ b/basic/Makefile
@@ -1 +1,11 @@
 include ../common.mk
+
+gen-crl:
+	$(OPENSSL) ca -config openssl.cnf -gencrl -keyfile $(CURDIR)/testca/private/cakey.pem -cert $(CURDIR)/testca/cacert.pem -out $(CURDIR)/result/basic.crl.pem
+	$(OPENSSL) crl -inform PEM -in $(CURDIR)/result/basic.crl.pem -outform DER -out $(CURDIR)/result/basic.crl
+
+server:
+	openssl s_server -cert $(CURDIR)/result/server_$(CN)_certificate.pem -key $(CURDIR)/result/server_$(CN)_key.pem -CAfile $(CURDIR)/result/ca_certificate.pem
+
+client:
+	openssl s_client -cert $(CURDIR)/result/client_$(CN)_certificate.pem  -key $(CURDIR)/result/client_$(CN)_key.pem -CAfile $(CURDIR)/result/ca_certificate.pem -verify 8 -verify_hostname $(CN)
diff --git a/basic/README.md b/basic/README.md
index 46f0a1c..d37e6b6 100644
--- a/basic/README.md
+++ b/basic/README.md
@@ -77,3 +77,24 @@ make info
 ```
 
 This assumes the certificates were previously generated.
+
+## CRL
+
+The Root CA creates certificates whose CRL distribution point is `http://localhost:8000/basic.crl`. To make this CRL available, Python 3 can be used:
+
+```
+cd result
+python -m http.server
+```
+
+If you need to test revoking a certificate do the following from the `basic` directory:
+
+```
+openssl ca -config openssl.cnf -revoke ./result/server_MY-CN_certificate.pem -keyfile ./testca/private/cakey.pem -cert ./testca/cacert.pem
+```
+
+Then regenerate the CRL file:
+
+```
+make gen-crl
+```
diff --git a/basic/openssl.cnf b/basic/openssl.cnf
index c509112..345470d 100644
--- a/basic/openssl.cnf
+++ b/basic/openssl.cnf
@@ -48,26 +48,26 @@ x509_extensions    = root_ca_extensions
 commonName = hostname
 
 [ root_ca_extensions ]
-basicConstraints = CA:true
-keyUsage         = keyCertSign, cRLSign
-subjectKeyIdentifier = hash
+basicConstraints       = critical,CA:true
+keyUsage               = keyCertSign, cRLSign
+subjectKeyIdentifier   = hash
 authorityKeyIdentifier = keyid:always,issuer
-basicConstraints = critical,CA:true
-
 
 [ client_extensions ]
-basicConstraints = CA:false
-keyUsage         = digitalSignature,keyEncipherment
-extendedKeyUsage = clientAuth
-subjectAltName   = @client_alt_names
+basicConstraints       = CA:false
+keyUsage               = digitalSignature,keyEncipherment
+extendedKeyUsage       = clientAuth
+subjectAltName         = @client_alt_names
+crlDistributionPoints  = URI:http://localhost:8000/basic.crl
 
 [ server_extensions ]
-basicConstraints = CA:false
-keyUsage         = digitalSignature,keyEncipherment
-extendedKeyUsage = serverAuth
-subjectAltName   = @server_alt_names
-subjectKeyIdentifier = hash
+basicConstraints       = CA:false
+keyUsage               = digitalSignature,keyEncipherment
+extendedKeyUsage       = serverAuth
+subjectAltName         = @server_alt_names
+subjectKeyIdentifier   = hash
 authorityKeyIdentifier = keyid,issuer
+crlDistributionPoints  = URI:http://localhost:8000/basic.crl
 
 [ client_alt_names ]
 DNS.1 = $common_name