This section describes how to use an OpenSSL CA to generate a certificate revocation list (CRL). A CRL is a list of X.509 certificates that are no longer considered to be valid. You can deploy a CRL file to a secure application, so that the application automatically rejects certificates that appear in the list.
For details about how to deploy a CRL file, see Specifying a Certificate Revocation List.
In order to generate a certificate revocation list, it is not sufficient simply to assemble a list of certificates that you would like to revoke. The CA, just as it is responsible for creating and signing certificates, is also responsible for revoking certificates. When you decide to revoke a certificate, you must inform the CA, which records this fact in its database.
After revoking certificates, you can ask the CA to generate a signed certificate revocation list.
To generate a certificate revocation list, perform the following steps:
On the secure CA host, add the OpenSSL bin directory to your path:

Windows

```
> set PATH=OpenSSLDir\bin;%PATH%
```

UNIX

```
% PATH=OpenSSLDir/bin:$PATH; export PATH
```

This step makes the openssl utility available from the command line.
To add a certificate, CertName.pem, to the revocation list, enter the following command:

```
openssl ca -config X509CA/openssl.cnf -revoke X509CA/certs/CertName.pem
```

The command prompts you for the CA pass phrase and then revokes the certificate:

```
Using configuration from openssl.cnf
Loading 'screen' into random state - done
Enter pass phrase for C:/temp/artix_40/X509CA/ca/new_ca_pk.pem:
DEBUG[load_index]: unique_subject = "yes"
Adding Entry with serial number 02 to DB for /C=IE/ST=Dublin/O=IONA/CN=bad_guy
Revoking Certificate 02.
Data Base Updated
```
Repeat this step as many times as necessary to add certificates to the CA’s revocation list.
Note: If you get the following error while attempting to revoke a certificate:

```
unable to rename C:/temp/artix_40/X509CA/index.txt to C:/temp/artix_40/X509CA/index.txt.old
reason: File exists
```

Simply delete
To generate a PEM file, crl.pem, containing the CA's complete certificate revocation list, enter the following command:

```
openssl ca -config X509CA/openssl.cnf -gencrl -out crl/crl.pem
```

The command prompts you for the CA pass phrase and then generates the crl.pem file:

```
Using configuration from openssl.cnf
Loading 'screen' into random state - done
Enter pass phrase for C:/temp/artix_40/X509CA/ca/new_ca_pk.pem:
DEBUG[load_index]: unique_subject = "yes"
```
Check the contents of the CRL file by converting it to plain text format, using the following command:

```
openssl crl -in crl/crl.pem -text
```

For a single revoked certificate with serial number 02 (that is, the second certificate in the OpenSSL CA's database), the output of this command would look something like the following:

```
Certificate Revocation List (CRL):
        Version 1 (0x0)
        Signature Algorithm: md5WithRSAEncryption
        Issuer: /C=IE/ST=Dublin/O=IONA/CN=CA_for_CRL
        Last Update: Feb 15 10:47:40 2006 GMT
        Next Update: Mar 15 10:47:40 2006 GMT
Revoked Certificates:
    Serial Number: 02
        Revocation Date: Feb 15 10:45:05 2006 GMT
    Signature Algorithm: md5WithRSAEncryption
        69:3e:55:8a:20:a0:57:d2:36:79:f0:34:bb:73:65:1e:1c:a9:
        40:35:8d:c4:e6:b9:77:fd:2b:1f:a8:26:0c:7a:fb:30:67:7f:
        6a:13:74:58:b9:e2:88:e7:ad:c5:d2:62:48:6b:1e:f6:10:0d:
        45:cc:11:cb:6b:48:28:e2:78:ad:f0:cf:fd:d6:57:78:f2:aa:
        19:8b:bc:62:79:9b:90:f7:18:ba:96:dc:7b:a5:b4:d5:bf:0f:
        e8:5e:71:89:4b:38:8c:f8:75:17:dd:ba:74:f1:01:e0:48:d0:
        e4:f4:dd:ea:47:32:8b:70:5e:1d:9a:4a:88:41:ba:bf:b2:39:
        ce:32
-----BEGIN X509 CRL-----
MIIBHTCBhzANBgkqhkiG9w0BAQQFADBCMQswCQYDVQQGEwJJRTEPMA0GA1UECBMG
RHVibGluMQ0wCwYDVQQKEwRJT05BMRMwEQYDVQQDFApDQV9mb3JfQ1JMFw0wNjAy
MTUxMDQ3NDBaFw0wNjAzMTUxMDQ3NDBaMBQwEgIBAhcNMDYwMjE1MTA0NTA1WjAN
BgkqhkiG9w0BAQQFAAOBgQBpPlWKIKBX0jZ58DS7c2UeHKlANY3E5rl3/SsfqCYM
evswZ39qE3RYueKI563F0mJIax72EA1FzBHLa0go4nit8M/91ld48qoZi7xieZuQ
9xi6ltx7pbTVvw/oXnGJSziM+HUX3bp08QHgSNDk9N3qRzKLcF4dmkqIQbq/sjnO
Mg==
-----END X509 CRL-----
```
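The `openssl crl -text` dump above shows what a deploying application actually consumes from crl.pem: the issuer, the validity window (Last Update / Next Update) and the list of revoked serial numbers. The following Python script is an added example, not code from this page, from OpenSSL or from the Artix product; it is a stdlib-only DER walker that reads a CRL in PEM form, extracts those fields, and answers the question an application asks when it rejects a certificate "that appears in the list": is this serial number revoked, and is the CRL still within its Next Update window? It assumes the sample PEM embedded below is the CRL printed on this page (serial 02 revoked by CA_for_CRL). The `SAMPLE_CRL_PEM`, `parse_crl` and `is_revoked` names are the example's own. The script deliberately stops at parsing; in a real deployment the CRL signature must first be verified against the CA certificate, and note that the page's sample CRL is signed with md5WithRSAEncryption, which current validators refuse.

```python
import base64
import re
from datetime import datetime, timezone

# Constructed sample: the CRL printed on this page (serial 02 revoked by CA_for_CRL).
SAMPLE_CRL_PEM = """-----BEGIN X509 CRL-----
MIIBHTCBhzANBgkqhkiG9w0BAQQFADBCMQswCQYDVQQGEwJJRTEPMA0GA1UECBMG
RHVibGluMQ0wCwYDVQQKEwRJT05BMRMwEQYDVQQDFApDQV9mb3JfQ1JMFw0wNjAy
MTUxMDQ3NDBaFw0wNjAzMTUxMDQ3NDBaMBQwEgIBAhcNMDYwMjE1MTA0NTA1WjAN
BgkqhkiG9w0BAQQFAAOBgQBpPlWKIKBX0jZ58DS7c2UeHKlANY3E5rl3/SsfqCYM
evswZ39qE3RYueKI563F0mJIax72EA1FzBHLa0go4nit8M/91ld48qoZi7xieZuQ
9xi6ltx7pbTVvw/oXnGJSziM+HUX3bp08QHgSNDk9N3qRzKLcF4dmkqIQbq/sjnO
Mg==
-----END X509 CRL-----
"""

# DER-encoded OIDs: X.520 attribute types (2.5.4.x) and PKCS#1 signature algorithms.
ATTR_NAMES = {b"\x55\x04\x06": "C", b"\x55\x04\x08": "ST", b"\x55\x04\x07": "L",
              b"\x55\x04\x0a": "O", b"\x55\x04\x0b": "OU", b"\x55\x04\x03": "CN"}
SIG_ALGS = {bytes.fromhex("2a864886f70d010104"): "md5WithRSAEncryption",
            bytes.fromhex("2a864886f70d010105"): "sha1WithRSAEncryption",
            bytes.fromhex("2a864886f70d01010b"): "sha256WithRSAEncryption"}


def pem_to_der(pem):
    m = re.search(r"-----BEGIN X509 CRL-----(.*?)-----END X509 CRL-----", pem, re.S)
    if not m:
        raise ValueError("no X509 CRL PEM block found")
    return base64.b64decode("".join(m.group(1).split()))


def read_tlv(buf, pos):
    """Decode one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        if n == 0 or n > 4:
            raise ValueError("unsupported DER length encoding")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("DER element overruns buffer")
    return tag, buf[pos:pos + length], pos + length


def read_children(value):
    """Split the contents of a constructed element into its (tag, value) members."""
    out, pos = [], 0
    while pos < len(value):
        tag, v, pos = read_tlv(value, pos)
        out.append((tag, v))
    return out


def parse_time(tag, value):
    fmt = {0x17: "%y%m%d%H%M%SZ", 0x18: "%Y%m%d%H%M%SZ"}.get(tag)  # UTCTime / GeneralizedTime
    if fmt is None:
        raise ValueError("unexpected time tag 0x%02x" % tag)
    return datetime.strptime(value.decode("ascii"), fmt).replace(tzinfo=timezone.utc)


def parse_name(value):
    """Render an X.501 Name in OpenSSL's /C=IE/ST=... style (a SEQUENCE of SETs)."""
    parts = []
    for _, rdn in read_children(value):
        for _, atv in read_children(rdn):
            (_, oid), (str_tag, raw) = read_children(atv)
            # UTF8String is 0x0C; PrintableString/IA5String/T61String are ASCII-compatible.
            text = raw.decode("utf-8") if str_tag == 0x0C else raw.decode("latin-1")
            parts.append("%s=%s" % (ATTR_NAMES.get(oid, oid.hex()), text))
    return "/" + "/".join(parts)


def parse_crl(pem):
    """Return the fields of a CertificateList (RFC 5280 section 5.1) as a dict."""
    tag, cert_list, _ = read_tlv(pem_to_der(pem), 0)
    if tag != 0x30:
        raise ValueError("CRL is not a SEQUENCE")
    (_, tbs), (_, sig_alg), (_, sig) = read_children(cert_list)
    fields = read_children(tbs)
    version, i = 1, 0
    if fields[0][0] == 0x02:               # optional version INTEGER; absent means v1
        version, i = int.from_bytes(fields[0][1], "big") + 1, 1
    alg_oid = read_children(sig_alg)[0][1]
    issuer = parse_name(fields[i + 1][1])  # fields[i] is the inner signature AlgorithmIdentifier
    this_update = parse_time(*fields[i + 2])
    i += 3
    next_update = None
    if i < len(fields) and fields[i][0] in (0x17, 0x18):
        next_update = parse_time(*fields[i])
        i += 1
    revoked = {}
    if i < len(fields) and fields[i][0] == 0x30:   # revokedCertificates SEQUENCE OF
        for _, entry in read_children(fields[i][1]):
            (_, serial), (t_tag, t_val) = read_children(entry)[:2]
            revoked[int.from_bytes(serial, "big", signed=True)] = parse_time(t_tag, t_val)
    return {"version": version, "issuer": issuer,
            "signature_algorithm": SIG_ALGS.get(alg_oid, alg_oid.hex()),
            "this_update": this_update, "next_update": next_update,
            "revoked": revoked, "signature_bits": (len(sig) - 1) * 8}


def is_revoked(crl, serial, now=None):
    """Revocation check to run after the CRL signature has been verified against the CA.
    A CRL past its nextUpdate is stale and must be refreshed rather than trusted."""
    now = now or datetime.now(timezone.utc)
    if crl["next_update"] is not None and now > crl["next_update"]:
        raise ValueError("CRL expired at %s; fetch a fresh one" % crl["next_update"])
    return serial in crl["revoked"]
```

Running `parse_crl(SAMPLE_CRL_PEM)` reproduces the fields of the `-text` dump (version 1, issuer /C=IE/ST=Dublin/O=IONA/CN=CA_for_CRL, serial 2 revoked on 2006-02-15 10:45:05 UTC, a 1024-bit md5WithRSAEncryption signature). `is_revoked` refuses to answer once the clock is past Next Update, which for this 2006 sample means any present-day call raises; an application that silently kept using an expired CRL would accept certificates the CA has since revoked.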