
Generating a Certificate Revocation List

This section describes how to use an OpenSSL CA to generate a certificate revocation list (CRL). A CRL is a list of X.509 certificates that are no longer considered to be valid. You can deploy a CRL file to a secure application, so that the application automatically rejects certificates that appear in the list.

For details about how to deploy a CRL file, see Specifying a Certificate Revocation List.

In order to generate a certificate revocation list, it is not sufficient simply to assemble a list of certificates that you would like to revoke. The CA, just as it is responsible for creating and signing certificates, is also responsible for revoking certificates. When you decide to revoke a certificate, you must inform the CA, which records this fact in its database.

After revoking certificates, you can ask the CA to generate a signed certificate revocation list.

To generate a certificate revocation list, perform the following steps:

On the secure CA host, add the OpenSSL bin directory to your path:

Windows

> set PATH=OpenSSLDir\bin;%PATH%

UNIX

% PATH=OpenSSLDir/bin:$PATH; export PATH

This step makes the openssl utility available from the command line.

To add a certificate, CertName.pem, to the revocation list, enter the following command:

openssl ca -config X509CA/openssl.cnf -revoke X509CA/certs/CertName.pem

The command prompts you for the CA pass phrase and then revokes the certificate:

Using configuration from openssl.cnf
Loading 'screen' into random state - done
Enter pass phrase for C:/temp/artix_40/X509CA/ca/new_ca_pk.pem:
DEBUG[load_index]: unique_subject = "yes"
Adding Entry with serial number 02 to DB for /C=IE/ST=Dublin/O=IONA/CN=bad_guy
Revoking Certificate 02.
Data Base Updated

Repeat this step as many times as necessary to add certificates to the CA’s revocation list.

Note

If you get the following error while attempting to revoke a certificate:

unable to rename C:/temp/artix_40/X509CA/index.txt to C:/temp/artix_40/X509CA/index.txt.old

reason: File exists

Simply delete index.txt.old and then try the command again.

To generate a PEM file, crl.pem, containing the CA’s complete certificate revocation list, enter the following command:

openssl ca -config X509CA/openssl.cnf -gencrl -out crl/crl.pem

The command prompts you for the CA pass phrase and then generates the crl.pem file:

Using configuration from openssl.cnf
Loading 'screen' into random state - done
Enter pass phrase for C:/temp/artix_40/X509CA/ca/new_ca_pk.pem:
DEBUG[load_index]: unique_subject = "yes"

Check the contents of the CRL file by converting it to plain text format, using the following command:

openssl crl -in crl/crl.pem -text

For a single revoked certificate with serial number 02 (that is, the second certificate in the OpenSSL CA’s database), the output of this command would look something like the following:

Certificate Revocation List (CRL):
 Version 1 (0x0)
 Signature Algorithm: md5WithRSAEncryption
 Issuer: /C=IE/ST=Dublin/O=IONA/CN=CA_for_CRL
 Last Update: Feb 15 10:47:40 2006 GMT
 Next Update: Mar 15 10:47:40 2006 GMT
Revoked Certificates:
 Serial Number: 02
 Revocation Date: Feb 15 10:45:05 2006 GMT
 Signature Algorithm: md5WithRSAEncryption
 69:3e:55:8a:20:a0:57:d2:36:79:f0:34:bb:73:65:1e:1c:a9:
 40:35:8d:c4:e6:b9:77:fd:2b:1f:a8:26:0c:7a:fb:30:67:7f:
 6a:13:74:58:b9:e2:88:e7:ad:c5:d2:62:48:6b:1e:f6:10:0d:
 45:cc:11:cb:6b:48:28:e2:78:ad:f0:cf:fd:d6:57:78:f2:aa:
 19:8b:bc:62:79:9b:90:f7:18:ba:96:dc:7b:a5:b4:d5:bf:0f:
 e8:5e:71:89:4b:38:8c:f8:75:17:dd:ba:74:f1:01:e0:48:d0:
 e4:f4:dd:ea:47:32:8b:70:5e:1d:9a:4a:88:41:ba:bf:b2:39:
 ce:32
-----BEGIN X509 CRL-----
MIIBHTCBhzANBgkqhkiG9w0BAQQFADBCMQswCQYDVQQGEwJJRTEPMA0GA1UECBMG
RHVibGluMQ0wCwYDVQQKEwRJT05BMRMwEQYDVQQDFApDQV9mb3JfQ1JMFw0wNjAy
MTUxMDQ3NDBaFw0wNjAzMTUxMDQ3NDBaMBQwEgIBAhcNMDYwMjE1MTA0NTA1WjAN
BgkqhkiG9w0BAQQFAAOBgQBpPlWKIKBX0jZ58DS7c2UeHKlANY3E5rl3/SsfqCYM
evswZ39qE3RYueKI563F0mJIax72EA1FzBHLa0go4nit8M/91ld48qoZi7xieZuQ
9xi6ltx7pbTVvw/oXnGJSziM+HUX3bp08QHgSNDk9N3qRzKLcF4dmkqIQbq/sjnO
Mg==
-----END X509 CRL-----
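Added example, not part of the original page: a stdlib-only Python check of the kind a secure application performs against a deployed CRL. It decodes the PEM CRL shown above with a minimal DER walker, recovers thisUpdate, nextUpdate and the revoked serials with their revocation dates, and refuses to rely on the list once nextUpdate has passed. The names der_tlv, der_children, der_time, parse_crl and check_certificate are my own; the CRL bytes are exactly those printed above.

```python
import base64
import re
from datetime import datetime, timezone
CRL_PEM = """-----BEGIN X509 CRL-----
MIIBHTCBhzANBgkqhkiG9w0BAQQFADBCMQswCQYDVQQGEwJJRTEPMA0GA1UECBMG
RHVibGluMQ0wCwYDVQQKEwRJT05BMRMwEQYDVQQDFApDQV9mb3JfQ1JMFw0wNjAy
MTUxMDQ3NDBaFw0wNjAzMTUxMDQ3NDBaMBQwEgIBAhcNMDYwMjE1MTA0NTA1WjAN
BgkqhkiG9w0BAQQFAAOBgQBpPlWKIKBX0jZ58DS7c2UeHKlANY3E5rl3/SsfqCYM
evswZ39qE3RYueKI563F0mJIax72EA1FzBHLa0go4nit8M/91ld48qoZi7xieZuQ
9xi6ltx7pbTVvw/oXnGJSziM+HUX3bp08QHgSNDk9N3qRzKLcF4dmkqIQbq/sjnO
Mg==
-----END X509 CRL-----"""   # the CRL printed by "openssl crl -in crl/crl.pem -text" above

def der_tlv(buf, pos):   # decode one DER tag-length-value at buf[pos] -> (tag, value, next_pos)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long form: low 7 bits = count of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_children(value, pos=0):   # yield the (tag, value) elements inside a SEQUENCE's content
    while pos < len(value):
        tag, val, pos = der_tlv(value, pos)
        yield tag, val

def der_time(tag, value):   # UTCTime (0x17, years 1950-2049) or GeneralizedTime (0x18) -> aware datetime
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(value.decode(), fmt).replace(tzinfo=timezone.utc)

def parse_crl(pem):   # -> (thisUpdate, nextUpdate or None, {serial: revocationDate})
    body = re.search(r"-----BEGIN X509 CRL-----(.*?)-----END X509 CRL-----", pem, re.S).group(1)
    _, cert_list, _ = der_tlv(base64.b64decode("".join(body.split())), 0)  # CertificateList
    fields = list(der_children(next(der_children(cert_list))[1]))          # tbsCertList members
    fields = fields[fields[0][0] == 0x02:]              # skip optional version INTEGER (absent in v1)
    this_update, rest, next_update = der_time(*fields[2]), fields[3:], None  # [0] sigalg, [1] issuer
    if rest and rest[0][0] in (0x17, 0x18):            # nextUpdate is OPTIONAL
        next_update, rest = der_time(*rest[0]), rest[1:]
    revoked = {}
    if rest and rest[0][0] == 0x30:                     # revokedCertificates SEQUENCE OF SEQUENCE
        for _, entry in der_children(rest[0][1]):
            (_, serial), (ttag, tval) = list(der_children(entry))[:2]
            revoked[int.from_bytes(serial, "big", signed=True)] = der_time(ttag, tval)
    return this_update, next_update, revoked

def check_certificate(pem, serial, now=None):   # 'revoked' | 'good' | 'crl-stale'
    _, next_update, revoked = parse_crl(pem)
    if next_update and (now or datetime.now(timezone.utc)) > next_update:
        return "crl-stale"                              # past nextUpdate: fetch a fresh CRL first
    return "revoked" if serial in revoked else "good"
```

Verifying the CRL's signature against the CA certificate is left to the TLS library that consumes the file; this block only shows the structure the application consults, and why a CRL whose Next Update has passed must be refreshed rather than trusted.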