Today's Question:  What's your opinion about Alibaba mooncake incident?        GIVE A SHOUT

Technical Article => Security =>  Server Security

Generate certificate with cRLDistributionPoints extension using OpenSSL

  Pi Ke      2015-10-22 03:41:11      5,952    0    0

In an X509 certificate, the cRLDistributionPoints extension provides a mechanism for the certificate validator to retrieve a CRL(Certificate Revocation List) which can be used to verify whether the given certificate is revoked.  

A cRLDistributionPoints extension can contain one or more DistributionPoints where the CRL can be retrieved from. Each DistributionPoint consists of three fields,each of which is optional:

  • distributionPoint : it contains either a SEQUENCE of general names or a single value. One distributionPoint can contain one or more general names which show where the CRL is stored
  • reasons,: 
  • cRLIssuer : It identifies the entity who signs and issues the CRL

In this post, we will cover only the case where only distributionPoint is set. OpenSSL is used here to demonstrate how to generate certificate with cRLDistributionPoints extension. But before that, we first need to generate normal keys and certificates so that they can be used later.

#Create private key
openssl genrsa -des3 -out ca.key 2048

#Create cert signing request for the private key
openssl req -new -key ca.key -out ca.csr

#Generate self signed cert
openssl x509 -req -days 365 -in ca.csr -signkey ca.key -out ca.crt -extensions v3_req

#Create leaf private key
openssl genrsa -des3 -out leaf.key 2048

#Create cert signing request for the private key
openssl req -new -key leaf.key -out leaf.csr

Here ca.key and ca.crt will be used to sign the leaf.csr. leaf.csr is the certificate signing request.

Multiple distributionPoints

First, let's show how to generate certificate with multiple distriutionPoints in the cRLDistributionPoints extension. We need to create an extension config file which contains the distributionPoints we want to set. For example :

crlDistributionPoints=@crl_section

[crl_section]
URI.1 = ldap://www.example.com/ldap?DN=TEST
URI.2 = http://www.example.com/crl/test.crl

Next save this as ext.cnf and run following command:

#Sign the leaf.csr using ca.crt
openssl x509 -req -in leaf.csr -out leaf.crt -days 365 -CAcreateserial -CA ca.crt -CAkey ca.key -CAserial serial -extfile ext.cnf

After this, a file with name leaf.crt should be created. Now we print the contents of the leaf.crt:

openssl x509 -text -noout -in leaf.crt

The output will look like:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            8d:16:37:a4:2b:b1:dc:ca
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=SG, ST=SG, L=SG, O=CA, OU=CA, CN=CA/emailAddress=CA
        Validity
            Not Before: Oct 22 08:05:58 2015 GMT
            Not After : Oct 21 08:05:58 2016 GMT
        Subject: C=SG, ST=SG, L=SG, O=LEAF, OU=LEAF, CN=LEAF/emailAddress=LEAF
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:b3:95:12:10:03:74:28:e2:58:94:a1:b8:e8:eb:
                    4a:24:f7:26:b1:ce:97:98:38:93:43:27:b4:c8:c5:
                    2d:e6:b2:01:b4:19:01:95:ae:70:49:00:0d:a7:dc:
                    20:d0:82:1f:48:b7:c4:4b:46:de:ef:5a:05:b1:f0:
                    3c:5f:4d:2c:f6:65:0c:1b:b8:62:d7:f8:1f:55:83:
                    1e:40:46:7f:4c:de:a0:02:dc:02:31:0c:0d:5a:2c:
                    4f:d4:39:6a:23:da:23:10:e5:c5:1b:9d:3c:2f:73:
                    fa:14:50:2a:36:06:59:37:95:62:73:27:94:dd:f8:
                    02:dd:12:63:f0:41:34:15:3f:8a:95:36:b0:b9:d0:
                    cb:a0:16:dc:a9:44:4e:5e:b9:20:fb:b0:e6:35:01:
                    29:7f:df:c7:e9:1e:23:b9:2c:c4:15:ce:b6:17:7f:
                    0d:3f:4c:b0:48:dd:cf:c2:76:88:bc:a2:49:d7:34:
                    57:ba:5a:98:56:f8:b6:f2:6d:24:03:b1:62:ef:e4:
                    50:ba:af:dc:dd:7c:0d:99:7c:4d:f0:23:f9:60:9b:
                    f1:b0:03:02:97:6a:5b:f2:cb:45:8a:74:21:36:fe:
                    b0:ae:50:8a:37:b2:1b:ed:02:ee:8d:f9:89:d4:e7:
                    93:26:c1:40:76:5d:b5:f5:ee:a9:f6:7d:1e:8f:09:
                    18:85
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 CRL Distribution Points: 

                Full Name:
                  URI:ldap://www.example.com/ldap?DN=TEST

                Full Name:
                  URI:http://www.example.com/crl/test.crl

    Signature Algorithm: sha256WithRSAEncryption
         6e:93:19:8c:12:ac:3f:0c:e8:fa:52:2f:64:66:cc:9b:dc:f0:
         52:45:ab:ec:23:8a:45:20:df:ed:2d:e0:07:a2:43:46:c1:77:
         da:7f:8a:9c:a0:dc:91:d2:bf:f3:90:5c:5f:0b:4c:1f:8c:59:
         42:78:fa:47:72:68:c3:00:e8:d4:98:b0:da:08:bf:ee:c8:54:
         07:dd:87:ae:5a:75:2d:86:46:e5:78:44:76:63:50:20:16:f8:
         5e:8d:8b:71:64:09:3c:96:44:35:a4:3c:50:1e:44:d9:34:3a:
         0a:d6:24:15:b4:27:0e:20:51:5c:61:25:f4:a0:88:b5:dc:32:
         38:af:84:6a:c9:e3:84:75:64:a5:a1:f6:cc:83:15:9f:02:b6:
         c8:19:d8:dd:64:24:cc:04:08:32:e2:f8:ec:75:4f:c2:23:31:
         4b:c6:f7:8b:ca:ff:d2:98:a1:ed:22:78:0f:fa:57:10:19:3e:
         61:36:96:2f:b3:32:72:a7:2d:cb:a4:5f:30:05:42:28:6c:a3:
         e4:ce:58:58:b7:99:90:95:3c:26:59:58:ab:27:8c:09:eb:81:
         68:14:f7:07:60:b9:9d:fe:81:ba:18:da:31:51:36:53:7b:7f:
         ce:45:c7:a6:88:9c:bb:9d:95:06:a9:a9:6c:c4:6e:a2:58:a6:
         f4:3c:c2:75

Note, you will see below in the certificate:

X509v3 extensions:
X509v3 CRL Distribution Points:
Full Name:
    URI:ldap://www.example.com/ldap?DN=TEST
Full Name:
    URI:http://www.example.com/crl/test.crl

This indicates there are two distributionPoints.

One distributionPoint with multiple general names

Next, we will show how to generate certificate with one distributionPoint but multiple general names. Again, an extension config file is needed.

crlDistributionPoints=crl_section

[crl_section]
fullname = @url_section

[url_section]
URI.1=ldap://www.example.com/ldap?DN=TEST
URI.2=http://www.example.com/crl/test.crl

Save it as ext.cnf and run the same command as above.

#Sign the leaf.csr using ca.crt
openssl x509 -req -in leaf.csr -out leaf.crt -days 365 -CAcreateserial -CA ca.crt -CAkey ca.key -CAserial serial -extfile ext.cnf

Now display the contents of the leaf.crt

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            8d:16:37:a4:2b:b1:dc:cb
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=SG, ST=SG, L=SG, O=CA, OU=CA, CN=CA/emailAddress=CA
        Validity
            Not Before: Oct 22 08:15:32 2015 GMT
            Not After : Oct 21 08:15:32 2016 GMT
        Subject: C=SG, ST=SG, L=SG, O=LEAF, OU=LEAF, CN=LEAF/emailAddress=LEAF
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:b3:95:12:10:03:74:28:e2:58:94:a1:b8:e8:eb:
                    4a:24:f7:26:b1:ce:97:98:38:93:43:27:b4:c8:c5:
                    2d:e6:b2:01:b4:19:01:95:ae:70:49:00:0d:a7:dc:
                    20:d0:82:1f:48:b7:c4:4b:46:de:ef:5a:05:b1:f0:
                    3c:5f:4d:2c:f6:65:0c:1b:b8:62:d7:f8:1f:55:83:
                    1e:40:46:7f:4c:de:a0:02:dc:02:31:0c:0d:5a:2c:
                    4f:d4:39:6a:23:da:23:10:e5:c5:1b:9d:3c:2f:73:
                    fa:14:50:2a:36:06:59:37:95:62:73:27:94:dd:f8:
                    02:dd:12:63:f0:41:34:15:3f:8a:95:36:b0:b9:d0:
                    cb:a0:16:dc:a9:44:4e:5e:b9:20:fb:b0:e6:35:01:
                    29:7f:df:c7:e9:1e:23:b9:2c:c4:15:ce:b6:17:7f:
                    0d:3f:4c:b0:48:dd:cf:c2:76:88:bc:a2:49:d7:34:
                    57:ba:5a:98:56:f8:b6:f2:6d:24:03:b1:62:ef:e4:
                    50:ba:af:dc:dd:7c:0d:99:7c:4d:f0:23:f9:60:9b:
                    f1:b0:03:02:97:6a:5b:f2:cb:45:8a:74:21:36:fe:
                    b0:ae:50:8a:37:b2:1b:ed:02:ee:8d:f9:89:d4:e7:
                    93:26:c1:40:76:5d:b5:f5:ee:a9:f6:7d:1e:8f:09:
                    18:85
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 CRL Distribution Points: 

                Full Name:
                  URI:ldap://www.example.com/ldap?DN=TEST
                  URI:http://www.example.com/crl/test.crl

    Signature Algorithm: sha256WithRSAEncryption
         2b:29:84:8a:14:cd:de:11:ee:cf:30:f8:3e:e2:a6:52:08:a2:
         44:4a:fa:0e:23:cd:9d:37:64:ea:76:40:bf:15:8b:67:5a:8e:
         74:f0:62:9d:71:c1:0e:ed:12:97:ea:5d:29:80:ec:fc:52:cd:
         88:49:dc:c0:e5:1b:16:48:ca:67:92:74:c5:31:80:79:a2:39:
         13:26:fd:37:ad:78:af:aa:ea:13:51:c6:a6:51:3d:df:9b:c8:
         b3:01:bf:d3:e2:60:ac:88:76:01:fa:75:39:6e:b3:a7:89:e3:
         a1:c6:ad:87:e8:f2:a9:99:d5:48:5e:74:f7:b6:0f:b1:42:62:
         ff:72:3c:78:f5:92:e8:0c:b5:af:4e:90:a7:43:7b:01:7b:f3:
         fa:34:a1:01:4d:67:96:63:76:11:64:cd:ad:bc:f8:00:74:07:
         cc:8e:2e:a0:9c:78:6c:2a:00:b8:a5:ae:c3:9e:c8:63:e5:84:
         5a:60:74:3e:4b:dd:cf:5e:60:f4:60:73:58:1f:04:fe:d0:4d:
         ba:f8:2e:a3:d8:c6:f7:a9:d9:58:51:f7:e1:4b:6c:f5:11:28:
         d2:61:45:b6:a6:ba:00:51:55:70:94:32:be:ea:a0:e2:34:72:
         ec:d1:d0:27:7a:90:17:4b:b1:be:03:08:40:9f:2b:f0:f4:6b:
         ee:bf:6a:9d

This time you will see the cRLDistributionPoints extension:

X509v3 extensions:
X509v3 CRL Distribution Points:
Full Name:
    URI:ldap://www.example.com/ldap?DN=TEST
    URI:http://www.example.com/crl/test.crl

This indicates there is only one distributionPoint but with two general names which points to the same CRL resource.

Also, you can combine above two steps to create a certificate with multiple distributionPoints and multiple general names.

In the future, we will cover how to generate certificate with reasons and cRLIssuer set in the CRLDistributionPoints extension.

EXTENSION OPENSSL CERTIFICATE X509 CRLDISTRIBUTIONPOINT

  SAVE AS PDF   MARK AS READ   MARK AS IMPORTANT

  RELATED


  0 COMMENT


No comment for this article.


  WRITE ARTICLE

Hey, you!

By sonic0002