In an X.509 certificate, the cRLDistributionPoints extension tells the certificate validator where to retrieve a CRL (Certificate Revocation List), which it can then use to check whether the certificate has been revoked.
A cRLDistributionPoints extension can contain one or more DistributionPoints from which the CRL can be retrieved. Each DistributionPoint consists of three fields, each of which is optional:
- distributionPoint : contains either a SEQUENCE of general names (fullName) or a single name relative to the CRL issuer. One distributionPoint can contain one or more general names, each indicating where the CRL is stored
- reasons :
- cRLIssuer : identifies the entity that signs and issues the CRL
In this post, we will cover only the case where just the distributionPoint field is set. OpenSSL is used here to demonstrate how to generate a certificate with the cRLDistributionPoints extension. Before that, we first need to generate the normal keys and certificates that will be used later.
#Create private key
openssl genrsa -des3 -out ca.key 2048
#Create cert signing request for the private key
openssl req -new -key ca.key -out ca.csr
#Generate self signed cert
openssl x509 -req -days 365 -in ca.csr -signkey ca.key -out ca.crt -extensions v3_req
#Create leaf private key
openssl genrsa -des3 -out leaf.key 2048
#Create cert signing request for the private key
openssl req -new -key leaf.key -out leaf.csr
Here ca.key and ca.crt will be used to sign leaf.csr, the certificate signing request for the leaf key.
Multiple distributionPoints
First, let's show how to generate a certificate with multiple distributionPoints in the cRLDistributionPoints extension. We need to create an extension config file which contains the distributionPoints we want to set. For example:
crlDistributionPoints=@crl_section

[crl_section]
URI.1 = ldap://www.example.com/ldap?DN=TEST
URI.2 = http://www.example.com/crl/test.crl
Next, save this as ext.cnf and run the following command:
#Sign the leaf.csr using ca.crt
openssl x509 -req -in leaf.csr -out leaf.crt -days 365 -CAcreateserial -CA ca.crt -CAkey ca.key -CAserial serial -extfile ext.cnf
After this, a file named leaf.crt should be created. Now print the contents of leaf.crt:
openssl x509 -text -noout -in leaf.crt
The output will look like:
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 8d:16:37:a4:2b:b1:dc:ca
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=SG, ST=SG, L=SG, O=CA, OU=CA, CN=CA/emailAddress=CA
        Validity
            Not Before: Oct 22 08:05:58 2015 GMT
            Not After : Oct 21 08:05:58 2016 GMT
        Subject: C=SG, ST=SG, L=SG, O=LEAF, OU=LEAF, CN=LEAF/emailAddress=LEAF
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:b3:95:12:10:03:74:28:e2:58:94:a1:b8:e8:eb:
                    4a:24:f7:26:b1:ce:97:98:38:93:43:27:b4:c8:c5:
                    2d:e6:b2:01:b4:19:01:95:ae:70:49:00:0d:a7:dc:
                    20:d0:82:1f:48:b7:c4:4b:46:de:ef:5a:05:b1:f0:
                    3c:5f:4d:2c:f6:65:0c:1b:b8:62:d7:f8:1f:55:83:
                    1e:40:46:7f:4c:de:a0:02:dc:02:31:0c:0d:5a:2c:
                    4f:d4:39:6a:23:da:23:10:e5:c5:1b:9d:3c:2f:73:
                    fa:14:50:2a:36:06:59:37:95:62:73:27:94:dd:f8:
                    02:dd:12:63:f0:41:34:15:3f:8a:95:36:b0:b9:d0:
                    cb:a0:16:dc:a9:44:4e:5e:b9:20:fb:b0:e6:35:01:
                    29:7f:df:c7:e9:1e:23:b9:2c:c4:15:ce:b6:17:7f:
                    0d:3f:4c:b0:48:dd:cf:c2:76:88:bc:a2:49:d7:34:
                    57:ba:5a:98:56:f8:b6:f2:6d:24:03:b1:62:ef:e4:
                    50:ba:af:dc:dd:7c:0d:99:7c:4d:f0:23:f9:60:9b:
                    f1:b0:03:02:97:6a:5b:f2:cb:45:8a:74:21:36:fe:
                    b0:ae:50:8a:37:b2:1b:ed:02:ee:8d:f9:89:d4:e7:
                    93:26:c1:40:76:5d:b5:f5:ee:a9:f6:7d:1e:8f:09:
                    18:85
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 CRL Distribution Points:

                Full Name:
                  URI:ldap://www.example.com/ldap?DN=TEST

                Full Name:
                  URI:http://www.example.com/crl/test.crl

    Signature Algorithm: sha256WithRSAEncryption
         6e:93:19:8c:12:ac:3f:0c:e8:fa:52:2f:64:66:cc:9b:dc:f0:
         52:45:ab:ec:23:8a:45:20:df:ed:2d:e0:07:a2:43:46:c1:77:
         da:7f:8a:9c:a0:dc:91:d2:bf:f3:90:5c:5f:0b:4c:1f:8c:59:
         42:78:fa:47:72:68:c3:00:e8:d4:98:b0:da:08:bf:ee:c8:54:
         07:dd:87:ae:5a:75:2d:86:46:e5:78:44:76:63:50:20:16:f8:
         5e:8d:8b:71:64:09:3c:96:44:35:a4:3c:50:1e:44:d9:34:3a:
         0a:d6:24:15:b4:27:0e:20:51:5c:61:25:f4:a0:88:b5:dc:32:
         38:af:84:6a:c9:e3:84:75:64:a5:a1:f6:cc:83:15:9f:02:b6:
         c8:19:d8:dd:64:24:cc:04:08:32:e2:f8:ec:75:4f:c2:23:31:
         4b:c6:f7:8b:ca:ff:d2:98:a1:ed:22:78:0f:fa:57:10:19:3e:
         61:36:96:2f:b3:32:72:a7:2d:cb:a4:5f:30:05:42:28:6c:a3:
         e4:ce:58:58:b7:99:90:95:3c:26:59:58:ab:27:8c:09:eb:81:
         68:14:f7:07:60:b9:9d:fe:81:ba:18:da:31:51:36:53:7b:7f:
         ce:45:c7:a6:88:9c:bb:9d:95:06:a9:a9:6c:c4:6e:a2:58:a6:
         f4:3c:c2:75
Note the following section in the certificate:
X509v3 extensions:
X509v3 CRL Distribution Points:
Full Name:
URI:ldap://www.example.com/ldap?DN=TEST
Full Name:
URI:http://www.example.com/crl/test.crl
This indicates there are two distributionPoints.
One distributionPoint with multiple general names
Next, we will show how to generate a certificate with one distributionPoint that carries multiple general names. Again, an extension config file is needed:
crlDistributionPoints=crl_section

[crl_section]
fullname = @url_section

[url_section]
URI.1=ldap://www.example.com/ldap?DN=TEST
URI.2=http://www.example.com/crl/test.crl
Save it as ext.cnf and run the same command as above.
#Sign the leaf.csr using ca.crt
openssl x509 -req -in leaf.csr -out leaf.crt -days 365 -CAcreateserial -CA ca.crt -CAkey ca.key -CAserial serial -extfile ext.cnf
Now display the contents of leaf.crt:
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 8d:16:37:a4:2b:b1:dc:cb
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=SG, ST=SG, L=SG, O=CA, OU=CA, CN=CA/emailAddress=CA
        Validity
            Not Before: Oct 22 08:15:32 2015 GMT
            Not After : Oct 21 08:15:32 2016 GMT
        Subject: C=SG, ST=SG, L=SG, O=LEAF, OU=LEAF, CN=LEAF/emailAddress=LEAF
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:b3:95:12:10:03:74:28:e2:58:94:a1:b8:e8:eb:
                    4a:24:f7:26:b1:ce:97:98:38:93:43:27:b4:c8:c5:
                    2d:e6:b2:01:b4:19:01:95:ae:70:49:00:0d:a7:dc:
                    20:d0:82:1f:48:b7:c4:4b:46:de:ef:5a:05:b1:f0:
                    3c:5f:4d:2c:f6:65:0c:1b:b8:62:d7:f8:1f:55:83:
                    1e:40:46:7f:4c:de:a0:02:dc:02:31:0c:0d:5a:2c:
                    4f:d4:39:6a:23:da:23:10:e5:c5:1b:9d:3c:2f:73:
                    fa:14:50:2a:36:06:59:37:95:62:73:27:94:dd:f8:
                    02:dd:12:63:f0:41:34:15:3f:8a:95:36:b0:b9:d0:
                    cb:a0:16:dc:a9:44:4e:5e:b9:20:fb:b0:e6:35:01:
                    29:7f:df:c7:e9:1e:23:b9:2c:c4:15:ce:b6:17:7f:
                    0d:3f:4c:b0:48:dd:cf:c2:76:88:bc:a2:49:d7:34:
                    57:ba:5a:98:56:f8:b6:f2:6d:24:03:b1:62:ef:e4:
                    50:ba:af:dc:dd:7c:0d:99:7c:4d:f0:23:f9:60:9b:
                    f1:b0:03:02:97:6a:5b:f2:cb:45:8a:74:21:36:fe:
                    b0:ae:50:8a:37:b2:1b:ed:02:ee:8d:f9:89:d4:e7:
                    93:26:c1:40:76:5d:b5:f5:ee:a9:f6:7d:1e:8f:09:
                    18:85
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 CRL Distribution Points:

                Full Name:
                  URI:ldap://www.example.com/ldap?DN=TEST
                  URI:http://www.example.com/crl/test.crl

    Signature Algorithm: sha256WithRSAEncryption
         2b:29:84:8a:14:cd:de:11:ee:cf:30:f8:3e:e2:a6:52:08:a2:
         44:4a:fa:0e:23:cd:9d:37:64:ea:76:40:bf:15:8b:67:5a:8e:
         74:f0:62:9d:71:c1:0e:ed:12:97:ea:5d:29:80:ec:fc:52:cd:
         88:49:dc:c0:e5:1b:16:48:ca:67:92:74:c5:31:80:79:a2:39:
         13:26:fd:37:ad:78:af:aa:ea:13:51:c6:a6:51:3d:df:9b:c8:
         b3:01:bf:d3:e2:60:ac:88:76:01:fa:75:39:6e:b3:a7:89:e3:
         a1:c6:ad:87:e8:f2:a9:99:d5:48:5e:74:f7:b6:0f:b1:42:62:
         ff:72:3c:78:f5:92:e8:0c:b5:af:4e:90:a7:43:7b:01:7b:f3:
         fa:34:a1:01:4d:67:96:63:76:11:64:cd:ad:bc:f8:00:74:07:
         cc:8e:2e:a0:9c:78:6c:2a:00:b8:a5:ae:c3:9e:c8:63:e5:84:
         5a:60:74:3e:4b:dd:cf:5e:60:f4:60:73:58:1f:04:fe:d0:4d:
         ba:f8:2e:a3:d8:c6:f7:a9:d9:58:51:f7:e1:4b:6c:f5:11:28:
         d2:61:45:b6:a6:ba:00:51:55:70:94:32:be:ea:a0:e2:34:72:
         ec:d1:d0:27:7a:90:17:4b:b1:be:03:08:40:9f:2b:f0:f4:6b:
         ee:bf:6a:9d
This time you will see the cRLDistributionPoints extension:
X509v3 extensions:
X509v3 CRL Distribution Points:
Full Name:
URI:ldap://www.example.com/ldap?DN=TEST
URI:http://www.example.com/crl/test.crl
This indicates there is only one distributionPoint, but with two general names which point to the same CRL resource.
You can also combine the above two steps to create a certificate with multiple distributionPoints, each carrying multiple general names.
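As an added example (not code from the original post), here is a small stdlib-only Python encoder and decoder for the CRLDistributionPoints extension value, covering the two shapes shown above: it makes the structural difference between two DistributionPoints and one DistributionPoint carrying two general names visible without OpenSSL. It handles only the distributionPoint/fullName/URI case, as the post does; the tag numbers follow RFC 5280, and the sample URIs are the ones from the post's ext.cnf files.

```python
def _tlv(tag, body):
    """One DER TLV; uses long-form length when body is 128 bytes or more."""
    n = len(body)
    if n < 128:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def _read_tlv(buf, i):
    """Return (tag, value, next_index) for the TLV starting at buf[i]."""
    tag, length, i = buf[i], buf[i + 1], i + 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length, i = int.from_bytes(buf[i:i + n], "big"), i + n
    return tag, buf[i:i + length], i + length

def _children(body):
    """Split a constructed value's content into its (tag, value) elements."""
    out, i = [], 0
    while i < len(body):
        tag, val, i = _read_tlv(body, i)
        out.append((tag, val))
    return out

def encode_crl_dps(points):
    """points: one list of URI strings per DistributionPoint.
    DistributionPoint ::= SEQUENCE { distributionPoint [0] EXPLICIT
        DistributionPointName { fullName [0] IMPLICIT GeneralNames } }
    GeneralName uniformResourceIdentifier is context tag [6] (0x86)."""
    dps = b""
    for uris in points:
        names = b"".join(_tlv(0x86, u.encode("ascii")) for u in uris)
        dps += _tlv(0x30, _tlv(0xA0, _tlv(0xA0, names)))
    return _tlv(0x30, dps)                              # SEQUENCE OF DistributionPoint

def decode_crl_dps(der):
    """Inverse of encode_crl_dps; reasons [1] and cRLIssuer [2] are skipped."""
    tag, body, _ = _read_tlv(der, 0)
    assert tag == 0x30, "CRLDistributionPoints must be a SEQUENCE"
    result = []
    for tag, dp_body in _children(body):
        assert tag == 0x30, "DistributionPoint must be a SEQUENCE"
        uris = []
        for ctag, cval in _children(dp_body):
            if ctag == 0xA0:                            # distributionPoint [0]
                (ntag, nval), = _children(cval)         # the DistributionPointName CHOICE
                if ntag == 0xA0:                        # fullName [0] GeneralNames
                    uris = [v.decode("ascii") for t, v in _children(nval) if t == 0x86]
        result.append(uris)
    return result

# Constructed sample values: the two URIs used in the post's ext.cnf files.
URIS = ["ldap://www.example.com/ldap?DN=TEST", "http://www.example.com/crl/test.crl"]
TWO_POINTS = encode_crl_dps([[URIS[0]], [URIS[1]]])    # shape of the first ext.cnf
ONE_POINT = encode_crl_dps([URIS])                     # shape of the second ext.cnf
```

A validator that only looks at the first DistributionPoint sees both URIs in the second shape but only the ldap URI in the first, so a CRL checker should walk every DistributionPoint and every name, as decode_crl_dps returns them.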
In a future post, we will cover how to generate a certificate with the reasons and cRLIssuer fields set in the cRLDistributionPoints extension.