In X.509 certificates, the cRLDistributionPoints extension provides a mechanism by which a certificate verifier can retrieve the CRL (Certificate Revocation List), which it can then use to check whether a given certificate has been revoked.
A cRLDistributionPoints extension can contain one or more DistributionPoints from which the CRL can be retrieved. Each DistributionPoint consists of three fields, each of which is optional:
- distributionPoint: it contains either a SEQUENCE of general names or a single value. A distributionPoint can contain one or more general names, which indicate where the CRL is stored
- reasons:
- cRLIssuer: it identifies the entity that signs and issues the CRL
In this article we only cover the case where just distributionPoint is set. OpenSSL is used here to demonstrate how to generate a certificate carrying the cRLDistributionPoints extension. Before that, we first need to generate the ordinary keys and certificates that will be used later.
# create the CA private key
openssl genrsa -des3 -out ca.key 2048
# create a certificate signing request for the CA private key
openssl req -new -key ca.key -out ca.csr
# generate the self-signed CA certificate
openssl x509 -req -days 365 -in ca.csr -signkey ca.key -out ca.crt -extensions v3_req
# create the leaf private key
openssl genrsa -des3 -out leaf.key 2048
# create a certificate signing request for the leaf private key
openssl req -new -key leaf.key -out leaf.csr
Here ca.key and ca.crt will be used to sign leaf.csr, the certificate signing request for the leaf certificate.
Multiple distributionPoints
First, let's show how to generate a certificate with multiple distributionPoints in its cRLDistributionPoints extension. We need to create an extension configuration file containing the distributionPoints we want to set. For example:
crlDistributionPoints=@crl_section
[crl_section]
URI.1 = ldap://www.example.com/ldap?DN=TEST
URI.2 = http://www.example.com/crl/test.crl
Next, save it as ext.cnf and run the following command:
# sign leaf.csr with ca.crt
openssl x509 -req -in leaf.csr -out leaf.crt -days 365 -CAcreateserial -CA ca.crt -CAkey ca.key -CAserial serial -extfile ext.cnf
After that, a file named leaf.crt should have been created. Now print the contents of leaf.crt:
openssl x509 -text -noout -in leaf.crt
The output will look like this:
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 8d:16:37:a4:2b:b1:dc:ca
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=SG, ST=SG, L=SG, O=CA, OU=CA, CN=CA/emailAddress=CA
        Validity
            Not Before: Oct 22 08:05:58 2015 GMT
            Not After : Oct 21 08:05:58 2016 GMT
        Subject: C=SG, ST=SG, L=SG, O=LEAF, OU=LEAF, CN=LEAF/emailAddress=LEAF
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:b3:95:12:10:03:74:28:e2:58:94:a1:b8:e8:eb:
                    4a:24:f7:26:b1:ce:97:98:38:93:43:27:b4:c8:c5:
                    2d:e6:b2:01:b4:19:01:95:ae:70:49:00:0d:a7:dc:
                    20:d0:82:1f:48:b7:c4:4b:46:de:ef:5a:05:b1:f0:
                    3c:5f:4d:2c:f6:65:0c:1b:b8:62:d7:f8:1f:55:83:
                    1e:40:46:7f:4c:de:a0:02:dc:02:31:0c:0d:5a:2c:
                    4f:d4:39:6a:23:da:23:10:e5:c5:1b:9d:3c:2f:73:
                    fa:14:50:2a:36:06:59:37:95:62:73:27:94:dd:f8:
                    02:dd:12:63:f0:41:34:15:3f:8a:95:36:b0:b9:d0:
                    cb:a0:16:dc:a9:44:4e:5e:b9:20:fb:b0:e6:35:01:
                    29:7f:df:c7:e9:1e:23:b9:2c:c4:15:ce:b6:17:7f:
                    0d:3f:4c:b0:48:dd:cf:c2:76:88:bc:a2:49:d7:34:
                    57:ba:5a:98:56:f8:b6:f2:6d:24:03:b1:62:ef:e4:
                    50:ba:af:dc:dd:7c:0d:99:7c:4d:f0:23:f9:60:9b:
                    f1:b0:03:02:97:6a:5b:f2:cb:45:8a:74:21:36:fe:
                    b0:ae:50:8a:37:b2:1b:ed:02:ee:8d:f9:89:d4:e7:
                    93:26:c1:40:76:5d:b5:f5:ee:a9:f6:7d:1e:8f:09:
                    18:85
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 CRL Distribution Points:
                Full Name:
                  URI:ldap://www.example.com/ldap?DN=TEST
                Full Name:
                  URI:http://www.example.com/crl/test.crl
    Signature Algorithm: sha256WithRSAEncryption
         6e:93:19:8c:12:ac:3f:0c:e8:fa:52:2f:64:66:cc:9b:dc:f0:
         52:45:ab:ec:23:8a:45:20:df:ed:2d:e0:07:a2:43:46:c1:77:
         da:7f:8a:9c:a0:dc:91:d2:bf:f3:90:5c:5f:0b:4c:1f:8c:59:
         42:78:fa:47:72:68:c3:00:e8:d4:98:b0:da:08:bf:ee:c8:54:
         07:dd:87:ae:5a:75:2d:86:46:e5:78:44:76:63:50:20:16:f8:
         5e:8d:8b:71:64:09:3c:96:44:35:a4:3c:50:1e:44:d9:34:3a:
         0a:d6:24:15:b4:27:0e:20:51:5c:61:25:f4:a0:88:b5:dc:32:
         38:af:84:6a:c9:e3:84:75:64:a5:a1:f6:cc:83:15:9f:02:b6:
         c8:19:d8:dd:64:24:cc:04:08:32:e2:f8:ec:75:4f:c2:23:31:
         4b:c6:f7:8b:ca:ff:d2:98:a1:ed:22:78:0f:fa:57:10:19:3e:
         61:36:96:2f:b3:32:72:a7:2d:cb:a4:5f:30:05:42:28:6c:a3:
         e4:ce:58:58:b7:99:90:95:3c:26:59:58:ab:27:8c:09:eb:81:
         68:14:f7:07:60:b9:9d:fe:81:ba:18:da:31:51:36:53:7b:7f:
         ce:45:c7:a6:88:9c:bb:9d:95:06:a9:a9:6c:c4:6e:a2:58:a6:
         f4:3c:c2:75
Note the following part of the certificate:
X509v3 extensions:
    X509v3 CRL Distribution Points:
        Full Name:
          URI:ldap://www.example.com/ldap?DN=TEST
        Full Name:
          URI:http://www.example.com/crl/test.crl
This shows that there are two distributionPoints.
One distributionPoint with multiple general names
Next, we show how to generate a certificate with a single distributionPoint that carries multiple general names. Again, an extension configuration file is needed:
crlDistributionPoints=crl_section
[crl_section]
fullname = @url_section
[url_section]
URI.1=ldap://www.example.com/ldap?DN=TEST
URI.2=http://www.example.com/crl/test.crl
Save it as ext.cnf and run the same command as above:
# sign leaf.csr with ca.crt
openssl x509 -req -in leaf.csr -out leaf.crt -days 365 -CAcreateserial -CA ca.crt -CAkey ca.key -CAserial serial -extfile ext.cnf
Now display the contents of leaf.crt again:
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 8d:16:37:a4:2b:b1:dc:cb
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=SG, ST=SG, L=SG, O=CA, OU=CA, CN=CA/emailAddress=CA
        Validity
            Not Before: Oct 22 08:15:32 2015 GMT
            Not After : Oct 21 08:15:32 2016 GMT
        Subject: C=SG, ST=SG, L=SG, O=LEAF, OU=LEAF, CN=LEAF/emailAddress=LEAF
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:b3:95:12:10:03:74:28:e2:58:94:a1:b8:e8:eb:
                    4a:24:f7:26:b1:ce:97:98:38:93:43:27:b4:c8:c5:
                    2d:e6:b2:01:b4:19:01:95:ae:70:49:00:0d:a7:dc:
                    20:d0:82:1f:48:b7:c4:4b:46:de:ef:5a:05:b1:f0:
                    3c:5f:4d:2c:f6:65:0c:1b:b8:62:d7:f8:1f:55:83:
                    1e:40:46:7f:4c:de:a0:02:dc:02:31:0c:0d:5a:2c:
                    4f:d4:39:6a:23:da:23:10:e5:c5:1b:9d:3c:2f:73:
                    fa:14:50:2a:36:06:59:37:95:62:73:27:94:dd:f8:
                    02:dd:12:63:f0:41:34:15:3f:8a:95:36:b0:b9:d0:
                    cb:a0:16:dc:a9:44:4e:5e:b9:20:fb:b0:e6:35:01:
                    29:7f:df:c7:e9:1e:23:b9:2c:c4:15:ce:b6:17:7f:
                    0d:3f:4c:b0:48:dd:cf:c2:76:88:bc:a2:49:d7:34:
                    57:ba:5a:98:56:f8:b6:f2:6d:24:03:b1:62:ef:e4:
                    50:ba:af:dc:dd:7c:0d:99:7c:4d:f0:23:f9:60:9b:
                    f1:b0:03:02:97:6a:5b:f2:cb:45:8a:74:21:36:fe:
                    b0:ae:50:8a:37:b2:1b:ed:02:ee:8d:f9:89:d4:e7:
                    93:26:c1:40:76:5d:b5:f5:ee:a9:f6:7d:1e:8f:09:
                    18:85
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 CRL Distribution Points:
                Full Name:
                  URI:ldap://www.example.com/ldap?DN=TEST
                  URI:http://www.example.com/crl/test.crl
    Signature Algorithm: sha256WithRSAEncryption
         2b:29:84:8a:14:cd:de:11:ee:cf:30:f8:3e:e2:a6:52:08:a2:
         44:4a:fa:0e:23:cd:9d:37:64:ea:76:40:bf:15:8b:67:5a:8e:
         74:f0:62:9d:71:c1:0e:ed:12:97:ea:5d:29:80:ec:fc:52:cd:
         88:49:dc:c0:e5:1b:16:48:ca:67:92:74:c5:31:80:79:a2:39:
         13:26:fd:37:ad:78:af:aa:ea:13:51:c6:a6:51:3d:df:9b:c8:
         b3:01:bf:d3:e2:60:ac:88:76:01:fa:75:39:6e:b3:a7:89:e3:
         a1:c6:ad:87:e8:f2:a9:99:d5:48:5e:74:f7:b6:0f:b1:42:62:
         ff:72:3c:78:f5:92:e8:0c:b5:af:4e:90:a7:43:7b:01:7b:f3:
         fa:34:a1:01:4d:67:96:63:76:11:64:cd:ad:bc:f8:00:74:07:
         cc:8e:2e:a0:9c:78:6c:2a:00:b8:a5:ae:c3:9e:c8:63:e5:84:
         5a:60:74:3e:4b:dd:cf:5e:60:f4:60:73:58:1f:04:fe:d0:4d:
         ba:f8:2e:a3:d8:c6:f7:a9:d9:58:51:f7:e1:4b:6c:f5:11:28:
         d2:61:45:b6:a6:ba:00:51:55:70:94:32:be:ea:a0:e2:34:72:
         ec:d1:d0:27:7a:90:17:4b:b1:be:03:08:40:9f:2b:f0:f4:6b:
         ee:bf:6a:9d
This time the cRLDistributionPoints extension looks like this:
X509v3 extensions:
    X509v3 CRL Distribution Points:
        Full Name:
          URI:ldap://www.example.com/ldap?DN=TEST
          URI:http://www.example.com/crl/test.crl
This shows that there is only one distributionPoint, but it has two general names pointing at the same CRL resource.
Furthermore, you can combine the two steps above to create a certificate with multiple distributionPoints, each carrying multiple general names.
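To see how the two layouts differ on the wire, here is an added example (not code from the original post) that decodes the DER of a CRLDistributionPoints value, i.e. the contents of the extension's extnValue OCTET STRING, into one list of URIs per DistributionPoint. The two sample encodings are constructed by hand to mirror the two ext.cnf files above; only the distributionPoint/fullName/URI form covered in the post is decoded, and the reasons and cRLIssuer fields are skipped.

```python
from typing import List, Tuple

def tlv(tag: int, body: bytes) -> bytes:
    """Encode one DER TLV (short-form length; every constructed sample here is < 128 bytes)."""
    assert len(body) < 128
    return bytes([tag, len(body)]) + body

def walk(buf: bytes) -> List[Tuple[int, bytes]]:
    """Split a DER buffer into (tag, value) pairs, handling short- and long-form lengths."""
    out, i = [], 0
    while i < len(buf):
        tag, n = buf[i], buf[i + 1]
        i += 2
        if n & 0x80:                      # long form: low 7 bits give the number of length bytes
            k = n & 0x7F
            n = int.from_bytes(buf[i:i + k], "big")
            i += k
        out.append((tag, buf[i:i + n]))
        i += n
    return out

def parse_crl_dps(ext_value: bytes) -> List[List[str]]:
    """Return one list of URIs per DistributionPoint from a DER CRLDistributionPoints value."""
    (tag, body), = walk(ext_value)        # CRLDistributionPoints ::= SEQUENCE OF DistributionPoint
    assert tag == 0x30
    dps = []
    for dtag, dp in walk(body):
        assert dtag == 0x30               # DistributionPoint ::= SEQUENCE { three OPTIONAL fields }
        names = []
        for ftag, fval in walk(dp):
            if ftag == 0xA0:              # [0] distributionPoint, EXPLICIT tag around the CHOICE
                for ctag, cval in walk(fval):
                    if ctag == 0xA0:      # [0] fullName: GeneralNames ([1] would be relativename)
                        names += [v.decode("ascii") for t, v in walk(cval) if t == 0x86]  # [6] URI
            # 0xA1 (reasons) and 0xA2 (cRLIssuer) are not set in the post's certificates
        dps.append(names)
    return dps

URI_LDAP = b"ldap://www.example.com/ldap?DN=TEST"
URI_HTTP = b"http://www.example.com/crl/test.crl"
def dp_with(*uris: bytes) -> bytes:
    """One DistributionPoint whose distributionPoint.fullName carries the given URIs."""
    return tlv(0x30, tlv(0xA0, tlv(0xA0, b"".join(tlv(0x86, u) for u in uris))))

# Constructed samples mirroring the two ext.cnf files above (not bytes taken from leaf.crt)
TWO_DPS = tlv(0x30, dp_with(URI_LDAP) + dp_with(URI_HTTP))   # first ext.cnf: two DPs, one URI each
ONE_DP_TWO_NAMES = tlv(0x30, dp_with(URI_LDAP, URI_HTTP))    # second ext.cnf: one DP, two URIs

if __name__ == "__main__":
    for label, der in (("two DPs", TWO_DPS), ("one DP", ONE_DP_TWO_NAMES)):
        print(label, parse_crl_dps(der))
```

A verifier that treats each DistributionPoint as a unit will try one URI from the first layout, then the other, whereas in the second layout both URIs are alternatives for the same CRL within a single DistributionPoint.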
In a future article we will describe how to generate certificates with the reasons and cRLIssuer fields set in the cRLDistributionPoints extension.