In an X.509 certificate, the cRLDistributionPoints extension tells a certificate verifier where to retrieve the CRL (Certificate Revocation List) that can be used to check whether the certificate has been revoked.
The cRLDistributionPoints extension contains one or more DistributionPoints, each naming a place from which a CRL can be fetched. Each DistributionPoint consists of three fields, all of which are optional in the ASN.1 definition (RFC 5280 adds that a DistributionPoint must carry at least distributionPoint or cRLIssuer; it must not consist of reasons alone):
- distributionPoint: a DistributionPointName, which is either a fullName (a SEQUENCE of GeneralNames, one or more names that each tell the verifier where the CRL is stored) or a nameRelativeToCRLIssuer (a single relative distinguished name appended to the CRL issuer's name)
- reasons: a bit string (ReasonFlags) saying which revocation reasons the CRL at this distribution point covers; when absent, the CRL covers all reasons
- cRLIssuer: identifies the entity that signs and publishes the CRL, used when that entity is not the issuer of the certificate (an indirect CRL)
In this article we only cover the case where just distributionPoint is set. OpenSSL is used to demonstrate how to generate a certificate carrying the cRLDistributionPoints extension. Before that, we need a normal key pair and CA certificate to use later.
# Create the CA private key (-des3 encrypts it, so you will be prompted for a passphrase)
openssl genrsa -des3 -out ca.key 2048
# Create a certificate signing request for the CA key
openssl req -new -key ca.key -out ca.csr
# Generate the self-signed CA certificate.
# Note: -extensions only selects a section inside the file given with -extfile; with
# no -extfile it is ignored, so this CA certificate gets no extensions at all
# (in particular no basicConstraints CA:TRUE).
openssl x509 -req -days 365 -in ca.csr -signkey ca.key -out ca.crt -extensions v3_req
# Create the leaf private key
openssl genrsa -des3 -out leaf.key 2048
# Create a certificate signing request for the leaf key
openssl req -new -key leaf.key -out leaf.csr
Here ca.key and ca.crt will be used to sign leaf.csr, the leaf certificate signing request.
Multiple distributionPoints
First, let's show how to generate a certificate whose cRLDistributionPoints extension holds multiple distributionPoints. We need an extension configuration file listing the distributionPoints we want to set. For example:
crlDistributionPoints=@crl_section
[crl_section]
URI.1 = ldap://www.example.com/ldap?DN=TEST
URI.2 = http://www.example.com/crl/test.crl
Next, save it as ext.cnf and run the following command:
# Sign leaf.csr with ca.crt
openssl x509 -req -in leaf.csr -out leaf.crt -days 365 -CAcreateserial -CA ca.crt -CAkey ca.key -CAserial serial -extfile ext.cnf
Afterwards a file named leaf.crt should have been created. Now we print the contents of leaf.crt:
openssl x509 -text -noout -in leaf.crt
The output will look like this:
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 8d:16:37:a4:2b:b1:dc:ca
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=SG, ST=SG, L=SG, O=CA, OU=CA, CN=CA/emailAddress=CA
        Validity
            Not Before: Oct 22 08:05:58 2015 GMT
            Not After : Oct 21 08:05:58 2016 GMT
        Subject: C=SG, ST=SG, L=SG, O=LEAF, OU=LEAF, CN=LEAF/emailAddress=LEAF
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:b3:95:12:10:03:74:28:e2:58:94:a1:b8:e8:eb:
                    4a:24:f7:26:b1:ce:97:98:38:93:43:27:b4:c8:c5:
                    2d:e6:b2:01:b4:19:01:95:ae:70:49:00:0d:a7:dc:
                    20:d0:82:1f:48:b7:c4:4b:46:de:ef:5a:05:b1:f0:
                    3c:5f:4d:2c:f6:65:0c:1b:b8:62:d7:f8:1f:55:83:
                    1e:40:46:7f:4c:de:a0:02:dc:02:31:0c:0d:5a:2c:
                    4f:d4:39:6a:23:da:23:10:e5:c5:1b:9d:3c:2f:73:
                    fa:14:50:2a:36:06:59:37:95:62:73:27:94:dd:f8:
                    02:dd:12:63:f0:41:34:15:3f:8a:95:36:b0:b9:d0:
                    cb:a0:16:dc:a9:44:4e:5e:b9:20:fb:b0:e6:35:01:
                    29:7f:df:c7:e9:1e:23:b9:2c:c4:15:ce:b6:17:7f:
                    0d:3f:4c:b0:48:dd:cf:c2:76:88:bc:a2:49:d7:34:
                    57:ba:5a:98:56:f8:b6:f2:6d:24:03:b1:62:ef:e4:
                    50:ba:af:dc:dd:7c:0d:99:7c:4d:f0:23:f9:60:9b:
                    f1:b0:03:02:97:6a:5b:f2:cb:45:8a:74:21:36:fe:
                    b0:ae:50:8a:37:b2:1b:ed:02:ee:8d:f9:89:d4:e7:
                    93:26:c1:40:76:5d:b5:f5:ee:a9:f6:7d:1e:8f:09:
                    18:85
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 CRL Distribution Points:

                Full Name:
                  URI:ldap://www.example.com/ldap?DN=TEST

                Full Name:
                  URI:http://www.example.com/crl/test.crl

    Signature Algorithm: sha256WithRSAEncryption
         6e:93:19:8c:12:ac:3f:0c:e8:fa:52:2f:64:66:cc:9b:dc:f0:
         52:45:ab:ec:23:8a:45:20:df:ed:2d:e0:07:a2:43:46:c1:77:
         da:7f:8a:9c:a0:dc:91:d2:bf:f3:90:5c:5f:0b:4c:1f:8c:59:
         42:78:fa:47:72:68:c3:00:e8:d4:98:b0:da:08:bf:ee:c8:54:
         07:dd:87:ae:5a:75:2d:86:46:e5:78:44:76:63:50:20:16:f8:
         5e:8d:8b:71:64:09:3c:96:44:35:a4:3c:50:1e:44:d9:34:3a:
         0a:d6:24:15:b4:27:0e:20:51:5c:61:25:f4:a0:88:b5:dc:32:
         38:af:84:6a:c9:e3:84:75:64:a5:a1:f6:cc:83:15:9f:02:b6:
         c8:19:d8:dd:64:24:cc:04:08:32:e2:f8:ec:75:4f:c2:23:31:
         4b:c6:f7:8b:ca:ff:d2:98:a1:ed:22:78:0f:fa:57:10:19:3e:
         61:36:96:2f:b3:32:72:a7:2d:cb:a4:5f:30:05:42:28:6c:a3:
         e4:ce:58:58:b7:99:90:95:3c:26:59:58:ab:27:8c:09:eb:81:
         68:14:f7:07:60:b9:9d:fe:81:ba:18:da:31:51:36:53:7b:7f:
         ce:45:c7:a6:88:9c:bb:9d:95:06:a9:a9:6c:c4:6e:a2:58:a6:
         f4:3c:c2:75
Note the following part of the certificate:
X509v3 extensions:
    X509v3 CRL Distribution Points:
        Full Name:
          URI:ldap://www.example.com/ldap?DN=TEST
        Full Name:
          URI:http://www.example.com/crl/test.crl
Each "Full Name:" block is a separate DistributionPoint, so this certificate carries two distributionPoints. A verifier only needs to succeed with one of them.
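What the article does not show is the extension being used. The following script is an added example, not part of the original article: it repeats the article's CA and leaf setup non-interactively (no -des3, so no passphrase prompts; the subjects "Demo CA" and "leaf.example.com" and all file names are assumptions), gives the CA certificate the basicConstraints/keyUsage extensions it needs to act as a CA and CRL signer, issues the leaf with the same two-distribution-point ext.cnf, then creates a CRL with `openssl ca`, revokes the leaf and checks it with `openssl verify -crl_check`. The practical caveat it demonstrates is that OpenSSL's verify does not fetch anything from the URIs in the extension; the CRL has to be supplied locally (here, concatenated with the CA certificate into the -CAfile bundle), and without a CRL -crl_check fails outright.

```shell
#!/bin/sh
# Added example (not from the original article). Builds a CA and a leaf with the
# article's cRLDistributionPoints ext.cnf, issues a CRL, revokes the leaf and shows
# that `openssl verify -crl_check` rejects it. Subjects and file names are assumed.
crl_demo() {
    command -v openssl >/dev/null 2>&1 || { echo no-openssl; return 0; }
    workdir=$(mktemp -d) || return 1
    cd "$workdir" || return 1

    # One config file: the [req] part issues the self-signed CA certificate,
    # the [ca]/[demo_ca] part drives `openssl ca` for revocation and CRL output.
    cat > ca.cnf <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = ca_ext
[dn]
CN = Demo CA
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ca]
default_ca = demo_ca
[demo_ca]
dir = .
database = $dir/index.txt
crlnumber = $dir/crlnumber
certificate = $dir/ca.crt
private_key = $dir/ca.key
default_md = sha256
default_crl_days = 7
EOF
    printf '[req]\nprompt = no\ndistinguished_name = dn\n[dn]\nCN = leaf.example.com\n' > leaf.cnf
    # The article's extension file: two distributionPoints, one URI each.
    cat > ext.cnf <<'EOF'
crlDistributionPoints = @crl_section
[crl_section]
URI.1 = ldap://www.example.com/ldap?DN=TEST
URI.2 = http://www.example.com/crl/test.crl
EOF

    # Unencrypted keys so nothing prompts; CSR subjects come from the config files.
    openssl genrsa -out ca.key 2048 2>/dev/null
    openssl req -new -x509 -key ca.key -config ca.cnf -days 365 -out ca.crt
    openssl genrsa -out leaf.key 2048 2>/dev/null
    openssl req -new -key leaf.key -config leaf.cnf -out leaf.csr
    openssl x509 -req -in leaf.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
        -days 365 -extfile ext.cnf -out leaf.crt 2>/dev/null

    # `openssl ca` needs its database (empty index) and an initial CRL number.
    : > index.txt
    echo 01 > crlnumber

    # 1) Empty CRL bundled with the CA cert: the leaf is not listed, verify passes.
    openssl ca -config ca.cnf -gencrl -out crl.pem 2>/dev/null
    cat ca.crt crl.pem > trust.pem
    if ! openssl verify -crl_check -CAfile trust.pem leaf.crt >/dev/null 2>&1; then
        echo unexpected-failure-before-revocation; return 0
    fi

    # 2) Revoke the leaf, reissue the CRL and verify again: now it must fail.
    openssl ca -config ca.cnf -revoke leaf.crt 2>/dev/null
    openssl ca -config ca.cnf -gencrl -out crl.pem 2>/dev/null
    cat ca.crt crl.pem > trust.pem
    if openssl verify -crl_check -CAfile trust.pem leaf.crt >/dev/null 2>&1; then
        echo unexpected-success-after-revocation; return 0
    fi
    echo "artifacts left in $workdir" >&2
    echo revoked
}
```

Run it as `sh crl_demo.sh` after appending a line that calls `crl_demo`; it prints `revoked` on success and leaves leaf.crt, crl.pem and trust.pem in the temporary directory for inspection with `openssl x509 -text -noout -in leaf.crt` and `openssl crl -text -noout -in crl.pem`. Because the CA certificate is added via -CAfile it is the trust anchor and is itself not CRL-checked; -crl_check_all would extend the check to every certificate in the chain.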
One distributionPoint with multiple general names
Next, we show how to generate a certificate with a single distributionPoint that carries multiple general names. Again an extension configuration file is needed; this time the section name is given without "@" and the names are listed under fullname:
crlDistributionPoints=crl_section
[crl_section]
fullname = @url_section
[url_section]
URI.1=ldap://www.example.com/ldap?DN=TEST
URI.2=http://www.example.com/crl/test.crl
Save it as ext.cnf and run the same command as above.
# Sign leaf.csr with ca.crt
openssl x509 -req -in leaf.csr -out leaf.crt -days 365 -CAcreateserial -CA ca.crt -CAkey ca.key -CAserial serial -extfile ext.cnf
Now show the contents of leaf.crt:
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 8d:16:37:a4:2b:b1:dc:cb
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=SG, ST=SG, L=SG, O=CA, OU=CA, CN=CA/emailAddress=CA
        Validity
            Not Before: Oct 22 08:15:32 2015 GMT
            Not After : Oct 21 08:15:32 2016 GMT
        Subject: C=SG, ST=SG, L=SG, O=LEAF, OU=LEAF, CN=LEAF/emailAddress=LEAF
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:b3:95:12:10:03:74:28:e2:58:94:a1:b8:e8:eb:
                    4a:24:f7:26:b1:ce:97:98:38:93:43:27:b4:c8:c5:
                    2d:e6:b2:01:b4:19:01:95:ae:70:49:00:0d:a7:dc:
                    20:d0:82:1f:48:b7:c4:4b:46:de:ef:5a:05:b1:f0:
                    3c:5f:4d:2c:f6:65:0c:1b:b8:62:d7:f8:1f:55:83:
                    1e:40:46:7f:4c:de:a0:02:dc:02:31:0c:0d:5a:2c:
                    4f:d4:39:6a:23:da:23:10:e5:c5:1b:9d:3c:2f:73:
                    fa:14:50:2a:36:06:59:37:95:62:73:27:94:dd:f8:
                    02:dd:12:63:f0:41:34:15:3f:8a:95:36:b0:b9:d0:
                    cb:a0:16:dc:a9:44:4e:5e:b9:20:fb:b0:e6:35:01:
                    29:7f:df:c7:e9:1e:23:b9:2c:c4:15:ce:b6:17:7f:
                    0d:3f:4c:b0:48:dd:cf:c2:76:88:bc:a2:49:d7:34:
                    57:ba:5a:98:56:f8:b6:f2:6d:24:03:b1:62:ef:e4:
                    50:ba:af:dc:dd:7c:0d:99:7c:4d:f0:23:f9:60:9b:
                    f1:b0:03:02:97:6a:5b:f2:cb:45:8a:74:21:36:fe:
                    b0:ae:50:8a:37:b2:1b:ed:02:ee:8d:f9:89:d4:e7:
                    93:26:c1:40:76:5d:b5:f5:ee:a9:f6:7d:1e:8f:09:
                    18:85
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 CRL Distribution Points:

                Full Name:
                  URI:ldap://www.example.com/ldap?DN=TEST
                  URI:http://www.example.com/crl/test.crl

    Signature Algorithm: sha256WithRSAEncryption
         2b:29:84:8a:14:cd:de:11:ee:cf:30:f8:3e:e2:a6:52:08:a2:
         44:4a:fa:0e:23:cd:9d:37:64:ea:76:40:bf:15:8b:67:5a:8e:
         74:f0:62:9d:71:c1:0e:ed:12:97:ea:5d:29:80:ec:fc:52:cd:
         88:49:dc:c0:e5:1b:16:48:ca:67:92:74:c5:31:80:79:a2:39:
         13:26:fd:37:ad:78:af:aa:ea:13:51:c6:a6:51:3d:df:9b:c8:
         b3:01:bf:d3:e2:60:ac:88:76:01:fa:75:39:6e:b3:a7:89:e3:
         a1:c6:ad:87:e8:f2:a9:99:d5:48:5e:74:f7:b6:0f:b1:42:62:
         ff:72:3c:78:f5:92:e8:0c:b5:af:4e:90:a7:43:7b:01:7b:f3:
         fa:34:a1:01:4d:67:96:63:76:11:64:cd:ad:bc:f8:00:74:07:
         cc:8e:2e:a0:9c:78:6c:2a:00:b8:a5:ae:c3:9e:c8:63:e5:84:
         5a:60:74:3e:4b:dd:cf:5e:60:f4:60:73:58:1f:04:fe:d0:4d:
         ba:f8:2e:a3:d8:c6:f7:a9:d9:58:51:f7:e1:4b:6c:f5:11:28:
         d2:61:45:b6:a6:ba:00:51:55:70:94:32:be:ea:a0:e2:34:72:
         ec:d1:d0:27:7a:90:17:4b:b1:be:03:08:40:9f:2b:f0:f4:6b:
         ee:bf:6a:9d
This time the cRLDistributionPoints extension reads:
X509v3 extensions:
    X509v3 CRL Distribution Points:
        Full Name:
          URI:ldap://www.example.com/ldap?DN=TEST
          URI:http://www.example.com/crl/test.crl
There is only one "Full Name:" block, so this is a single distributionPoint with two general names. Per RFC 5280, multiple names inside one DistributionPointName are alternative ways of obtaining the same CRL, whereas separate distributionPoints may each lead to a different CRL (for example, one per set of reasons). The printed form differs only by the repeated "Full Name:" header, but the DER encoding differs in structure: two DistributionPoint SEQUENCEs versus one SEQUENCE whose fullName holds two GeneralNames.
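To make the difference between the two layouts concrete, here is an added example (not code from the original article) that encodes and decodes the extension value itself with a small DER reader/writer using only the Python standard library. It covers both the "multiple distributionPoints" and the "one distributionPoint with multiple general names" cases above, using the same two URIs as the article, constructed inline. The tag layout in the docstring follows RFC 5280 section 4.2.1.13; the function and constant names are this example's own. Such a decoder is what you need when checking, for instance, that every distribution point a certificate advertises is an http URI your revocation checker can actually fetch.

```python
"""Encode and decode the X.509 cRLDistributionPoints extension value
(RFC 5280 section 4.2.1.13) with a minimal DER reader/writer, stdlib only.

Tag layout used by both the encoder and the decoder:
  CRLDistributionPoints  SEQUENCE (0x30) OF DistributionPoint
  DistributionPoint      SEQUENCE (0x30) {
      distributionPoint  [0] EXPLICIT DistributionPointName      -> 0xA0
      reasons            [1] IMPLICIT ReasonFlags (BIT STRING)   -> 0x81
      cRLIssuer          [2] IMPLICIT GeneralNames               -> 0xA2 }
  DistributionPointName  CHOICE {
      fullName                [0] IMPLICIT GeneralNames          -> 0xA0
      nameRelativeToCRLIssuer [1] IMPLICIT RDN                   -> 0xA1 }
  GeneralName            uniformResourceIdentifier [6] IA5String -> 0x86
"""
from typing import Iterator, List, Tuple

TAG_SEQUENCE = 0x30
TAG_CTX0_CONS = 0xA0  # distributionPoint (explicit) and fullName (implicit)
TAG_CTX1_CONS = 0xA1  # nameRelativeToCRLIssuer
TAG_CTX1_PRIM = 0x81  # reasons
TAG_CTX2_CONS = 0xA2  # cRLIssuer
TAG_URI = 0x86        # GeneralName.uniformResourceIdentifier


def _encode_len(n: int) -> bytes:
    """DER definite length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + _encode_len(len(value)) + value


def encode_crldp(distribution_points: List[List[str]]) -> bytes:
    """Build the extension value. Each inner list holds the fullName URIs of one
    DistributionPoint: [[a], [b]] gives two DPs, [[a, b]] one DP with two names."""
    dps = b""
    for uris in distribution_points:
        if not uris:
            raise ValueError("a DistributionPoint needs at least one name")
        general_names = b"".join(_tlv(TAG_URI, u.encode("ascii")) for u in uris)
        full_name = _tlv(TAG_CTX0_CONS, general_names)   # fullName [0]
        dp_name = _tlv(TAG_CTX0_CONS, full_name)         # distributionPoint [0]
        dps += _tlv(TAG_SEQUENCE, dp_name)
    return _tlv(TAG_SEQUENCE, dps)


def _read_tlvs(data: bytes) -> Iterator[Tuple[int, bytes]]:
    """Yield (tag, value) for each DER TLV in data, rejecting truncated input."""
    i = 0
    while i < len(data):
        tag = data[i]
        i += 1
        if i >= len(data):
            raise ValueError("truncated TLV header")
        first = data[i]
        i += 1
        if first < 0x80:
            length = first
        else:
            n = first & 0x7F
            if n == 0 or i + n > len(data):
                raise ValueError("bad long-form length")
            length = int.from_bytes(data[i:i + n], "big")
            i += n
        if i + length > len(data):
            raise ValueError("TLV value runs past end of data")
        yield tag, data[i:i + length]
        i += length


def parse_crldp(der: bytes) -> List[dict]:
    """Decode the extension value into one dict per DistributionPoint."""
    outer = list(_read_tlvs(der))
    if len(outer) != 1 or outer[0][0] != TAG_SEQUENCE:
        raise ValueError("expected a single outer SEQUENCE")
    result = []
    for dp_tag, dp_value in _read_tlvs(outer[0][1]):
        if dp_tag != TAG_SEQUENCE:
            raise ValueError("DistributionPoint must be a SEQUENCE")
        dp = {"uris": [], "other_names": 0, "relative_name": False,
              "reasons": False, "crl_issuer": False}
        for tag, value in _read_tlvs(dp_value):
            if tag == TAG_CTX0_CONS:                        # distributionPoint
                for name_tag, name_value in _read_tlvs(value):
                    if name_tag == TAG_CTX0_CONS:           # fullName
                        for gn_tag, gn_value in _read_tlvs(name_value):
                            if gn_tag == TAG_URI:
                                dp["uris"].append(gn_value.decode("ascii"))
                            else:                           # dNSName, directoryName, ...
                                dp["other_names"] += 1
                    elif name_tag == TAG_CTX1_CONS:         # nameRelativeToCRLIssuer
                        dp["relative_name"] = True
                    else:
                        raise ValueError(f"unexpected DistributionPointName tag 0x{name_tag:02x}")
            elif tag == TAG_CTX1_PRIM:
                dp["reasons"] = True
            elif tag == TAG_CTX2_CONS:
                dp["crl_issuer"] = True
            else:
                raise ValueError(f"unexpected DistributionPoint field tag 0x{tag:02x}")
        result.append(dp)
    return result


# Constructed sample inputs: the article's two URIs, laid out both ways.
LDAP_URI = "ldap://www.example.com/ldap?DN=TEST"
HTTP_URI = "http://www.example.com/crl/test.crl"
TWO_DPS = encode_crldp([[LDAP_URI], [HTTP_URI]])   # "Full Name:" printed twice
ONE_DP = encode_crldp([[LDAP_URI, HTTP_URI]])      # one "Full Name:", two URIs


def summarize(der: bytes) -> str:
    """Render the fullName/URI case the way `openssl x509 -text` lays it out."""
    lines = []
    for dp in parse_crldp(der):
        lines.append("Full Name:")
        lines.extend("  URI:" + u for u in dp["uris"])
    return "\n".join(lines)


if __name__ == "__main__":
    print("two DPs:", TWO_DPS.hex())
    print(summarize(TWO_DPS))
    print("one DP :", ONE_DP.hex())
    print(summarize(ONE_DP))
```

The two encodings start `30 56 30 29 a0 27 a0 25 86 23 ...` (outer SEQUENCE, first DistributionPoint, explicit [0], fullName, URI) and `30 50 30 4e a0 4c a0 4a 86 23 ...` respectively; the second one has a single DistributionPoint whose fullName holds both 0x86 entries. To feed it a real certificate, extract the OCTET STRING contents of the extension, for example from `openssl asn1parse -i -inform DER -in leaf.der` after converting leaf.crt with `openssl x509 -outform DER`, and pass those bytes to `parse_crldp`.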
You can also combine the two approaches above to produce a certificate with multiple distributionPoints, each carrying multiple general names.
In a future article we will show how to set reasons and cRLIssuer in the cRLDistributionPoints extension when generating a certificate.