Table of Contents
I would recommend you to get an overview of PKI and Certificates before generating or revoking certificates. In this article I will share the steps to revoke certificate from keystone and generate CRL. The first certificate that we issued with our CA in our last article was simply a test certificate to make sure that the CA is working properly. We can see that the certificate was issued properly, but it’s a certificate that we don’t actually want anybody to be able to use, so we will need to revoke the certificate.
Revoke a certificate
Revoking a certificate is a simple process. All you need is a copy of the certificate to be revoked. Even if you don’t keep a copy of all of the certificates that you’ve issued, the CA infrastructure we created does. We can obtain a copy of the certificate that way, but it’s much easier to keep a copy of your own and name the file something meaningful since the CA simply names the file containing the certificates it issues with each certificate’s serial number.
In my last article I had generated an additional private key which I can use to demonstrate this article
[root@node3 CA]# cp newcerts/01.pem testcert.pem
[root@node3 CA]# openssl ca -revoke testcert.pem Using configuration from /etc/pki/tls/openssl.cnf Enter pass phrase for /etc/pki/CA/private/cakey.pem: Revoking Certificate 01. Data Base Updated
The command-line tool prompts us for a passphrase. The passphrase it is looking for is the passphrase that protects the CA’s private key. Although the key is not actually used for any signing as part of the certificate revocation process, it is required to validate the certificate as the CA’s own and as a security measure to ensure that only someone authorized to use the CA can revoke a certificate that it has issued.
No change is made to the certificate at all. In fact, the only noticeable change is to the CA’s database to indicate that the certificate has been revoked.
Generate CRL using openssl
CRL stands for Certificate Revocation List. A CRL contains a list of all of the revoked certificates a CA has issued that have yet to expire. When a certificate is revoked, the CA declares that the certificate should no longer be trusted.
Remember that once a certificate has been issued, it cannot be modified. It’s presumably out in the wild and there’s no way to ensure that every copy of the certificate in existence can be updated. This is where CRLs become relevant
[root@node3 CA]# openssl ca -gencrl -out exampleca.crl Using configuration from /etc/pki/tls/openssl.cnf Enter pass phrase for /etc/pki/CA/private/cakey.pem:
[root@node3 CA]# openssl crl -in exampleca.crl -text -noout Certificate Revocation List (CRL): Version 1 (0x0) Signature Algorithm: sha256WithRSAEncryption Issuer: /C=IN/ST=Karnataka/L=bangalore/O=Golinuxcloud/OU=TEST/CN=Example/emailAddressfirstname.lastname@example.org Last Update: Apr 17 04:37:17 2019 GMT Next Update: May 17 04:37:17 2019 GMT Revoked Certificates: Serial Number: 01 Revocation Date: Apr 17 04:26:14 2019 GMT Signature Algorithm: sha256WithRSAEncryption a7:a9:72:c5:3c:76:31:e1:02:c2:de:ae:46:3e:ff:31:7a:01: c1:92:3f:84:b6:05:be:67:7c:5b:e2:d8:c7:49:cd:7b:81:f8: 76:08:86:9c:1d:e3:80:4e:eb:43:fd:94:7c:e6:0e:59:c7:fe: d2:d6:bd:38:03:b6:61:0c:a3:3e:c9:df:c6:f4:92:39:4a:cd: 8d:9f:c7:93:f8:31:85:23:b0:b3:e0:9b:7d:40:60:02:33:42: 2c:ed:ee:7a:a3:10:75:36:c8:1c:16:42:8e:dc:6c:b7:22:72: 3a:d6:d9:96:9c:98:30:43:10:f4:51:3e:7f:e5:e9:b5:42:ad: 68:dd:2b:d7:c5:fe:ae:aa:e8:96:a6:01:5c:7f:3c:c5:f8:cb: 0d:df:49:93:c3:3e:b5:45:51:bf:9c:68:95:05:9e:93:ee:59: f9:99:d4:1d:8f:39:3a:99:9c:b9:1f:1a:fb:43:84:fe:e3:86: bc:a5:75:f1:53:dd:df:0b:5f:73:2a:98:f5:dd:d6:f7:ab:85: b0:70:0a:cf:ad:19:98:06:5a:a2:bc:fe:e9:35:ed:96:fc:f0: 09:e3:f8:44:d9:76:74:2d:4f:ab:54:05:cf:91:14:f6:9d:5e: fe:b5:99:75:c9:38:e8:7f:a2:72:79:44:37:30:ab:19:ca:fa: ad:43:ab:c6
When we get a text dump of the CRL, we can see the algorithm that was used to sign it, the CA that issued it, when it was issued, when the next list will be issued, and a list of all of the certificates that it contains. We can also use the crl command to verify the signature on the CRL.
Network Security with OpenSSL
Lastly I hope the steps from the article to revoke certificate and generate CRL using openssl on Linux was helpful. So, let me know your suggestions and feedback using the comment section..