openssl: revoking a self-signed certificate

Prerequisites

Run this in the environment where the CA issues certificates, reusing the configuration, CA certificate and private key used at issuance (see the earlier post: openssl 签发CA证书).

Initialize the configuration

cat << 'EOF' > crl.cnf
CERT_DIR = .
[ ca ]
default_ca = CA_default

[ CA_default ]
dir = ${ENV::CERT_DIR}
certs = $dir
crl_dir = $dir/crl
new_certs_dir = $dir
database = $dir/index.txt
certificate = $dir/ca.crt
serial = $dir/serial
crlnumber = $dir/crlnumber
crl = $dir/crl/root.crl
private_key = $dir/ca.key
default_crl_days = 30
crl_extensions = crl_ext
default_md = sha256
name_opt = ca_default
cert_opt = ca_default
default_days = 365
preserve = no
policy = policy_match

[ crl_ext ]
authorityKeyIdentifier=keyid:always

EOF

Initialize the environment

touch index.txt  # if certificates were revoked before, reuse the existing index.txt; otherwise the earlier revocation records are lost
openssl rand -hex 3 > crlnumber

Revoke the certificate

openssl ca -config crl.cnf -cert ca.crt -keyfile ca.key -revoke server.crt -crl_reason Unspecified # -crl_reason sets the revocation reason

Generate the updated certificate revocation list (CRL)

openssl ca -config crl.cnf -gencrl -cert ca.crt -keyfile ca.key -out root-crl.pem #[-crldays <CRL validity period in days>]

View the CRL

openssl crl -text -noout -in root-crl.pem

Convert the format: DER is more compact than PEM

openssl crl -inform PEM -outform DER -in root-crl.pem -out root.crl

Deploy the CRL distribution point server with nginx

server {
    listen 80;
    server_name crl.privatesign.local.com;

    location = /crl/root.crl {
        types {}
        default_type application/pkix-crl;
        alias /opt/pki/crl/root.crl;
    }
}
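The whole procedure above, run end to end as an added example (this script is not from the original post): it builds a throwaway CA in a temporary directory, issues one leaf certificate whose CRL distribution point is the nginx URL above, revokes it with crl.cnf, regenerates the CRL, and then shows that a verifier which checks the CRL rejects the leaf. The CA name, the CRL URL and the crl.cnf layout are the post's own; the signing policy, the leaf extension section, the file names and the temporary directory are assumptions made here.

```shell
#!/bin/sh
# Added example, not code from the original post: runs the revocation
# procedure against a throwaway CA and proves the result with
# "openssl verify -crl_check". Policy/extension sections, file names and
# the temporary working directory are assumptions made for this script.
set -eu

demo_revocation() {
    (
    workdir=$(mktemp -d)
    cd "$workdir"
    # The post's config resolves "dir" from the CERT_DIR environment
    # variable, so point it at the working directory explicitly.
    export CERT_DIR="$workdir"

    # 1. Throwaway root CA (the post assumes an existing ca.crt / ca.key).
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj "/O=PrivateSign/CN=PrivateSign Root CA" \
        -keyout ca.key -out ca.crt 2>/dev/null

    # 2. CA database config in the layout of the post's crl.cnf, plus a
    #    signing policy and leaf extensions (assumed here) so this script
    #    can also issue the certificate it later revokes.
    cat > crl.cnf <<'EOF'
CERT_DIR = .
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = ${ENV::CERT_DIR}
new_certs_dir = $dir
database = $dir/index.txt
certificate = $dir/ca.crt
serial = $dir/serial
crlnumber = $dir/crlnumber
private_key = $dir/ca.key
default_crl_days = 30
crl_extensions = crl_ext
default_md = sha256
default_days = 365
policy = policy_match
x509_extensions = leaf_ext
[ policy_match ]
commonName = supplied
organizationName = optional
[ crl_ext ]
authorityKeyIdentifier = keyid:always
[ leaf_ext ]
basicConstraints = CA:FALSE
authorityKeyIdentifier = keyid
crlDistributionPoints = URI:http://crl.privatesign.local.com/crl/root.crl
EOF
    touch index.txt              # fresh database: no earlier revocations to keep
    echo 1000 > serial
    openssl rand -hex 3 > crlnumber

    # 3. Issue a leaf certificate through the CA database.
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=example.com" \
        -keyout server.key -out server.csr 2>/dev/null
    openssl ca -batch -notext -config crl.cnf -in server.csr -out server.crt 2>/dev/null
    if openssl verify -CAfile ca.crt server.crt >/dev/null 2>&1; then
        before=OK
    else
        before=FAIL
    fi

    # 4. Revoke with a reason, then regenerate the CRL (the post's steps).
    openssl ca -config crl.cnf -cert ca.crt -keyfile ca.key \
        -revoke server.crt -crl_reason keyCompromise 2>/dev/null
    openssl ca -config crl.cnf -gencrl -cert ca.crt -keyfile ca.key \
        -out root-crl.pem 2>/dev/null
    openssl crl -inform PEM -outform DER -in root-crl.pem -out root.crl

    # 5. A verifier that consults the CRL must now reject the leaf.
    after=still-valid
    if openssl verify -CAfile ca.crt -crl_check -CRLfile root-crl.pem \
            server.crt 2>&1 | grep -q "certificate revoked"; then
        after=revoked
    fi
    reason=$(openssl crl -in root-crl.pem -noout -text |
        awk '/CRL Reason Code/ { getline; sub(/^ +/, ""); print }')
    status=$(cut -f1 index.txt)   # "R" marks the revoked entry in index.txt

    echo "status=$status before=$before after=$after reason=$reason"
    )
}

demo_revocation
```

The script prints `status=R before=OK after=revoked reason=Key Compromise`: the leaf verifies before revocation, index.txt carries an R entry afterwards, and `openssl verify -crl_check` fails with "certificate revoked" once the CRL is supplied. Without `-crl_check` (or without fetching the CRL from the distribution point) a verifier still accepts the certificate, which is why publishing the CRL matters as much as generating it.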

Revocation reasons

reason                 X509v3 CRL Reason Code    Meaning                        Note
-----------------------------------------------------------------------------------------------
unspecified            Unspecified               unspecified (0)
keyCompromise          Key Compromise            private key compromised (1)
CACompromise           CA Compromise             CA compromised (2)
affiliationChanged     Affiliation Changed       affiliation changed (3)
superseded             Superseded                superseded (4)
cessationOfOperation   Cessation Of Operation    operation ceased (5)
certificateHold        Certificate Hold          certificate on hold (6)
removeFromCRL          Remove From CRL           removed from the CRL (8)       used with OCSP

Example CRL in text form, as printed by openssl crl -text -noout -in root.crl

Certificate Revocation List (CRL):
        Version 2 (0x1)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: /O=PrivateSign/OU=PrivateSign/CN=PrivateSign Root CA
        Last Update: Apr 17 15:05:44 2023 GMT
        Next Update: May 17 05:45:44 2023 GMT
        CRL extensions:
            X509v3 Authority Key Identifier:
                keyid:B5:BD:B2:FD:18:F9:86:AE:6E:7F:4A:F7:86:A3:9A:8E:7D:D8:63:D1

        CRL extensions:
            X509v3 CRL Number:
                916689326
Revoked Certificates:
    Serial Number: 67250A6E24874F8235286B6E6FA9C1A482FE
        Revocation Date: Apr 17 15:05:40 2023 GMT
        CRL entry extensions:
            X509v3 CRL Reason Code:
                Unspecified
    Signature Algorithm: sha256WithRSAEncryption
         41:2a:f4:10:1a:22:fc:3c:72:ae:1f:ea:d4:11:c7:6d:ba:13:
         51:f9:01:a4:44:fa:a6:d7:96:6a:7b:23:37:04:9e:87:09:f2:
         c1:e7:f8:9a:82:75:66:91:c5:05:d2:2e:be:aa:4e:68:2b:28:
         60:6c:fa:5a:14:4c:2a:28:0a:13:04:47:14:b7:3c:fa:8d:63:
         c7:70:ec:10:86:82:6e:1d:97:27:b8:5b:bf:d5:a7:09:d7:d2:
         53:c9:67:31:3c:67:53:fe:33:26:c3:e3:f2:7e:4d:37:f8:49:
         f0:39:54:96:8c:ac:1f:db:c9:5c:24:12:c4:0e:65:24:39:c5:
         58:ff:b0:88:7f:ff:cf:e9:47:a0:99:0b:c2:06:f6:e5:54:b8:
         d1:c1:7b:ba:4a:01:cb:96:4f:43:83:78:d3:b4:67:2e:7d:e4:
         25:f4:90:db:3f:d7:91:87:3e:0b:45:20:ae:7b:ba:e2:d2:a3:
         60:c5:17:92:29:1c:a4:51:e4:35:45:35:c0:54:08:ff:65:1c:
         9a:f3:71:05:ed:f4:b4:06:e8:0c:f9:96:8b:e2:40:aa:aa:0f:
         54:b0:32:64:f0:8f:9d:ad:2c:0c:ec:64:f3:46:a5:d6:76:0f:
         14:ce:25:b3:be:76:78:e1:28:bd:1f:a0:87:00:06:b9:df:4b:
         d5:bb:75:3b
# cat index.txt
R 240417152945Z 230417152954Z,unspecified C0ED6FC2306B9B575A07EEF926A99F1B7A97 unknown /C=CN/ST=ZheJiang/L=HangZhou/O=SRE/CN=example.com

The first field is the status: R means revoked. The other possible values are E (expired) and V (valid).
The second field is the expiry time, in the format YYMMDDHHMMSSZ.
The third field is the revocation date (followed by the reason); it is empty when the certificate has not been revoked.
The fourth field is the serial number, which is also the file name of the issued certificate.
The fifth field is the certificate file location; unknown means it is not recorded.
The last field is the certificate's name (its subject DN), which distinguishes it from other certificates.
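The index.txt layout described above, read back with awk as an added example (not code from the original post). The database is tab-separated: status, expiry, revocation date with optional reason, serial, file name, subject. The sample database is constructed for this example: its first entry is the post's own line, the remaining serials and subject names are made up.

```shell
#!/bin/sh
# Added example, not code from the original post: summarises an openssl "ca"
# database (index.txt) and answers "is this serial revoked?" from it.
# The sample database below is constructed; only its first line comes from
# the post.
set -eu

# make_sample_index -> prints the path of a constructed index.txt
make_sample_index() {
    f=$(mktemp)
    {
        printf 'R\t240417152945Z\t230417152954Z,unspecified\tC0ED6FC2306B9B575A07EEF926A99F1B7A97\tunknown\t/C=CN/ST=ZheJiang/L=HangZhou/O=SRE/CN=example.com\n'
        printf 'V\t250101000000Z\t\t1000\tunknown\t/CN=alpha.example.com\n'
        printf 'R\t250101000000Z\t240417152954Z,keyCompromise\t1001\tunknown\t/CN=beta.example.com\n'
        printf 'R\t250101000000Z\t240417153000Z\t1002\tunknown\t/CN=gamma.example.com\n'
        printf 'E\t230101000000Z\t\t1003\tunknown\t/CN=delta.example.com\n'
    } > "$f"
    echo "$f"
}

# index_summary FILE -> one line per entry: "<serial> <status> <reason or ->"
index_summary() {
    awk -F'\t' '
    {
        status = "unknown"
        if ($1 == "V") status = "valid"; else if ($1 == "R") status = "revoked"; else if ($1 == "E") status = "expired"
        reason = "-"
        if ($1 == "R") {
            # field 3 is "<revocation date>[,<reason>]"; no reason means unspecified
            n = split($3, rev, ",")
            reason = (n > 1) ? rev[2] : "unspecified"
        }
        print $4, status, reason
    }' "$1"
}

# is_revoked FILE SERIAL -> exit status 0 when SERIAL has an R entry
is_revoked() {
    awk -F'\t' -v s="$2" '
        $1 == "R" && $4 == s { found = 1 }
        END { exit found ? 0 : 1 }' "$1"
}

# Stand-alone run: print the summary and check one serial.
db=$(make_sample_index)
index_summary "$db"
if is_revoked "$db" 1001; then echo "serial 1001 is revoked"; fi
rm -f "$db"
```

Because the third field is empty for unrevoked entries, the awk invocation must use an explicit tab separator (`-F'\t'`); the default whitespace splitting would collapse the empty field and shift the serial into the wrong column.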
  • Copyrights © 2018-2024 Outsrkem