Offline Root CA and CRL generation

6 messages

Offline Root CA and CRL generation

Sven Dreyer
Hi List,

I would like to set up an OpenSSL-based offline Root CA.

Certificates issued by this Root CA contain a CDP.

I would like to issue CRLs every 3 days, which would mean that I would
have to take the offline Root CA online every 3 days.

Is there a way to let the Root CA issue a "CRL signer certificate",
which can then run on a different machine for CRL signature?

For OCSP it seems to be possible (RFC2560, 2.6 - "OCSP Signature
Authority Delegation"). Does anybody know whether it's possible for
CRLs using OpenSSL?

Thanks for any advice,
Sven
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]

Re: Offline Root CA and CRL generation

Sven Dreyer
Hi Matthew,

On 15.03.2013 16:03, Matthew Hall wrote:
> Read about the cRLSign KeyUsage bit. This is how it is usually
> handled.

I already let the Root CA issue a certificate with "keyUsage = cRLSign"
and used that certificate to sign the CRL, but my colleague's Windows
machine refused to accept the CRL signed that way.

The problem went away when I directly signed the CRL with the Root CA
certificate, so I thought I did something wrong or it's simply not possible.

Thanks,
Sven

Re: [openssl-users] Offline Root CA and CRL generation

Erwann ABALEA
In reply to this post by Sven Dreyer
X.509 allows for a self-signed certificate dedicated to CRL signing
(with the same name, of course). But that's not acceptable for RFC5280.

You can generate a self-issued certificate dedicated to CRL signing
(same name, different key, signed by your root). That's acceptable for
RFC5280, but you'll have to check with your clients. And find a way to
distribute this certificate.

--
Erwann ABALEA

On 15/03/2013 15:53, Sven Dreyer wrote:

> Hi List,
>
> I would like to set up an OpenSSL-based offline Root CA.
>
> Certificates issued by this Root CA contain a CDP.
>
> I would like to issue CRLs every 3 days, which would mean that I would
> have to take the offline Root CA online every 3 days.
>
> Is there a way to let the Root CA issue a "CRL signer certificate",
> which can then run on a different machine for CRL signature?
>
> For OCSP it seems to be possible (RFC2560, 2.6 - "OCSP Signature
> Authority Delegation"). Does anybody know whether it's possible for
> CRLs using OpenSSL?
>
> Thanks for any advice,
> Sven


Re: [openssl-users] Offline Root CA and CRL generation

Sven Dreyer
Hi Erwann,

On 15.03.2013 16:16, Erwann Abalea wrote:
> You can generate a self-issued certificate dedicated to CRL signing
> (same name, different key, signed by your root). That's acceptable
> for RFC5280, but you'll have to check with your clients. And find a
> way to distribute this certificate.

I'm not sure whether I got it right.

My Root CA is named "Foobar Root CA" with keypair (A).

I would then let "Foobar Root CA" issue a certificate for "Foobar Root
CA" with keypair (B) and attribute "keyUsage = cRLSign".

I would then use the certificate for keypair (B) to sign the CRL.

Then, I would distribute the certificates for "Foobar Root CA" (A) and
"Foobar Root CA" (B) to my clients' trusted CA stores.

Is this the way you pointed me to?

Thanks,
Sven

Re: [openssl-users] Offline Root CA and CRL generation

Erwann ABALEA
On 15/03/2013 17:01, Sven Dreyer wrote:

> Hi Erwann,
>
> On 15.03.2013 16:16, Erwann Abalea wrote:
>> You can generate a self-issued certificate dedicated to CRL signing
>> (same name, different key, signed by your root). That's acceptable
>> for RFC5280, but you'll have to check with your clients. And find a
>> way to distribute this certificate.
>
> I'm not sure whether I got it right.
>
> My Root CA is named "Foobar Root CA" with keypair (A).
>
> I would then let "Foobar Root CA" issue a certificate for "Foobar Root
> CA" with keypair (B) and attribute "keyUsage = cRLSign".
>
> I would then use the certificate for keypair (B) to sign the CRL.
>
> Then, I would distribute the certificates for "Foobar Root CA" (A) and
> "Foobar Root CA" (B) to my clients' trusted CA stores.
>
> Is this the way you pointed me to?

Yes. That's one possible solution (possible from a PKI point of view).

Another solution would be to play with indirect CRLs. That involves
issuing a certificate (with a different name, for example "Foobar CRL
Signer") dedicated to CRL signing, specifying its name in the
CRLDistributionPoints of your issued certificates, and signing the CRL with
this certificate+private key (Foobar CRL Signer). That CRL must have a
critical IssuingDistributionPoint extension with the indirectCRL set to
true, and at least the first revocation entry must have an extension
indicating its issuer name (Foobar Root CA). "Foobar CRL Signer" may be
issued under a completely different trust chain.
I don't know how well this second solution is supported by clients, and
I suppose that the "Foobar CRL Signer" certificate should itself have a
CRLDP extension pointing to a valid CRL, etc.
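The first solution Erwann confirms above (root "Foobar Root CA" with key A; a second "Foobar Root CA" certificate with key B, issued by A and restricted to cRLSign; CRLs signed by B), built end to end with the openssl command line. This is an added example, not code from the thread or from the OpenSSL project; the scratch directory, file names and the leaf subject are assumptions. The two verify runs at the end show what "check with your clients" means in practice, using OpenSSL's own verifier as the client: it honours the CRL only when the signer certificate is supplied and extended CRL support is switched on. The indirect-CRL variant is not shown, because the openssl ca command has no option for the per-entry certificateIssuer extension that such a CRL needs.

```shell
#!/bin/sh
# Added example, not from the thread: the self-issued CRL signer built with the
# openssl command line.
#   key A  "Foobar Root CA"  offline root, signs certificates and the signer cert
#   key B  "Foobar Root CA"  same name, keyUsage=cRLSign only, signs the CRLs
# Working directory, file names and the leaf subject are assumptions for the demo.
set -e
WORK="${WORK:-/tmp/foobar-crlsigner-demo}"   # hypothetical scratch directory

setup_ca() {
    rm -rf "$WORK" && mkdir -p "$WORK/newcerts" && cd "$WORK"
    touch index.txt && echo 1000 > serial && echo 1000 > crlnumber
    # Quoted heredoc: "$dir" below is OpenSSL config substitution, not shell.
    cat > ca.cnf <<'EOF'
[ ca ]
default_ca = root
[ root ]
dir              = .
database         = $dir/index.txt
new_certs_dir    = $dir/newcerts
serial           = $dir/serial
crlnumber        = $dir/crlnumber
certificate      = $dir/root.pem
private_key      = $dir/root.key
default_md       = sha256
default_days     = 365
default_crl_days = 3
policy           = policy_any
crl_extensions   = crl_ext
[ policy_any ]
commonName = supplied
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ v3_root ]
basicConstraints       = critical, CA:TRUE
keyUsage               = critical, keyCertSign, cRLSign
subjectKeyIdentifier   = hash
[ v3_crlsigner ]
basicConstraints       = critical, CA:FALSE
keyUsage               = critical, cRLSign
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always
[ v3_leaf ]
basicConstraints       = critical, CA:FALSE
keyUsage               = critical, digitalSignature
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always
[ crl_ext ]
authorityKeyIdentifier = keyid:always
EOF
    # Key A: self-signed root.
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out root.key 2>/dev/null
    openssl req -new -config ca.cnf -key root.key -subj "/CN=Foobar Root CA" -out root.csr
    openssl x509 -req -in root.csr -signkey root.key -days 3650 \
        -extfile ca.cnf -extensions v3_root -out root.pem 2>/dev/null
    # Key B: same subject as the root, issued by key A, restricted to cRLSign.
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out crlsigner.key 2>/dev/null
    openssl req -new -config ca.cnf -key crlsigner.key -subj "/CN=Foobar Root CA" -out crlsigner.csr
    openssl x509 -req -in crlsigner.csr -CA root.pem -CAkey root.key -CAcreateserial -days 400 \
        -extfile ca.cnf -extensions v3_crlsigner -out crlsigner.pem 2>/dev/null
    # An end-entity certificate issued by the root (key A), then revoked.
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out leaf.key 2>/dev/null
    openssl req -new -config ca.cnf -key leaf.key -subj "/CN=leaf.example.test" -out leaf.csr
    openssl ca -batch -config ca.cnf -notext -extensions v3_leaf -in leaf.csr -out leaf.pem 2>/dev/null
    openssl ca -config ca.cnf -revoke leaf.pem -crl_reason keyCompromise 2>/dev/null
    # The CRL is signed with key B on the online box; key A never leaves the vault.
    # crl_ext puts B's key identifier into the CRL's authorityKeyIdentifier, the only
    # thing that tells a verifier which "Foobar Root CA" key to check the signature with.
    openssl ca -config ca.cnf -gencrl -cert crlsigner.pem -keyfile crlsigner.key -out crl.pem 2>/dev/null
}

# Succeeds when the CRL signature checks out against the certificate in the given file.
crl_verifies_with() {
    openssl crl -in "$WORK/crl.pem" -noout -CAfile "$WORK/$1" -verify 2>&1 | grep -q "verify OK"
}

# Full path validation of the leaf with CRL checking; extra arguments go to openssl verify.
# Prints OpenSSL's verdict instead of failing, so the caller can inspect it.
leaf_verdict() {
    openssl verify -crl_check -CAfile "$WORK/root.pem" -CRLfile "$WORK/crl.pem" "$@" "$WORK/leaf.pem" 2>&1 || true
}

setup_ca
crl_verifies_with crlsigner.pem && echo "CRL verifies with key B (crlsigner.pem)"
crl_verifies_with root.pem || echo "CRL does not verify with key A (root.pem): expected"
echo "--- signer supplied, extended CRL support on: should report the leaf revoked"
leaf_verdict -extended_crl -untrusted "$WORK/crlsigner.pem"
echo "--- signer supplied, extended CRL support off: OpenSSL cannot locate a usable CRL"
leaf_verdict -untrusted "$WORK/crlsigner.pem"
```

Two details carry the whole scheme. The CRL must carry an authorityKeyIdentifier, because under an identical issuer name that key identifier is the only thing that lets a verifier pick key B rather than key A; without it OpenSSL tries the root key and reports a CRL signature failure. And the verifier has to be willing to look for a CRL issuer that is not on the certification path, which OpenSSL does only with X509_V_FLAG_EXTENDED_CRL_SUPPORT (the -extended_crl switch): with the signer certificate at hand but that flag off, the last run ends in "unable to get certificate CRL". A client that does neither cannot use the CRL at all, which is the sort of thing Erwann's "check with your clients" covers.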

Re: [openssl-users] Offline Root CA and CRL generation

Sven Dreyer
Hi Erwann,

On 15.03.2013 17:36, Erwann Abalea wrote:
> Yes. That's one possible solution (possible from a PKI point of view).
>
> Another solution would be to play with indirect CRLs. That involves

Thank you very much for your explanations, I will try these scenarios.

Thanks, Sven
