
Chapter 8. Implementing a Certificate Revocation List

A Certificate Revocation List (CRL) is a CA-signed list of certificates that the issuing CA has revoked and that must no longer be trusted. This chapter shows you how to generate and publish a CRL in a Red Hat Update Infrastructure environment with the openssl ca command, signed by the same CA certificate and key that issued the X.509 client certificates.

Procedure 8.1. Implementing a CRL in a Red Hat Update Infrastructure environment

  1. Make a directory for a CRL:
    # mkdir /etc/pki/pulp/content/crl
    
  2. Create an index file with the following command:
    # touch /etc/pki/pulp/content/crl/index.txt
  3. Create the CRL number file. It must contain only the text 00 (the next CRL number, in hexadecimal); openssl ca increments it each time a CRL is generated.
    # echo 00 > /etc/pki/pulp/content/crl/pulp_crl_number
  4. Create /etc/pulp/crl_openssl.conf with the following contents (run the command from /etc/pulp/):
    cat <<EOF > crl_openssl.conf
    # OpenSSL configuration for CRL generation
    #
    ####################################################################
    [ ca ]
    default_ca	= CA_default		# The default ca section
    
    ####################################################################
    [ CA_default ]
    database = /etc/pki/pulp/content/crl/index.txt
    crlnumber = /etc/pki/pulp/content/crl/pulp_crl_number
    crl_extensions = crl_ext		# apply the [ crl_ext ] section below to generated CRLs
    
    
    default_days	= 365			# how long to certify for
    default_crl_days= 30			# how long before next CRL
    default_md	= default		# use public key default MD
    preserve	= no			# keep passed DN ordering
    
    ####################################################################
    [ crl_ext ]
    # CRL extensions.
    # Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
    # issuerAltName=issuer:copy
    authorityKeyIdentifier=keyid:always,issuer:always
    EOF
    
  5. Create the CRL file with the following command:
    # openssl ca -gencrl -keyfile /home/example/ca.key -cert /home/example/ca.crt -out /etc/pki/pulp/content/crl/pulp_crl.pem -config /etc/pulp/crl_openssl.conf

    Note

    The CA certificate and key must be the same ones used to create the client entitlement RPMs; a CRL signed by any other key is ignored by clients that trust that CA.

Procedure 8.2. Revoking a certificate

  1. Revoke a certificate with the following command:
    # openssl ca -revoke <Content certificate> -keyfile /home/example/ca.key -cert /home/example/ca.crt -config /etc/pulp/crl_openssl.conf

    Example 8.1. Example Revoking Certificate

    # openssl ca -revoke /tmp/dir/rhui-client.crt -keyfile /root/pem/ca.key -cert /root/pem/ca.crt -config /etc/pulp/crl_openssl.conf 
    Using configuration from /etc/pulp/crl_openssl.conf
    Adding Entry with serial number 0102 to DB for /CN=Red Hat Update Infrastructure
    Revoking Certificate 0102.
    Data Base Updated
    
  2. Regenerate the CRL so that the new entry is published; until this step runs, the revocation exists only in index.txt:
    # openssl ca -gencrl -keyfile /home/example/ca.key -cert /home/example/ca.crt -out /etc/pki/pulp/content/crl/pulp_crl.pem -config /etc/pulp/crl_openssl.conf
  3. Build a verification bundle containing the CA certificate and the CRL with the following command:
    # cat /home/example/ca.crt /etc/pki/pulp/content/crl/pulp_crl.pem > /tmp/test.pem
  4. Verify the content certificate against that bundle with CRL checking enabled:
    # openssl verify -extended_crl -verbose -CAfile /tmp/test.pem -crl_check <Content certificate>

    Note

    Error 23 (X509_V_ERR_CERT_REVOKED) indicates the certificate has been revoked; a certificate that is not revoked verifies as OK. For the other verification error codes, refer to the openssl verify manual page at openssl.org.
  5. In /etc/pki/pulp/content, create a symbolic link named after the CRL issuer hash with the following command. Hash-directory lookups (as used by openssl verify -CApath and by Apache mod_ssl's SSLCARevocationPath) find a CRL only under the name <issuer hash>.r0, so without this link the CRL is never consulted:
    # ln -s crl/pulp_crl.pem `openssl crl -hash -noout -in crl/pulp_crl.pem`.r0
    
  6. Copy the CRL directory and the hash link to each CDS instance. Repeat this step every time the CRL is regenerated, otherwise the CDS instances keep serving content to revoked certificates:
    # tar -cf - crl *.r0 | ssh root@fqdn_cds 'cd /etc/pki/pulp/content && tar -xvf -'
    
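The two procedures above, run end to end, as an added example that is not part of the original chapter and not Red Hat's own tooling. It builds a throwaway CA and client certificate under a temporary directory instead of the /etc/pki/pulp and /home/example paths, so it can be run on any host with openssl installed without touching a real RHUI deployment; the crl_demo function name, the "Demo RHUI CA" subject and the temporary layout are assumptions made for the demo. It checks that the client certificate verifies before revocation, that openssl verify reports error 23 after the CRL is regenerated, and that the same result is obtained through a hash directory containing the <hash>.0 and <hash>.r0 links that step 5 creates.

```shell
#!/bin/sh
# Added worked example (not from the RHUI documentation): exercise the CRL
# database layout and commands from Procedures 8.1 and 8.2 against a
# throwaway CA in a temporary directory.
set -eu

# Extract the numeric "error N at D depth lookup" code from openssl verify output.
verify_code() {
    printf '%s\n' "$1" | sed -n 's/.*error \([0-9][0-9]*\) at [0-9][0-9]* depth lookup.*/\1/p' | head -n 1
}

# Prints three tokens: verify result before revocation ("OK"), the error code
# seen via a CA+CRL bundle after revocation, and the error code seen via a
# hash directory after revocation. Expected: "OK 23 23".
crl_demo() {
    work=$(mktemp -d)
    crl="$work/crl"
    mkdir -p "$crl"
    touch "$crl/index.txt"          # openssl ca database (Procedure 8.1, step 2)
    echo 00 > "$crl/pulp_crl_number" # next CRL number in hex (step 3)

    # Constructed demo CA and client certificate; a real deployment uses the
    # CA key and certificate behind the client entitlement RPMs instead.
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -keyout "$work/ca.key" -out "$work/ca.crt" \
        -subj "/CN=Demo RHUI CA" >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes \
        -keyout "$work/client.key" -out "$work/client.csr" \
        -subj "/CN=Red Hat Update Infrastructure" >/dev/null 2>&1
    openssl x509 -req -days 30 -in "$work/client.csr" \
        -CA "$work/ca.crt" -CAkey "$work/ca.key" -CAcreateserial \
        -out "$work/client.crt" >/dev/null 2>&1

    # Same shape as the chapter's crl_openssl.conf; crl_extensions makes the
    # [ crl_ext ] section actually apply to generated CRLs.
    cat > "$work/crl_openssl.conf" <<EOF
[ ca ]
default_ca = CA_default

[ CA_default ]
database         = $crl/index.txt
crlnumber        = $crl/pulp_crl_number
crl_extensions   = crl_ext
default_days     = 365
default_crl_days = 30
default_md       = sha256
preserve         = no

[ crl_ext ]
authorityKeyIdentifier = keyid:always,issuer:always
EOF

    # Initial (empty) CRL, then verify the still-valid client certificate
    # against a CA + CRL bundle (Procedure 8.2, steps 3 and 4).
    openssl ca -gencrl -keyfile "$work/ca.key" -cert "$work/ca.crt" \
        -out "$crl/pulp_crl.pem" -config "$work/crl_openssl.conf" >/dev/null 2>&1
    cat "$work/ca.crt" "$crl/pulp_crl.pem" > "$work/test.pem"
    if openssl verify -extended_crl -crl_check -CAfile "$work/test.pem" \
        "$work/client.crt" >/dev/null 2>&1; then before=OK; else before=FAIL; fi

    # Revoke, regenerate the CRL (the revocation is not published until this
    # runs), rebuild the bundle and verify again.
    openssl ca -revoke "$work/client.crt" -keyfile "$work/ca.key" \
        -cert "$work/ca.crt" -config "$work/crl_openssl.conf" >/dev/null 2>&1
    openssl ca -gencrl -keyfile "$work/ca.key" -cert "$work/ca.crt" \
        -out "$crl/pulp_crl.pem" -config "$work/crl_openssl.conf" >/dev/null 2>&1
    cat "$work/ca.crt" "$crl/pulp_crl.pem" > "$work/test.pem"
    bundle_out=$(openssl verify -extended_crl -crl_check -CAfile "$work/test.pem" \
        "$work/client.crt" 2>&1 || true)
    bundle_code=$(verify_code "$bundle_out")

    # Hash-directory layout (step 5): <subject hash>.0 for the CA certificate
    # and <issuer hash>.r0 for the CRL, which -CApath and mod_ssl look up.
    ln -s "$work/ca.crt" "$work/$(openssl x509 -hash -noout -in "$work/ca.crt").0"
    ln -s "$crl/pulp_crl.pem" "$work/$(openssl crl -hash -noout -in "$crl/pulp_crl.pem").r0"
    path_out=$(openssl verify -crl_check -CApath "$work" "$work/client.crt" 2>&1 || true)
    path_code=$(verify_code "$path_out")

    rm -rf "$work"
    echo "$before $bundle_code $path_code"
}

crl_demo
```

The middle token is the result a CDS would see after the regenerated CRL is copied over; the last token shows that the .r0 link is what makes the CRL discoverable in a hash directory, so omitting step 5 (or forgetting to re-copy the CRL in step 6) leaves revoked certificates accepted.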