Chapter 8. Implementing a Certificate Revocation List
A Certificate Revocation List (CRL) is a list of certificates that have been revoked and should no longer be trusted. This chapter shows you how to implement a CRL in a Red Hat Update Infrastructure environment using OpenSSL x509 certificates.
Procedure 8.1. Implementing a CRL list in a Red Hat Update Infrastructure environment
- Make a directory for a CRL:
# mkdir /etc/pki/pulp/content/crl
- Create an index file with the following command:
# touch /etc/pki/pulp/content/crl/index.txt
- Create a file for the CRL number. This file should contain only the text 00:
# echo 00 > /etc/pki/pulp/content/crl/pulp_crl_number
- In /etc/pulp/, create a crl_openssl.conf file with the following contents. Note that the [ crl_ext ] section is only applied if the CA_default section also sets crl_extensions = crl_ext; as written, the CRL is generated without those extensions.
cat <<EOF > crl_openssl.conf
# OpenSSL configuration for CRL generation
#
####################################################################
[ ca ]
default_ca = CA_default # The default ca section
####################################################################
[ CA_default ]
database = /etc/pki/pulp/content/crl/index.txt
crlnumber = /etc/pki/pulp/content/crl/pulp_crl_number
default_days = 365 # how long to certify for
default_crl_days = 30 # how long before next CRL
default_md = default # use public key default MD
preserve = no # keep passed DN ordering
####################################################################
[ crl_ext ]
# CRL extensions.
# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
# issuerAltName=issuer:copy
authorityKeyIdentifier=keyid:always,issuer:always
EOF
- Create the CRL file with the following command:
# openssl ca -gencrl -keyfile /home/example/ca.key -cert /home/example/ca.crt -out /etc/pki/pulp/content/crl/pulp_crl.pem -config /etc/pulp/crl_openssl.conf
Note
The CA certificate and key must be the same ones used to create the client entitlement RPMs.
Procedure 8.2. Revoking a certificate
- Revoke a certificate with the following command:
# openssl ca -revoke <Content certificate> -keyfile /home/example/ca.key -cert /home/example/ca.crt -config /etc/pulp/crl_openssl.conf
Example 8.1. Revoking a Certificate
# openssl ca -revoke /tmp/dir/rhui-client.crt -keyfile /root/pem/ca.key -cert /root/pem/ca.crt -config /etc/pulp/crl_openssl.conf
Using configuration from /etc/pulp/admin/crl_openssl.conf
Adding Entry with serial number 0102 to DB for /CN=Red Hat Update Infrastructure
Revoking Certificate 0102.
Data Base Updated
- Regenerate the CRL list with the following command:
# openssl ca -gencrl -keyfile /home/example/ca.key -cert /home/example/ca.crt -out /etc/pki/pulp/content/crl/pulp_crl.pem -config /etc/pulp/crl_openssl.conf
- Prepare a test file for the CRL list by concatenating the CA certificate and the CRL:
# cat /home/example/ca.crt /etc/pki/pulp/content/crl/pulp_crl.pem > /tmp/test.pem
- Verify the CRL list with the following command:
# openssl verify -extended_crl -verbose -CAfile /tmp/test.pem -crl_check <Content certificate>
Note
Error code 23 indicates the certificate has been revoked. For other error codes, refer to openssl.org.
- In /etc/pki/pulp/content, create the hash-named symbolic link to the CRL with the following command:
# ln -s crl/pulp_crl.pem `openssl crl -hash -noout -in crl/pulp_crl.pem`.r0
- Copy the CRL information to each CDS instance:
# tar -cf - crl *.r0 | ssh root@fqdn_cds 'cd /etc/pki/pulp/content && tar -xvf -'
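Procedures 8.1 and 8.2 run end to end, as an added example that is not part of the RHUI guide: it assumes only a POSIX shell and the openssl command, builds a throwaway CA and client certificate in a temporary directory (constructed stand-ins for the entitlement CA and a content certificate), and confirms that the verify step reports the certificate as revoked only after the CRL has been regenerated.

```shell
# Added example, not the guide's own code: build a throwaway CA and client
# certificate in a temp dir, then run the chapter's CRL workflow on them
# (empty CRL -> verify OK -> revoke -> regenerate CRL -> verify revoked,
# plus the <hash>.r0 link). Every path is constructed; /etc/pki/pulp is untouched.
run_crl_workflow() {
    work=$(mktemp -d) || return 1
    mkdir "$work/crl"
    : > "$work/crl/index.txt"               # empty CA database (index.txt)
    echo 00 > "$work/crl/pulp_crl_number"   # starting CRL number
    # Same [ CA_default ] settings as crl_openssl.conf in the guide, with the
    # database and crlnumber paths pointed at the temp directory.
    cat > "$work/crl_openssl.conf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
database = $work/crl/index.txt
crlnumber = $work/crl/pulp_crl_number
default_days = 365
default_crl_days = 30
default_md = default
preserve = no
EOF
    # Throwaway CA plus a client cert it signs: stand-ins for the entitlement
    # CA key/cert and an RHUI content certificate.
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj /CN=Test-CA \
        -keyout "$work/ca.key" -out "$work/ca.crt" >/dev/null 2>&1 || return 1
    openssl req -new -newkey rsa:2048 -nodes -subj /CN=rhui-client \
        -keyout "$work/client.key" -out "$work/client.csr" >/dev/null 2>&1 || return 1
    openssl x509 -req -days 30 -in "$work/client.csr" -CA "$work/ca.crt" -CAkey "$work/ca.key" \
        -CAcreateserial -out "$work/client.crt" >/dev/null 2>&1 || return 1
    ca="openssl ca -keyfile $work/ca.key -cert $work/ca.crt -config $work/crl_openssl.conf"
    crl="$work/crl/pulp_crl.pem"
    # Verify step from the guide: CA cert and CRL concatenated into one file.
    verify_client() {
        cat "$work/ca.crt" "$crl" > "$work/test.pem"
        openssl verify -extended_crl -verbose -CAfile "$work/test.pem" \
            -crl_check "$work/client.crt" 2>&1
    }
    $ca -gencrl -out "$crl" >/dev/null 2>&1 || return 1
    before=$(verify_client | grep -q ': OK' && echo ok || echo fail)
    $ca -revoke "$work/client.crt" >/dev/null 2>&1 || return 1     # Procedure 8.2, step 1
    $ca -gencrl -out "$crl" >/dev/null 2>&1 || return 1            # regenerate the CRL
    after=$(verify_client | grep -q 'certificate revoked' && echo revoked || echo fail)
    # Hash-named link (<hash>.r0) that the CDS content directory expects
    link="$work/$(openssl crl -hash -noout -in "$crl").r0"
    ln -s crl/pulp_crl.pem "$link" && [ -f "$link" ] || return 1
    rm -rf "$work"
    echo "$before $after"    # ok revoked
}
```

Running `run_crl_workflow` prints `ok revoked`: the client certificate validates against the empty CRL and fails with error 23 once the regenerated CRL lists its serial.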