Generic question on CRL use

Hi all,
new on the list, and not a tricky question :D

We use client cert authentication at our office; there is a CA chain like this :

BigCA (self signed)
IntermediateCA (signed by BigCA)
ServerCert (signed by IntermediateCA) used by Apache/modssl
ClientCA (signed by IntermediateCA)
many clients (signed by ClientCA)

- ClientX has 1 year validity
- ClientCA has 4 years validity, but is replaced at half life (2 years), so ClientX signed by the old ClientCA version remains valid until expiration.
- CRL is signed by the recent ClientCA

So, at a time, we have 2 ClientCA with different key and different validity period, but same DN.

The problem is, when verifying client certs it works with both ClientCA stacked; but when using CRL, old clients work only if the CRL is signed by the old ClientCA.

1/ is it rfc compliant, and if not, why (reference ?).
2/ if this is rfc compliant, why does openssl not handle this ?

Thanks for all help you could provide.
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@...
Automated List Manager majordomo@...
Re: Generic question on CRL use

Gilles Cuesta wrote:
> So, at a time, we have 2 ClientCA with different key and different
> validity period, but same DN.

This is bad practice. Try searching for "CA key roll-over".

> The problem is, when verifying client cert work with both ClientCA
> stacked; but when using CRL, old clients work only if CRL is signed by
> old ClientCA.

Well, you asked for trouble...

You could try to add the authorityKeyIdentifier extension to the CRL if it's also present in the CA certs. This could work with some software.

But my strong recommendation: Fix your 2nd ClientCA cert.

Ciao, Michael.
Re: Generic question on CRL use

2008/6/16 Michael Ströder <michael@...>:
> Gilles Cuesta wrote:
>>
>> So, at a time, we have 2 ClientCA with different key and different
>> validity period, but same DN.
>
> This is bad practice. Try searching for "CA key roll-over".

I found docs about it, but proprietary PKI, and couldn't know if this feature is implemented ...

>
>> The problem is, when verifying client cert work with both ClientCA
>> stacked; but when using CRL, old clients work only if CRL is signed by
>> old ClientCA.
>
> Well, you asked for trouble...
>
> You could try to add the authorityKeyIdentifier extension to the CRL if it's
> also present in the CA certs. This could work with some software.
>

Here we are :D

apache.crl
Certificate Revocation List (CRL):
        Version 2 (0x1)
    ...
        X509v3 Authority Key Identifier:
            keyid:B8:85:B4...

apache-caclient.cer
Certificate:
    ...
        Validity
            Not Before: Feb 29 12:23:38 2007 GMT
            Not After : Feb 29 12:23:58 2011 GMT
    ...
            X509v3 Key Usage: critical
                Certificate Sign, CRL Sign
    ...
            X509v3 Subject Key Identifier:
                B8:85:B4...
            X509v3 Authority Key Identifier:
                keyid:56:4D:A9...

apache-caclient-old.cer
Certificate:
    ...
        Validity
            Not Before: May 18 14:35:12 2005 GMT
            Not After : May 18 14:35:12 2009 GMT
    ...
        X509v3 extensions:
            X509v3 Key Usage: critical
                Certificate Sign, CRL Sign
    ...
            X509v3 Subject Key Identifier:
                87:1D:FC...
            X509v3 Authority Key Identifier:
                keyid:56:4D:A9...

But it doesn't work as is, issuing "signature verification error" in apache error logs ...

Is there something to be modified in Apache/Modssl conf ?

Thank you
Re: Generic question on CRL use

Gilles Cuesta wrote:
> 2008/6/16 Michael Ströder <michael@...>:
>> Gilles Cuesta wrote:
>>> So, at a time, we have 2 ClientCA with different key and different
>>> validity period, but same DN.
>> This is bad practice. Try searching for "CA key roll-over".
>
> I found docs about it, but proprietary PKI, and couldn't know if this
> feature is implemented ...

It's not a "feature"! Pretty sure there are docs out there describing best practices when conducting a CA key roll-over. One of the best practices is to change the subject DN of the CA entity cert.

>> You could try to add the authorityKeyIdentifier extension to the CRL if it's
>> also present in the CA certs. This could work with some software.
> X509v3 Authority Key Identifier:
> keyid:56:4D:A9...
>
> But it doesn't work asis, issuing "signature verification error" in
> apache error logs ...

Glad you learned so soon that it's better to rework your renewed sub-CA cert. ;-)

Ciao, Michael.
Re: Generic question on CRL use

On June 16, 2008 12:46:56 pm Gilles Cuesta wrote:
> 2008/6/16 Michael Ströder <michael@...>:
> > Gilles Cuesta wrote:
> >> So, at a time, we have 2 ClientCA with different key and different
> >> validity period, but same DN.
> >
> > This is bad practice. Try searching for "CA key roll-over".
>
> I found docs about it, but proprietary PKI, and couldn't know if this
> feature is implemented ...
>

and Stefan Santesson that goes into this.

Short answer is - you can do what you want, but it's REALLY tricky, and Michael is right - best practice is to version your CAs. (so the current one is CA1, the next one is CA2, etc.)

> >> The problem is, when verifying client cert work with both ClientCA
> >> stacked; but when using CRL, old clients work only if CRL is signed by
> >> old ClientCA.
> >
> > Well, you asked for trouble...
> >
> > You could try to add the authorityKeyIdentifier extension to the CRL if
> > it's also present in the CA certs. This could work with some software.
>
> Here we are :D
>

certificate, the crlIssuer field of the CRL DP - problem is that 90% of the software out there (Apache included) won't deal with it.

BTW: To handle the case that you are trying to do, there was a patch sent in by Erwann ABALEA from Keynectis to the OpenSSL Users mailing list in January/February this year, IIRC. Perhaps you could try that - you'd have to do some fairly exotic things to mod_ssl, mind you, to get it to work :)

I'm with Michael - stop using the same name each time. Version your CAs.

Have fun.

--
Patrick Patterson
President and Chief PKI Architect,
Carillon Information Security Inc.
http://www.carillon.ca
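The thread turns on one mechanism: a verifier that looks up a CRL's issuer by DN alone cannot tell two same-DN ClientCA generations apart, while the authorityKeyIdentifier (AKI) on the CRL, matched against each candidate's subjectKeyIdentifier (SKI), does. The example below is added here and is not code from the thread, from mod_ssl or from OpenSSL; it rebuilds the poster's situation with constructed data (two ClientCA certs sharing a DN but not a key, a CRL signed only by the newer one) and models the issuer lookup described in RFC 5280 section 6.3.3. It needs the third-party `cryptography` package; the DN "ClientCA", the validity periods, the revoked serial and the helper names are assumptions for the demo, and the CA certs are self-signed for brevity where the real ones hang under IntermediateCA.

```python
"""CRL issuer lookup with same-DN CA generations (added example, see lead-in).
Requires the third-party `cryptography` package."""
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

# Constructed DN shared by both ClientCA generations (the thread's "same DN").
CLIENT_CA_DN = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "ClientCA")])


def make_client_ca(not_before, years):
    """Build one ClientCA generation: fresh key, same DN, SKI from the key.
    Self-signed here (assumption); the parent CA does not affect CRL matching."""
    key = ec.generate_private_key(ec.SECP256R1())
    pub = key.public_key()
    cert = (
        x509.CertificateBuilder()
        .subject_name(CLIENT_CA_DN)
        .issuer_name(CLIENT_CA_DN)
        .public_key(pub)
        .serial_number(x509.random_serial_number())
        .not_valid_before(not_before)
        .not_valid_after(not_before + datetime.timedelta(days=365 * years))
        .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
        .add_extension(x509.KeyUsage(False, False, False, False, False,
                                     True, True, False, False), critical=True)
        .add_extension(x509.SubjectKeyIdentifier.from_public_key(pub), critical=False)
        .sign(key, hashes.SHA256())
    )
    return key, cert


def make_crl(signer_key, signer_cert, revoked_serials):
    """Issue a CRL under the signer's DN with an AKI naming the signing key."""
    now = datetime.datetime.now(datetime.timezone.utc)
    builder = (
        x509.CertificateRevocationListBuilder()
        .issuer_name(signer_cert.subject)
        .last_update(now)
        .next_update(now + datetime.timedelta(days=7))
        .add_extension(x509.AuthorityKeyIdentifier.from_issuer_public_key(
            signer_cert.public_key()), critical=False)
    )
    for serial in revoked_serials:
        builder = builder.add_revoked_certificate(
            x509.RevokedCertificateBuilder().serial_number(serial)
            .revocation_date(now).build())
    return builder.sign(signer_key, hashes.SHA256())


def issuers_by_name(crl, ca_certs):
    """Lookup by issuer DN only. With two same-DN generations this is ambiguous:
    a verifier that takes the first hit may try the wrong key and fail."""
    return [c for c in ca_certs if c.subject == crl.issuer]


def select_crl_issuer(crl, ca_certs):
    """DN match, then narrow by CRL AKI == candidate SKI, then check the signature."""
    try:
        aki = crl.extensions.get_extension_for_class(
            x509.AuthorityKeyIdentifier).value.key_identifier
    except x509.ExtensionNotFound:
        aki = None  # no AKI on the CRL: every same-DN candidate stays in play
    for cert in issuers_by_name(crl, ca_certs):
        if aki is not None:
            ski = cert.extensions.get_extension_for_class(
                x509.SubjectKeyIdentifier).value.digest
            if ski != aki:
                continue
        if crl.is_signature_valid(cert.public_key()):
            return cert
    return None


def build_demo():
    """Constructed PKI: old ClientCA, new ClientCA issued two years later,
    and one CRL signed by the new key that revokes a constructed serial."""
    start = datetime.datetime(2005, 5, 18, tzinfo=datetime.timezone.utc)
    old_key, old_ca = make_client_ca(start, 4)
    new_key, new_ca = make_client_ca(start + datetime.timedelta(days=730), 4)
    crl = make_crl(new_key, new_ca, [0x1001])
    return {"old_ca": old_ca, "new_ca": new_ca, "crl": crl}


if __name__ == "__main__":
    d = build_demo()
    stacked = [d["old_ca"], d["new_ca"]]  # old cert first, as in a stacked CA file
    print("same-DN candidates:", len(issuers_by_name(d["crl"], stacked)))
    print("CRL verifies with old key:", d["crl"].is_signature_valid(d["old_ca"].public_key()))
    print("AKI-selected issuer is new CA:", select_crl_issuer(d["crl"], stacked) == d["new_ca"])
```

Running it shows both CA certs matching on DN, the CRL signature failing against the old key (the "signature verification error" from the thread when a verifier stops at the first DN hit), and the AKI/SKI comparison picking the newer cert, against which the signature checks out. The defensive takeaway is the one both replies give: a verifier cannot be assumed to do the AKI narrowing, so giving each CA generation its own DN removes the ambiguity entirely.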