Self-Signed Certificate with CRL DP? Is this even possible?
I'm used to creating self-signed certificates for local use via:
openssl req -newkey rsa:2048 -nodes -keyout key.pem -x509 -days 365 -out certificate.pem
openssl pkcs12 -inkey key.pem -in certificate.pem -export -out certificate.p12
Today after a long meeting I have been asked to create a standard self-signed certificate with a CRL Distribution Point with no root CA. I always created certificates with a CRL DP based on a CA. How would you generate a CRL after creating a self-signed certificate with no CA? Is this even possible?
Tags: openssl, certificates
asked Nov 7 '17 at 22:28 by user156514 (edited by Rui F Ribeiro)
Certificates don't contain CRLs. They contain the address of a CRL distribution point. Or at least, that's what I've seen.
– AlexP, Nov 7 '17 at 22:35

Sorry, I meant the CRL Distribution Point. I'm not even sure how you would add one to a self-signed cert nor create the CRL that would be at the DP. I'll update my question.
– user156514, Nov 7 '17 at 22:39
1 Answer
When signing your certificate, use the -extfile option, where you should specify a file containing something like the following:
crlDistributionPoints=URI:http://example.com/crl.pem
To get to that, instead of creating a certificate directly with openssl, create a CSR (use the -new option with openssl req) and key, then generate the certificate following this example (using your own filenames and parameters, if desired):
openssl x509 -req -in cert.csr -out cert.pem -signkey key.pem -extfile crlfile.ext
You can verify the end result with:
openssl x509 -in cert.pem -noout -text
As a side note, this doesn't make sense to improve security. Such a CRL would need to be signed with the same key as the certificate, so that if the key is compromised, a new, clean CRL can be created and considered valid from the same compromised key.
To create a CRL with openssl you are supposed to use its CA functions, as described here. The difference would be that the CA key would be your cert key, and the revoked cert would be the certificate itself. As you can see, this was not supposed to work this way, even if you end up with a self-signed certificate with a CDP, and a "valid" CRL that is, actually, invalidating itself by revoking the certificate that signed it.
answered Nov 8 '17 at 1:12 by Zip, edited Nov 8 '17 at 2:53 (accepted answer)
You don't need to split req -new / x509 -req -signkey to get extensions; req -new -x509 does extensions from a config section selected either on the command line with -extensions or in the config file with x509_extensions=section (while x509 -req has only the command line, not the config file). (Note a CSR, not a cert, created with req -new (not -x509) is slightly different.) Concur with the main point: a CRLDP (also OCSP) for a root is useless.
– dave_thompson_085, Nov 8 '17 at 10:28

@Zip Thanks for the overview, same setup I was about to implement. The security issues I agree with, I can argue till I'm blue in the face with management and they do not see a problem. @dave_thompson_085 I have never tried the cmd line options before. Thanks for the pointer.
– user156514, Nov 8 '17 at 16:44
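The procedure from the answer and from dave_thompson_085's comment, carried through end to end as an added example (this is not code from the original post or from OpenSSL's documentation). It builds the self-signed certificate with a crlDistributionPoints extension in one step (req -x509 with -extensions), issues a CRL signed by the same key through the openssl ca machinery, revokes the certificate with its own CRL, and then shows the point the answer makes: whoever holds the private key can simply publish a clean CRL again. It assumes openssl 1.1.1 or newer on PATH; the CDP URL is the answer's placeholder and is never fetched; the subject CN, the file names, the config section names and the temporary directory are all invented for the example.

```sh
#!/bin/sh
# Added example, not code from the original post or from OpenSSL's docs.
# Assumptions: openssl 1.1.1+ on PATH; http://example.com/crl.pem is the
# placeholder CDP from the answer and is never fetched; CN, file names and
# section names are made up for this example.
set -eu

CDP_URL="http://example.com/crl.pem"

# One config file serves both `req -x509` (certificate extensions) and
# `openssl ca` (CRL issuance). Everything lives under the directory in $1.
write_config() {
    dir=$1
    cat > "$dir/openssl.cnf" <<EOF
[ req ]
prompt = no
distinguished_name = req_dn

[ req_dn ]

# Extensions for the self-signed certificate. keyCertSign lets it act as
# its own issuer; cRLSign is required or libssl rejects a CRL it signed.
[ v3_self ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, digitalSignature, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
crlDistributionPoints = URI:$CDP_URL

[ ca ]
default_ca = self_ca

# The "CA" is the self-signed certificate and its own private key.
[ self_ca ]
dir = $dir
database = \$dir/index.txt
new_certs_dir = \$dir
serial = \$dir/serial
crlnumber = \$dir/crlnumber
certificate = \$dir/cert.pem
private_key = \$dir/key.pem
default_md = sha256
default_crl_days = 30
policy = policy_any

[ policy_any ]
commonName = supplied
EOF
    : > "$dir/index.txt"        # empty issuance database
    echo 1000 > "$dir/serial"
    echo 1000 > "$dir/crlnumber"
}

# Self-signed certificate in one step: `req -x509` applies the named
# extension section directly, so no CSR + `x509 -req -extfile` round trip.
make_self_signed_with_cdp() {
    openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj "/CN=selfsigned.example" \
        -keyout "$1/key.pem" -out "$1/cert.pem" \
        -config "$1/openssl.cnf" -extensions v3_self 2>/dev/null
}

# Print the CDP URI the certificate carries (empty output if there is none).
cert_cdp() {
    openssl x509 -in "$1/cert.pem" -noout -text \
        | sed -n 's/^[[:space:]]*URI:\([^[:space:]]*\).*/\1/p'
}

# Issue (or reissue) a CRL signed with the certificate's own key.
make_crl() {
    openssl ca -config "$1/openssl.cnf" -gencrl -out "$1/crl.pem" 2>/dev/null
}

# Revoke the certificate itself and reissue the CRL, as the answer describes.
revoke_self() {
    openssl ca -config "$1/openssl.cnf" -revoke "$1/cert.pem" 2>/dev/null
    make_crl "$1"
}

# Exit 0 if the certificate passes CRL checking against its own CRL,
# non-zero otherwise (openssl reports "certificate revoked").
verify_with_crl() {
    openssl verify -crl_check -CAfile "$1/cert.pem" -CRLfile "$1/crl.pem" \
        "$1/cert.pem" >/dev/null 2>&1
}

# What a holder of the (possibly stolen) private key can do: wipe the
# revocation database and publish a clean CRL that validators accept.
reissue_clean_crl() {
    : > "$1/index.txt"
    make_crl "$1"
}

demo() {
    dir=$(mktemp -d)
    write_config "$dir"
    make_self_signed_with_cdp "$dir"
    echo "CDP in certificate: $(cert_cdp "$dir")"
    make_crl "$dir"
    verify_with_crl "$dir" && echo "fresh CRL: verify OK"
    revoke_self "$dir"
    verify_with_crl "$dir" || echo "self-revoked: verify fails (certificate revoked)"
    reissue_clean_crl "$dir"
    verify_with_crl "$dir" && echo "clean CRL from the same key: verify OK again"
    rm -rf "$dir"
}
demo
```

Run it with sh and watch the three verify lines: the CRL is honoured as long as the key that signed the certificate also signs the CRL, which is exactly why revocation here proves nothing once that key is in someone else's hands. The keyUsage line is the one detail that is easy to miss: without cRLSign, openssl verify rejects the CRL with a key-usage error before it ever reads the revoked serials.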