Chapter 8. Implementing a Certificate Revocation List
A Certificate Revocation List (CRL) is a list of certificates that the issuing CA has revoked and that must no longer be trusted. This chapter shows you how to implement a CRL in a Red Hat Update Infrastructure environment using the OpenSSL command-line tools and the X.509 CA certificate and key used for client entitlement certificates.
Procedure 8.1. Implementing a CRL in a Red Hat Update Infrastructure environment
- Make a directory for a CRL:
# mkdir /etc/pki/pulp/content/crl
- Create an index file with the following command:
# touch /etc/pki/pulp/content/crl/index.txt
- Create a file for the CRL number. This file should contain the text 00 only:
# echo 00 > /etc/pki/pulp/content/crl/pulp_crl_number
- In /etc/pulp/, create a crl_openssl.conf file with the following contents:
cat <<EOF > crl_openssl.conf
# OpenSSL configuration for CRL generation
#
####################################################################
[ ca ]
default_ca      = CA_default            # The default ca section

####################################################################
[ CA_default ]
database        = /etc/pki/pulp/content/crl/index.txt
crlnumber       = /etc/pki/pulp/content/crl/pulp_crl_number
default_days    = 365                   # how long to certify for
default_crl_days= 30                    # how long before next CRL
default_md      = default               # use public key default MD
preserve        = no                    # keep passed DN ordering

####################################################################
[ crl_ext ]
# CRL extensions.
# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
# issuerAltName=issuer:copy
authorityKeyIdentifier=keyid:always,issuer:always
EOF
- Create the CRL file with the following command:
# openssl ca -gencrl -keyfile /home/example/ca.key -cert /home/example/ca.crt -out /etc/pki/pulp/content/crl/pulp_crl.pem -config /etc/pulp/crl_openssl.conf
Note
The CA certificate and key must be the same ones used to create the client entitlement RPMs; a CRL signed by any other key is ignored during verification.
Procedure 8.2. Revoking a certificate
- Revoke a certificate with the following command:
# openssl ca -revoke <Content certificate> -keyfile /home/example/ca.key -cert /home/example/ca.crt -config /etc/pulp/crl_openssl.conf
Example 8.1. Example Revoking Certificate
# openssl ca -revoke /tmp/dir/rhui-client.crt -keyfile /root/pem/ca.key -cert /root/pem/ca.crt -config /etc/pulp/crl_openssl.conf
Using configuration from /etc/pulp/crl_openssl.conf
Adding Entry with serial number 0102 to DB for /CN=Red Hat Update Infrastructure
Revoking Certificate 0102.
Data Base Updated
- Regenerate the CRL with the following command (a revocation takes effect only once a new CRL is published):
# openssl ca -gencrl -keyfile /home/example/ca.key -cert /home/example/ca.crt -out /etc/pki/pulp/content/crl/pulp_crl.pem -config /etc/pulp/crl_openssl.conf
- Create a test bundle containing the CA certificate and the CRL with the following command:
# cat /home/example/ca.crt /etc/pki/pulp/content/crl/pulp_crl.pem > /tmp/test.pem
- Verify a content certificate against the CRL with the following command:
# openssl verify -extended_crl -verbose -CAfile /tmp/test.pem -crl_check <Content certificate>
Note
Error code 23 (X509_V_ERR_CERT_REVOKED, printed as "certificate revoked") indicates the certificate has been revoked. For the other verification error codes, refer to openssl.org.
- In /etc/pki/pulp/content, create the CRL hash link with the following command:
# ln -s crl/pulp_crl.pem `openssl crl -hash -noout -in crl/pulp_crl.pem`.r0
- Copy the CRL and its hash link to each CDS instance, replacing fqdn_cds with the fully qualified host name of the CDS:
# tar -cf - crl *.r0 | ssh root@fqdn_cds 'cd /etc/pki/pulp/content && tar -xvf -'
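The following script is an added example, not part of this guide and not Red Hat tooling: it runs Procedures 8.1 and 8.2 end to end against a throwaway CA in a temporary directory and checks that openssl verify -crl_check rejects the revoked client certificate with error 23 while still accepting an unrevoked one. It assumes only a POSIX shell and the openssl binary; $WORK/content stands in for /etc/pki/pulp/content, $WORK/ca.key and $WORK/ca.crt for /home/example/ca.key and ca.crt, and the "Demo RHUI CA" and "rhui-client-*" names are invented for the demo.

```shell
#!/bin/sh
# Added example (not from the RHUI documentation): run Procedures 8.1 and 8.2
# against a throwaway CA and confirm the CRL actually blocks the revoked cert.
# $WORK/content stands in for /etc/pki/pulp/content; all names are made up.

crl_demo() {
    command -v openssl >/dev/null 2>&1 || { echo "openssl not installed, skipping"; return 77; }
    WORK=$(mktemp -d) || return 1
    CRLDIR="$WORK/content/crl"

    # Procedure 8.1, steps 1-3: CRL directory, empty index, CRL number "00"
    mkdir -p "$CRLDIR"
    touch "$CRLDIR/index.txt"
    echo 00 > "$CRLDIR/pulp_crl_number"

    # Step 4: the same sections as the page's crl_openssl.conf, with demo paths
    cat > "$WORK/crl_openssl.conf" <<EOF
[ ca ]
default_ca       = CA_default

[ CA_default ]
database         = $CRLDIR/index.txt
crlnumber        = $CRLDIR/pulp_crl_number
default_days     = 365
default_crl_days = 30
default_md       = default
preserve         = no

[ crl_ext ]
authorityKeyIdentifier=keyid:always,issuer:always
EOF

    # Throwaway CA plus two client certificates signed by it (demo only)
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 30 -subj "/CN=Demo RHUI CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" >/dev/null 2>&1 || return 1
    for name in rhui-client-a rhui-client-b; do
        openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$name" \
            -keyout "$WORK/$name.key" -out "$WORK/$name.csr" >/dev/null 2>&1 || return 1
        openssl x509 -req -in "$WORK/$name.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
            -CAcreateserial -days 30 -out "$WORK/$name.crt" >/dev/null 2>&1 || return 1
    done

    # Step 5: initial (empty) CRL
    openssl ca -gencrl -keyfile "$WORK/ca.key" -cert "$WORK/ca.crt" \
        -out "$CRLDIR/pulp_crl.pem" -config "$WORK/crl_openssl.conf" || return 1

    # Procedure 8.2, steps 1-2: revoke client A, then regenerate the CRL
    openssl ca -revoke "$WORK/rhui-client-a.crt" -keyfile "$WORK/ca.key" \
        -cert "$WORK/ca.crt" -config "$WORK/crl_openssl.conf" || return 1
    openssl ca -gencrl -keyfile "$WORK/ca.key" -cert "$WORK/ca.crt" \
        -out "$CRLDIR/pulp_crl.pem" -config "$WORK/crl_openssl.conf" || return 1

    # Steps 3-4: CA cert + CRL test bundle, then verify both client certs
    cat "$WORK/ca.crt" "$CRLDIR/pulp_crl.pem" > "$WORK/test.pem"
    out_a=$(openssl verify -extended_crl -verbose -CAfile "$WORK/test.pem" \
        -crl_check "$WORK/rhui-client-a.crt" 2>&1 || true)
    out_b=$(openssl verify -extended_crl -verbose -CAfile "$WORK/test.pem" \
        -crl_check "$WORK/rhui-client-b.crt" 2>&1 || true)
    echo "$out_a"; echo "$out_b"
    echo "$out_a" | grep -q "error 23 at 0 depth" || { echo "revoked cert was accepted"; return 1; }
    echo "$out_b" | grep -q ": OK" || { echo "valid cert was rejected"; return 1; }

    # The revoked serial must appear in the CRL's revoked-certificate list
    serial=$(openssl x509 -noout -serial -in "$WORK/rhui-client-a.crt" | cut -d= -f2)
    openssl crl -noout -text -in "$CRLDIR/pulp_crl.pem" | grep -q "Serial Number: $serial" || return 1

    # Step 5: the <issuer-hash>.r0 link that OpenSSL -CApath lookups expect
    ( cd "$WORK/content" && ln -s crl/pulp_crl.pem "$(openssl crl -hash -noout -in crl/pulp_crl.pem).r0" ) || return 1
    openssl crl -noout -in "$WORK"/content/*.r0 || return 1

    rm -rf "$WORK"
    echo "CRL demo OK: serial $serial revoked, rhui-client-b still valid"
}

crl_demo
```

Two caveats the script makes visible: crl_demo returns 77 rather than failing when openssl is absent, so a missing binary is distinguishable from a broken CRL; and, exactly as in the stock openssl.cnf, the [ crl_ext ] section is defined but not referenced, so OpenSSL applies it (and adds authorityKeyIdentifier to the CRL) only if [ CA_default ] also contains crl_extensions = crl_ext.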
