Chapter 8. Implementing a Certificate Revocation List

A Certificate Revocation List (CRL) is a list of certificates that have been revoked and should no longer be trusted. This chapter shows you how to implement a CRL in a Red Hat Update Infrastructure environment using OpenSSL and its x509 certificates.

Procedure 8.1. Implementing a CRL in a Red Hat Update Infrastructure environment

  1. Make a directory for a CRL:
    # mkdir /etc/pki/pulp/content/crl
    
  2. Create an index file with the following command:
    # touch /etc/pki/pulp/content/crl/index.txt
  3. Create a file for the CRL number. This file should contain the text 00 only.
    # echo 00 > /etc/pki/pulp/content/crl/pulp_crl_number
  4. In /etc/pulp/, create a crl_openssl.conf file with the following contents:
    # cat <<EOF > crl_openssl.conf
    # OpenSSL configuration for CRL generation
    #
    ####################################################################
    [ ca ]
    default_ca	= CA_default		# The default ca section
    
    ####################################################################
    [ CA_default ]
    database = /etc/pki/pulp/content/crl/index.txt
    crlnumber = /etc/pki/pulp/content/crl/pulp_crl_number
    
    
    default_days	= 365			# how long to certify for
    default_crl_days= 30			# how long before next CRL
    default_md	= default		# use public key default MD
    preserve	= no			# keep passed DN ordering
    
    ####################################################################
    [ crl_ext ]
    # CRL extensions.
    # Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
    # issuerAltName=issuer:copy
    authorityKeyIdentifier=keyid:always,issuer:always
    EOF
    
  5. Create the CRL file with the following command:
    # openssl ca -gencrl -keyfile /home/example/ca.key -cert /home/example/ca.crt -out /etc/pki/pulp/content/crl/pulp_crl.pem -config /etc/pulp/crl_openssl.conf

    Note

    The CA certificate and key must be the same ones that were used to create the client entitlement RPMs.

Procedure 8.2. Revoking a certificate

  1. Revoke a certificate with the following command:
    # openssl ca -revoke <Content certificate> -keyfile /home/example/ca.key -cert /home/example/ca.crt -config /etc/pulp/crl_openssl.conf

    Example 8.1. Revoking a certificate

    # openssl ca -revoke /tmp/dir/rhui-client.crt -keyfile /root/pem/ca.key -cert /root/pem/ca.crt -config /etc/pulp/crl_openssl.conf 
    Using configuration from /etc/pulp/admin/crl_openssl.conf
    Adding Entry with serial number 0102 to DB for /CN=Red Hat Update Infrastructure
    Revoking Certificate 0102.
    Data Base Updated
    
  2. Regenerate the CRL with the following command:
    # openssl ca -gencrl -keyfile /home/example/ca.key -cert /home/example/ca.crt -out /etc/pki/pulp/content/crl/pulp_crl.pem -config /etc/pulp/crl_openssl.conf
  3. Combine the CA certificate and the CRL into a single file to test against:
    # cat /home/example/ca.crt /etc/pki/pulp/content/crl/pulp_crl.pem > /tmp/test.pem
  4. Verify a certificate against the CRL with the following command:
    # openssl verify -extended_crl -verbose -CAfile /tmp/test.pem -crl_check <Content certificate>

    Note

    Error code 23 indicates that the certificate has been revoked. For other error codes, refer to openssl.org.
  5. In /etc/pki/pulp/content, create the hash-named symbolic link to the CRL with the following command:
    # ln -s crl/pulp_crl.pem `openssl crl -hash -noout -in crl/pulp_crl.pem`.r0
    
  6. Copy the CRL information to each CDS instance.
    # tar -cf - crl *.r0 | ssh root@fqdn_cds 'cd /etc/pki/pulp/content && tar -xvf -'
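The two procedures above, rehearsed end to end on a throwaway CA as an added example that is not part of the RHUI guide. It builds the CRL directory, index and number files and a matching crl_openssl.conf under a temporary directory, generates a demo CA and one client certificate as stand-ins for the entitlement CA and a content certificate (the names Demo RHUI CA and demo-client and every path under $WORK are constructed), issues an empty CRL, verifies the client certificate (OK), revokes it, regenerates the CRL and verifies again (error 23), and finally creates the hash-named .r0 link. Only the copy to the CDS instances is left out. It assumes the openssl command line tool is installed.

```shell
#!/bin/sh
# Added example, not from the RHUI guide: rehearse Procedures 8.1 and 8.2
# on a throwaway CA under a temporary directory. Every name and path here
# (Demo RHUI CA, demo-client, $WORK/...) is constructed for the example.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CRLDIR="$WORK/content/crl"          # stands in for /etc/pki/pulp/content/crl
CRL="$CRLDIR/pulp_crl.pem"
CONF="$WORK/crl_openssl.conf"       # stands in for /etc/pulp/crl_openssl.conf
CA_KEY="$WORK/ca.key"; CA_CRT="$WORK/ca.crt"

# Procedure 8.1 steps 1-4: CRL directory, empty index, CRL number 00, config.
prepare_crl_dir() {
    mkdir -p "$CRLDIR"
    touch "$CRLDIR/index.txt"
    echo 00 > "$CRLDIR/pulp_crl_number"
    cat > "$CONF" <<EOF
[ ca ]
default_ca = CA_default

[ CA_default ]
database = $CRLDIR/index.txt
crlnumber = $CRLDIR/pulp_crl_number
default_days = 365
default_crl_days = 30
default_md = sha256
preserve = no
# A [ crl_ext ] section like the guide's is only applied when this key is
# set; it is left unset here so the run does not depend on the CA cert
# carrying a subjectKeyIdentifier.
# crl_extensions = crl_ext
EOF
}

# Stand-ins for the CA that built the entitlement RPMs and for one content
# certificate. The CA gets cRLSign in keyUsage: a CA cert whose keyUsage
# lacks it makes openssl reject its CRLs (KEYUSAGE_NO_CRL_SIGN).
make_demo_ca_and_client() {
    cat > "$WORK/req.conf" <<EOF
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
[ dn ]
commonName = Common Name
[ v3_ca ]
basicConstraints = critical,CA:TRUE
subjectKeyIdentifier = hash
keyUsage = critical,keyCertSign,cRLSign
EOF
    openssl req -x509 -config "$WORK/req.conf" -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=Demo RHUI CA" -keyout "$CA_KEY" -out "$CA_CRT" 2>/dev/null
    openssl req -config "$WORK/req.conf" -newkey rsa:2048 -nodes \
        -subj "/CN=demo-client" -keyout "$WORK/client.key" -out "$WORK/client.csr" 2>/dev/null
    openssl x509 -req -days 365 -in "$WORK/client.csr" -CA "$CA_CRT" -CAkey "$CA_KEY" \
        -CAcreateserial -out "$WORK/client.crt" 2>/dev/null
}

# Procedure 8.1 step 5 and Procedure 8.2 step 2: (re)generate the CRL.
gen_crl() {
    openssl ca -gencrl -keyfile "$CA_KEY" -cert "$CA_CRT" -out "$CRL" -config "$CONF"
}

# Procedure 8.2 step 1: revoke a certificate (openssl adds it to index.txt).
revoke_cert() {
    openssl ca -revoke "$1" -keyfile "$CA_KEY" -cert "$CA_CRT" -config "$CONF"
}

# Procedure 8.2 steps 3-4: bundle CA cert + CRL, verify with CRL checking.
# Echoes openssl's verdict ("...: OK" or "error 23 ... certificate revoked").
verify_with_crl() {
    cat "$CA_CRT" "$CRL" > "$WORK/test.pem"
    openssl verify -extended_crl -verbose -CAfile "$WORK/test.pem" -crl_check "$1" 2>&1
}

# Procedure 8.2 step 5: hash-named symlink so -CApath lookups find the CRL.
link_crl_hash() {
    ( cd "$WORK/content" && ln -sf crl/pulp_crl.pem "$(openssl crl -hash -noout -in crl/pulp_crl.pem).r0" )
    ls "$WORK/content"/*.r0
}

prepare_crl_dir
make_demo_ca_and_client
gen_crl
BEFORE=$(verify_with_crl "$WORK/client.crt" || true)   # expect "...: OK"
revoke_cert "$WORK/client.crt"
gen_crl
AFTER=$(verify_with_crl "$WORK/client.crt" || true)    # expect error 23
HASHLINK=$(link_crl_hash)
printf 'before revocation: %s\nafter revocation: %s\nhash link: %s\n' "$BEFORE" "$AFTER" "$HASHLINK"
```

Two details worth keeping in mind when adapting this to the real environment: the guide's [ crl_ext ] section does nothing unless the CA_default section also contains `crl_extensions = crl_ext`, and `-crl_check` only checks the leaf certificate, whereas `-crl_check_all` checks every certificate in the chain.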