OpenSSL command line Root and Intermediate CA including OCSP, CRL and revocation

Published: 03-03-2015 Last update: 17-12-2018 Author: Remy van Elst


These are quick and dirty notes on generating a certificate authority (CA), intermediate certificate authorities and end certificates using OpenSSL. It includes OCSP, CRL and CA Issuer information and specific issue and expiry dates.

We'll set up our own root CA. We'll use the root CA to generate an example intermediate CA. We'll use the intermediate CA to sign end user certificates.


  • 31-03-2015: initial article
  • 17-12-2018: update to fix a few command / file paths

Root CA

Create a folder for the root CA and move into it:

Generate an 8192-bit RSA key for our root CA (certificates will be signed with SHA-256):


Example output:

If you want to password-protect this key, add the option -aes256.

Create the self-signed root CA certificate ca.crt; you'll need to provide an identity for your root CA:

Example output:

Create a few files where the CA will store its serial numbers:

Place the CA config file. This file has stubs for CRL and OCSP endpoints.

If you need to set a specific certificate start / expiry date, add the following to [myca]

Creating Intermediate 1 CA

Generate the intermediate CA's private key:

Generate the intermediate1 CA's CSR:

Example output:

Make sure the subject (CN) of the intermediate is different from the root.

Sign the intermediate1 CSR with the Root CA:

Example Output:

Generate the CRL (both in PEM and DER):

Generate the CRL after every certificate you sign with the CA.

If you ever need to revoke this intermediate cert:

Configuring the Intermediate CA 1

Create a new folder for this intermediate and move into it:

Copy the Intermediate cert and key from the Root CA:

Create the index files:

Create a new ca.conf file:

Change the [alt_names] section to whatever you need as Subject Alternative Names. Remove it, including the subjectAltName = @alt_names line, if you don't want a Subject Alternative Name.


If you need to set a specific certificate start / expiry date, add the following to [myca]

Generate an empty CRL (both in PEM and DER):

If openssl complains here that it cannot find a file (certindex.attr), that can happen; we'll retry these commands after you've signed your first end user certificate.

Creating end user certificates

We use this new intermediate CA to generate an end user certificate. Repeat these steps for every end user certificate you want to sign with this CA.

Generate the end user's private key:

Generate the end user's CSR:

Example output:

Sign the end user's CSR with the Intermediate 1 CA:

Example output:


Generate the CRL (both in PEM and DER):

Generate the CRL after every certificate you sign with the CA.

If you ever need to revoke this end user's cert:

Example output:

Create the certificate chain file by concatenating the Root and Intermediate 1 certificates together.

Send the following files to the end user:

You can also let the end user supply their own CSR and just send them the .crt file. Do not delete it from the server; without it you cannot revoke the certificate.

Validating the certificate

You can validate the end user certificate against the chain using the following command:

You can also validate it against the CRL. Concatenate the PEM CRL and the chain together first:

Verify the certificate:


Output when not revoked:

Output when revoked:
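The whole procedure above, run end to end in one script. This is an added example written for this page, not the article's own commands or ca.conf: it builds the root CA, an intermediate signed by it and an end user certificate signed by the intermediate, generates each CA's CRL in PEM and DER, revokes the end user certificate, and verifies it against the chain-plus-CRL bundle with openssl verify, first before and then after the revocation. The CA names, the hostnames (pki.example.com, ocsp.example.com, www.example.com) and the scratch directory are placeholders; the CRL and OCSP URLs are stubs in the same spirit as the article's config; keys are 2048-bit so the run stays short, where the article uses 8192 bits for the root.

```shell
#!/bin/sh
# Added example, not the article's own commands: root CA -> intermediate CA ->
# end user cert, CRLs in PEM and DER, revocation and verification, in a scratch dir.
set -eu
PKI="$(mktemp -d)"; trap 'rm -rf "$PKI"' EXIT
ROOT="$PKI/root"; INT="$PKI/intermediate1"; USR="$PKI/enduser"

# write_ca_conf DIR CRLNAME: index/serial files plus a minimal "openssl ca" config
# for DIR. CRL and OCSP URLs are placeholder stubs, like the article's ca.conf.
write_ca_conf() {
  mkdir -p "$1/newcerts"; touch "$1/certindex" "$1/certindex.attr"   # .attr present: no gencrl hiccup
  echo 1000 > "$1/certserial"; echo 1000 > "$1/crlnumber"
  cat > "$1/ca.conf" <<EOF
[ ca ]
default_ca = myca
[ myca ]
new_certs_dir    = $1/newcerts
certificate      = $1/ca.crt
private_key      = $1/ca.key
database         = $1/certindex
serial           = $1/certserial
crlnumber        = $1/crlnumber
unique_subject   = no
default_days     = 365
# default_startdate / default_enddate (YYMMDDHHMMSSZ) here pin a fixed validity window instead
default_crl_days = 30
default_md       = sha256
policy           = myca_policy
x509_extensions  = ca_ext
[ myca_policy ]
commonName = supplied
[ req ]
distinguished_name = req_dn
[ req_dn ]
commonName = Common Name
[ ca_ext ]
basicConstraints       = critical,CA:TRUE
keyUsage               = critical,keyCertSign,cRLSign
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always
crlDistributionPoints  = URI:http://pki.example.com/$2.crl
authorityInfoAccess    = OCSP;URI:http://ocsp.example.com
[ leaf_ext ]
basicConstraints       = CA:FALSE
keyUsage               = critical,digitalSignature,keyEncipherment
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always
subjectAltName         = DNS:www.example.com
crlDistributionPoints  = URI:http://pki.example.com/$2.crl
authorityInfoAccess    = OCSP;URI:http://ocsp.example.com
EOF
}
# CRL for the CA in DIR, PEM then DER; rerun after every signing or revocation.
gen_crl() {
  openssl ca -config "$1/ca.conf" -gencrl -out "$1/ca.crl.pem"
  openssl crl -inform PEM -in "$1/ca.crl.pem" -outform DER -out "$1/ca.crl"
}
build_pki() {
  write_ca_conf "$ROOT" root
  openssl genrsa -out "$ROOT/ca.key" 2048 2>/dev/null      # article: 8192 bits
  openssl req -new -x509 -config "$ROOT/ca.conf" -extensions ca_ext -sha256 -days 3650 \
    -key "$ROOT/ca.key" -subj "/CN=Example Root CA" -out "$ROOT/ca.crt"
  # Intermediate: a CN different from the root, signed by the root with the CA profile.
  write_ca_conf "$INT" intermediate1
  openssl genrsa -out "$INT/ca.key" 2048 2>/dev/null
  openssl req -new -config "$INT/ca.conf" -sha256 -key "$INT/ca.key" -subj "/CN=Example Intermediate CA 1" -out "$INT/ca.csr"
  openssl ca -batch -notext -config "$ROOT/ca.conf" -in "$INT/ca.csr" -out "$INT/ca.crt"
  gen_crl "$ROOT"
  # End user certificate, signed by the intermediate with the non-CA profile (leaf_ext).
  mkdir -p "$USR"; openssl genrsa -out "$USR/enduser.key" 2048 2>/dev/null
  openssl req -new -config "$INT/ca.conf" -sha256 -key "$USR/enduser.key" -subj "/CN=www.example.com" -out "$USR/enduser.csr"
  openssl ca -batch -notext -config "$INT/ca.conf" -extensions leaf_ext -in "$USR/enduser.csr" -out "$USR/enduser.crt"
  gen_crl "$INT"
  cat "$ROOT/ca.crt" "$INT/ca.crt" > "$USR/chain.pem"     # chain file sent to the end user
}
# Verify the end user cert against chain + both PEM CRLs; prints ok, revoked or failed.
verify_enduser() {
  cat "$USR/chain.pem" "$ROOT/ca.crl.pem" "$INT/ca.crl.pem" > "$USR/chain-with-crl.pem"
  if out="$(openssl verify -crl_check_all -CAfile "$USR/chain-with-crl.pem" "$USR/enduser.crt" 2>&1)"; then
    echo ok
  elif printf '%s\n' "$out" | grep -q 'certificate revoked'; then
    echo revoked
  else
    echo "failed: $out"
  fi
}
revoke_enduser() {
  openssl ca -config "$INT/ca.conf" -revoke "$USR/enduser.crt"
  gen_crl "$INT"   # revocation only updates the index until the CRL is regenerated
}
crl_revoked_count() {   # number of revoked entries listed in DIR's CRL
  openssl crl -in "$1/ca.crl.pem" -noout -text | grep -c 'Serial Number:' || true
}
build_pki
BEFORE="$(verify_enduser)"; revoke_enduser; AFTER="$(verify_enduser)"
echo "before revocation: $BEFORE"; echo "after revocation: $AFTER"
```

The bundle carries both CRLs because -crl_check_all checks every certificate in the chain, not just the end user certificate (which plain -crl_check does); if either CRL is missing, verification fails with an "unable to get certificate CRL" error rather than "ok". Note also the order of operations in revoke_enduser: -revoke only marks the entry in certindex, and until -gencrl is rerun and the new CRL is distributed, verifiers still see the old, clean CRL.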

Tags: ca, certificate, crl, ocsp, openssl, pki, revocation, ssl, tls, tutorials
