Estou tentando fazer um exemplo funcionar com a CRL indireta. Mas quando eu tento verificar isso com o comando openssl verify, eu recebo "impossível obter o certificado CRL" ou "Diferente escopo da CRL".
A questão é:
A árvore PKI é assim:
ca | -------------------------------- | | | a-td b-td ta | | | client_cert server_cert crl
A idéia é que o TA atua como um emissor de LCR e cria uma LCR indireta para revogar certificados de clientes.
Para testar isso, eu uso a ferramenta de verificação openssl da seguinte forma:
openssl verify -crl_check \
-CAfile <(cat ca.pem b-td.pem) \
-untrusted <(cat ta.pem ta.crl) \
-extended_crl client1.pem
Que resulta em "não é possível obter o certificado CRL".
Quando adiciono a CRL à cadeia CAfile, recebo "Escopo da CRL diferente".
openssl verify -crl_check \
-CAfile <(cat ca.pem b-td.pem ta.pem ta.crl) \
-extended_crl client1.pem
Eu listo aqui também os detalhes do a-td.pem, ta.pem, client.pem e CRL.
# a-td.pem Certificate: Data: Version: 1 (0x0) Serial Number: 2 (0x2) Signature Algorithm: sha1WithRSAEncryption Issuer: C=US, O=Test, OU=Test Certificate Authority, CN=Test Root C-TA Validity Not Before: Nov 29 16:07:40 2017 GMT Not After : Nov 29 16:07:40 2027 GMT Subject: C=US, O=Test, CN=Test Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (2048 bit) Modulus: ... Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Key Usage: critical Certificate Sign, CRL Sign X509v3 Basic Constraints: critical CA:TRUE, pathlen:0 X509v3 Subject Key Identifier: 92:D9:C4:68:BF:EA:D7:41:64:C1:92:A3:00:A0:09:06:5F:B4:61:07
# ta.pem Certificate: Data: Version: 1 (0x0) Serial Number: 4 (0x4) Signature Algorithm: sha1WithRSAEncryption Issuer: C=US, O=Test, OU=Test Certificate Authority, CN=Test Root C-TA Validity Not Before: Nov 29 16:45:03 2017 GMT Not After : Nov 29 16:45:03 2027 GMT Subject: C=US, O=Test, CN=Test Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (2048 bit) Modulus:... Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Key Usage: critical CRL Sign X509v3 Basic Constraints: critical CA:TRUE, pathlen:0 X509v3 Subject Key Identifier: F1:FC:12:14:1E:93:D0:FA:9E:A6:01:D9:1D:33:BE:70:BD:79:80:FC X509v3 Subject Alternative Name: URI:http://localhost/crl/ta.crl X509v3 CRL Distribution Points: Full Name: URI:http://localhost/crl/ta.crl
# client.pem Certificate: Data: Version: 1 (0x0) Serial Number: 1 (0x1) Signature Algorithm: sha1WithRSAEncryption Issuer: C=US, O=Test, CN=Test Validity Not Before: Nov 29 16:45:04 2017 GMT Not After : Nov 29 16:45:04 2019 GMT Subject: C=US, O=Test, CN=Test Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (2048 bit) Modulus: ... Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Key Usage: critical Digital Signature X509v3 Extended Key Usage: TLS Web Client Authentication X509v3 Subject Key Identifier: CB:CA:EA:1D:3D:A3:4E:D6:88:26:28:31:70:38:18:19:5C:8E:E0:B6
# ta.crl Certificate Revocation List (CRL): Version 2 (0x1) Signature Algorithm: sha1WithRSAEncryption Issuer: /C=US/O=Test/CN=Test Last Update: Nov 29 16:45:04 2017 GMT Next Update: Nov 30 16:45:04 2017 GMT CRL extensions: X509v3 Issuing Distrubution Point: critical Full Name: URI:http://localhost/crl/ta.crl Indirect CRL X509v3 CRL Number: 1 No Revoked Certificates.