August 12, 2005

Revoking X.509 certificates for fun and profit

I needed to find out how to revoke some of the certificates we’re using for our IPsec VPN. Turns out it’s pretty easy with openssl ca:

  1. Find the certificate that you want to revoke. You have to have the certificate itself. When you use a setup akin to that used by the CA script that ships with OpenSSL, you should have a newcerts directory (i.e., demoCA/newcerts by default). index.txt holds information about which file in that directory corresponds to which certificate.
  2. Now that you’ve got the certificate file, openssl ca -config conf/openssl.cnf -revoke newcerts/XX.pem. newcerts/XX.pem is the certificate you want to revoke. If you have your own configuration file, specify it like above; otherwise, leave that parameter off. I find it useful to make my own configuration file to say where the CA root directory is located.
  3. I’m guessing that you can do the above for each certificate you want to revoke, and then…
  4. Generate the certificate revocation list (CRL) with openssl ca -config conf/openssl.cnf -gencrl -out crl.pem. Same instructions apply WRT -config. I’m pretty sure this CRL will contain information about every certificate you’ve ever revoked within this CA, not just the certificates you revoked in steps 2-3.

Now you’ve got a CRL in crl.pem. For FreeS/WAN and variants (search engine words: OpenSwan, strongSwan) toss crl.pem in /etc/ipsec.d/crls and ipsec auto --rereadcrls.
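The lookup in step 1 is the fiddly part, so here is an added example (mine, not from the original post) that reads the OpenSSL CA database index.txt to find the newcerts/<serial>.pem file for a subject, skipping entries already marked revoked, and then wraps steps 2 and 4. The CA directory, the config path and the sample index entries are constructed for the demonstration.

```shell
#!/bin/sh
# Constructed sample index.txt in the stock OpenSSL CA format. Fields are
# TAB-separated: status (V=valid, R=revoked, E=expired), expiry, revocation
# date (empty unless revoked), serial, filename, subject.
SAMPLE_INDEX=$(mktemp)
printf 'V\t260812120000Z\t\t01\tunknown\t/CN=vpn-gw.example.net\n' >> "$SAMPLE_INDEX"
printf 'R\t260812120000Z\t050810093000Z\t02\tunknown\t/CN=alice.example.net\n' >> "$SAMPLE_INDEX"
printf 'V\t260812120000Z\t\t03\tunknown\t/CN=bob.example.net\n' >> "$SAMPLE_INDEX"

# find_cert INDEX SUBJECT_SUBSTRING CA_DIR
# Prints CA_DIR/newcerts/<serial>.pem for every still-valid (status V)
# certificate whose subject contains SUBJECT_SUBSTRING. Revoked (R) rows are
# skipped, so re-running this after a revocation finds nothing to do.
find_cert() {
  awk -F'\t' -v pat="$2" -v dir="$3" \
    '$1 == "V" && index($6, pat) { print dir "/newcerts/" $4 ".pem" }' "$1"
}

# revoke_and_gencrl CONFIG CERT_PATH...
# Steps 2 and 4 of the post: revoke each certificate, then regenerate the
# CRL into crl.pem. Only run this against a real CA directory; it needs
# the openssl binary and the CA's private key.
revoke_and_gencrl() {
  cfg=$1; shift
  for cert in "$@"; do
    openssl ca -config "$cfg" -revoke "$cert" || return 1
  done
  openssl ca -config "$cfg" -gencrl -out crl.pem || return 1
  # Show the lastUpdate/nextUpdate dates so you can see when the CRL goes stale.
  openssl crl -in crl.pem -noout -lastupdate -nextupdate
}

# Demonstration run against the constructed index; /path/to/ca is a placeholder.
find_cert "$SAMPLE_INDEX" example.net /path/to/ca
```

Feed the paths printed by find_cert to revoke_and_gencrl with your own openssl.cnf to perform the actual revocation.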

There is a CRL update date in each CRL. I’m not sure how important this is: will I get warnings that the CRL needs to be updated? Will the CRL actually stop working when it’s out of date? (That seems dumb, so let’s hope that’s not the behavior: better to have stale revocations rather than forgetting about all revocations.)