Generic question on CRL use

#1
06-16-2008
Gilles Cuesta
Generic question on CRL use

Hi all,

new on the list, and not a tricky question :D

We use client cert authentication at our office; there is a CA chain
like this:

BigCA (self signed)
IntermediateCA (signed by BigCA)
ServerCert (signed by IntermediateCA) used by Apache/modssl
ClientCA (signed by IntermediateCA)
many clients (signed by ClientCA)

- ClientX has 1 year validity
- ClientCA has 4 years validity, but is replaced at half life (2 years),
so ClientX certs signed by the old ClientCA version remain valid until
expiration.
- The CRL is signed by the recent ClientCA

So, at a given time, we have 2 ClientCAs with different keys and different
validity periods, but the same DN.

The problem is, verifying client certs works with both ClientCAs
stacked; but when using a CRL, old clients work only if the CRL is signed by
the old ClientCA.

1/ Is it RFC compliant, and if not, why (reference?)
2/ If it is RFC compliant, why does OpenSSL not handle this?

Thanks for all the help you can provide.
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org

#2
06-16-2008
Michael Ströder
Re: Generic question on CRL use

Gilles Cuesta wrote:
> So, at a time, we have 2 ClientCA with different key and different
> validity period, but same DN.


This is bad practice. Try searching for "CA key roll-over".

> The problem is, when verifying client cert work with both ClientCA
> stacked; but when using CRL, old clients work only if CRL is signed by
> old ClientCA.


Well, you asked for trouble...

You could try to add the authorityKeyIdentifier extension to the CRL if
it's also present in the CA certs. This could work with some software.

But my strong recommendation: Fix your 2nd ClientCA cert.

Ciao, Michael.
#3
06-16-2008
Gilles Cuesta
Re: Generic question on CRL use

2008/6/16 Michael Ströder <michael@stroeder.com>:
> Gilles Cuesta wrote:
>>
>> So, at a time, we have 2 ClientCA with different key and different
>> validity period, but same DN.

>
> This is bad practice. Try searching for "CA key roll-over".


I found docs about it, but for proprietary PKIs, and couldn't tell if this
feature is implemented ...

>
>> The problem is, when verifying client cert work with both ClientCA
>> stacked; but when using CRL, old clients work only if CRL is signed by
>> old ClientCA.

>
> Well, you asked for trouble...
>
> You could try to add the authorityKeyIdentifier extension to the CRL if it's
> also present in the CA certs. This could work with some software.
>


Here we are :D

apache.crl
Certificate Revocation List (CRL):
Version 2 (0x1)
....
X509v3 Authority Key Identifier:
keyid:B8:85:B4...

apache-caclient.cer
Certificate:
....
Validity
Not Before: Feb 29 12:23:38 2007 GMT
Not After : Feb 29 12:23:58 2011 GMT
....
X509v3 Key Usage: critical
Certificate Sign, CRL Sign
....
X509v3 Subject Key Identifier:
B8:85:B4...
X509v3 Authority Key Identifier:
keyid:56:4D:A9...

apache-caclient-old.cer
Certificate:
....
Validity
Not Before: May 18 14:35:12 2005 GMT
Not After : May 18 14:35:12 2009 GMT
....
X509v3 extensions:
X509v3 Key Usage: critical
Certificate Sign, CRL Sign
....
X509v3 Subject Key Identifier:
87:1D:FC...
X509v3 Authority Key Identifier:
keyid:56:4D:A9...

But it doesn't work as is, giving "signature verification error" in the
Apache error logs ...

Is there something to be modified in the Apache/mod_ssl conf?

Thank you
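The lookup failure in the two posts above, as an added example that is not part of the thread and not the poster's or mod_ssl's code: a Go program using only the standard library (Go's crypto/x509 does no CRL processing of its own, so the issuer selection is written by hand here). It builds two "ClientCA" certificates with the same subject but different keys under one root, issues a client certificate under the old key and a CRL under the new key, and then shows three things: a name-only lookup of the CRL issuer returns both CA certificates; checking the CRL signature against the first (old-key) one fails, which is the "signature verification error" reported above; and filtering the name matches by the CRL's authorityKeyIdentifier against the CA certificates' subjectKeyIdentifier selects the key that actually signed it. RFC 5280 section 5.2.1 requires conforming CRL issuers to include that extension for exactly this situation (an issuer with more than one signing key, for instance during changeover), so a CRL like the one dumped above is well-formed; whether a given verifier consults the extension when choosing the key is an implementation matter, which is the question the thread leaves open. The CA names, the key type (Ed25519), the validity periods and the store order are assumptions for the illustration, not the poster's PKI.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha1"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Constructed test data: throw-away keys and certificates generated at run time to mirror the thread
// (two "ClientCA" certs with one subject and two keys, a client under the old key, a CRL under the new).

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

var lastSerial int64 = 1000
// issue signs a certificate for key under parent (self-signed when parent is nil); the SKID is
// SHA-1 over the DER public key, RFC 5280 4.2.1.2 method (1).
func issue(cn string, isCA bool, key ed25519.PrivateKey, parent *x509.Certificate, parentKey ed25519.PrivateKey) *x509.Certificate {
	lastSerial++
	now, kid := time.Now(), sha1.Sum(must(x509.MarshalPKIXPublicKey(key.Public())))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(lastSerial), Subject: pkix.Name{CommonName: cn},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(365 * 24 * time.Hour),
		SubjectKeyId: kid[:], BasicConstraintsValid: true, IsCA: isCA, KeyUsage: x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, key.Public(), parentKey))
	return must(x509.ParseCertificate(der))
}

// issueCRL signs an empty CRL under ca. Go copies ca's SubjectKeyId into the CRL's authorityKeyIdentifier,
// the extension RFC 5280 5.2.1 mandates so a verifier can tell which of several same-named keys signed it.
func issueCRL(ca *x509.Certificate, caKey ed25519.PrivateKey) *x509.RevocationList {
	now := time.Now()
	tmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: now.Add(-time.Hour), NextUpdate: now.Add(24 * time.Hour)}
	return must(x509.ParseRevocationList(must(x509.CreateRevocationList(rand.Reader, tmpl, ca, caKey))))
}

// issuerCandidates is a name-only lookup, all a plain subject index can do: every CA in store whose subject
// equals the CRL issuer. Checking the signature against only the first hit is the reported "signature verification error".
func issuerCandidates(store []*x509.Certificate, crl *x509.RevocationList) []*x509.Certificate {
	var out []*x509.Certificate
	for _, c := range store {
		if bytes.Equal(c.RawSubject, crl.RawIssuer) {
			out = append(out, c)
		}
	}
	return out
}

// verifyCRLWithAKI narrows the name matches by the CRL's authorityKeyIdentifier before checking the
// signature, and returns the CA certificate that actually signed the list.
func verifyCRLWithAKI(store []*x509.Certificate, crl *x509.RevocationList) (*x509.Certificate, error) {
	if len(crl.AuthorityKeyId) == 0 {
		return nil, errors.New("CRL carries no authorityKeyIdentifier")
	}
	for _, c := range issuerCandidates(store, crl) {
		if bytes.Equal(c.SubjectKeyId, crl.AuthorityKeyId) {
			return c, crl.CheckSignatureFrom(c)
		}
	}
	return nil, errors.New("no CA with the CRL issuer name and a matching key identifier")
}

// buildScenario: trust store (root, old ClientCA, new ClientCA, old key first as in the poster's stack),
// a client certificate issued by the old key, and a CRL signed by the new key.
func buildScenario() (store []*x509.Certificate, client *x509.Certificate, crl *x509.RevocationList) {
	newKey := func() ed25519.PrivateKey { _, k, err := ed25519.GenerateKey(rand.Reader); return must(k, err) }
	rootKey, oldKey, curKey := newKey(), newKey(), newKey()
	root := issue("BigCA", true, rootKey, nil, nil)
	oldCA := issue("ClientCA", true, oldKey, root, rootKey)
	curCA := issue("ClientCA", true, curKey, root, rootKey)
	client = issue("ClientX", false, newKey(), oldCA, oldKey)
	return []*x509.Certificate{root, oldCA, curCA}, client, issueCRL(curCA, curKey)
}

func main() {
	store, client, crl := buildScenario()
	cands := issuerCandidates(store, crl)
	fmt.Printf("client issuer %q matches %d CA certs; first-match CRL check: %v\n", client.Issuer.CommonName, len(cands), crl.CheckSignatureFrom(cands[0]))
	signer, err := verifyCRLWithAKI(store, crl)
	fmt.Printf("AKI-aware CRL check: err=%v, signer found=%v\n", err, signer != nil)
}
```

Run it with `go run`; the first line reports two same-name candidates and a signature error, the second a successful AKI-aware check. The signature is still verified against a certificate in the trust store, so the key identifier only disambiguates and grants no trust on its own; RFC 5280 section 6.3.3 still wants a validated path for the CRL issuer. With versioned CA names, as the other replies recommend, the old ClientCA's name no longer matches the new one, so the old key has to keep signing its own CRL until its last certificate expires; that is the price of the simpler scheme, and the reason it needs no special support in the verifier.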
#4
06-16-2008
Michael Ströder
Re: Generic question on CRL use

Gilles Cuesta wrote:
> 2008/6/16 Michael Ströder <michael@stroeder.com>:
>> Gilles Cuesta wrote:
>>> So, at a time, we have 2 ClientCA with different key and different
>>> validity period, but same DN.

>> This is bad practice. Try searching for "CA key roll-over".

>
> I found docs about it, but proprietary PKI, and couldn't know if this
> feature is implemented ...


It's not a "feature"! Pretty sure there are docs out there describing
best practices when conducting a CA key roll-over. One of the best
practices is to change the subject DN of the CA entity cert.

>> You could try to add the authorityKeyIdentifier extension to the CRL if it's
>> also present in the CA certs. This could work with some software.

> X509v3 Authority Key Identifier:
> keyid:56:4D:A9...
>
> But it doesn't work asis, issuing "signature verification error" in
> apache error logs ...


Glad you learned so soon that it's better to rework your renewed sub-CA
cert. ;-)

Ciao, Michael.
#5
06-16-2008
Patrick Patterson
Re: Generic question on CRL use

On June 16, 2008 12:46:56 pm Gilles Cuesta wrote:
> 2008/6/16 Michael Ströder <michael@stroeder.com>:
> > Gilles Cuesta wrote:
> >> So, at a time, we have 2 ClientCA with different key and different
> >> validity period, but same DN.

> >
> > This is bad practice. Try searching for "CA key roll-over".

>
> I found docs about it, but proprietary PKI, and couldn't know if this
> feature is implemented ...
>

Check the IETF PKIX mailing list. There is a thread there by Santosh Chokhani
and Stefan Santesson that goes into this. Short answer is: you can do what
you want, but it's REALLY tricky, and Michael is right; best practice is to
version your CAs (so the current one is CA1, the next one is CA2, etc.).

> >> The problem is, when verifying client cert work with both ClientCA
> >> stacked; but when using CRL, old clients work only if CRL is signed by
> >> old ClientCA.

> >
> > Well, you asked for trouble...
> >
> > You could try to add the authorityKeyIdentifier extension to the CRL if
> > it's also present in the CA certs. This could work with some software.

>
> Here we are :D
>

Ummm, I think you mean that you want to have, in the CRL DP in the client
certificate, the crlIssuer field of the CRL DP; problem is that 90% of the
software out there (Apache included) won't deal with it.

BTW: To handle the case that you are trying to do, there was a patch sent in
by Erwann ABALEA from Keynectis to the OpenSSL Users mailing list in
January/February this year, IIRC. Perhaps you could try that; you'd have to
do some fairly exotic things to mod_ssl, mind you, to get it to work :)

I'm with Michael - stop using the same name each time. Version your CAs.

Have fun.

--
Patrick Patterson
President and Chief PKI Architect,
Carillon Information Security Inc.
http://www.carillon.ca