Tags: ssl, openssl, ssl-certificate, verification, certificate-revocation

Verify certificate chain against CRL with openssl


I'm trying to learn about certificate and CRL handling, so I created the following example certificate chain:

Root CA (self-signed) → Intermediate CA (signed by Root CA) → Server Cert (signed by Intermediate CA)

Now I would like to test that certificate revocation is effective. To do so, I revoke the Server Cert and create a CRL file (of the Intermediate CA) accordingly. The X509v3 CRL Distribution Points are present in all of the certificate files, and they are accessible via HTTP, like:

X509v3 CRL Distribution Points:
    Full Name:
      URI:http://127.0.0.1:80/intermediate_ca.crl

(This is the CRL I just created; the same holds for the Root CA CRL at http://127.0.0.1:80/ca.crl. I double-checked that they are really present and accessible at those URIs.)

Next, I cat the Root CA pem file and the Intermediate CA pem file into CAChain.pem.

I'd like to have a command that receives the Server Cert and the CAChain.pem and "crawls up" the certificate chain in order to verify it in total.

I tried going with

openssl verify -extended_crl -crl_check_all -crl_download -CAfile CAChain.pem -verbose serverCert.pem

but I just get:

Error loading CRL from http://127.0.0.1:80/ca.crl
140041593399104:error:27076072:OCSP routines:parse_http_line1:server response error:crypto/ocsp/ocsp_ht.c:260:Code=404,Reason=Not Found
...
error 3 at 0 depth lookup: unable to get certificate CRL

Again, the CRL is really present at the URI denoted. That's why I can't explain the 404 error. (Additionally, it seems a little strange to me that the error arises from an OCSP module, as I'm just using CRLs at the moment.)

I would highly appreciate it if someone could tell me what my mistake is and how I can achieve what I originally intended (verifying the whole cert chain using the CRLs). Thanks in advance!


Solution

  • Indeed there were mainly two mistakes I had made:

    Keeping this in mind and also chaining the intermediate CA certs to the server certs, as dave_thompson_085's very helpful comments suggested, the original command

    openssl verify -extended_crl -crl_check_all -crl_download -CAfile CAChain.pem -verbose serverCert.pem

    works now.

    I've created a gist of what I have done so far. It's still pretty ugly - I will tidy it up and also experiment with OCSP in the future.
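As an added example (not the question's gist and not the answer's own commands), the same Root → Intermediate → Server chain built from scratch, the server cert revoked, CRLs issued for both CAs, and the chain checked with `openssl verify -crl_check_all` fully offline: the CRLs are handed over with `-CRLfile` instead of being fetched via `-crl_download`. All file names, CA names and config section names are made up for the demo.

```shell
#!/bin/sh
# Constructed example: build Root -> Intermediate -> Server, revoke the server
# cert, issue both CA CRLs, and verify offline with -CRLfile (no -crl_download).
set -eu
WORK=$(mktemp -d); cd "$WORK"
export CADIR=root   # selects the per-CA database dir; ca() overrides it per call

# Minimal `openssl ca` config (hypothetical section names).
cat > ca.cnf <<'EOF'
[ ca ]
default_ca = demo
[ demo ]
dir = $ENV::CADIR
database = $dir/index.txt
serial = $dir/serial
new_certs_dir = $dir
default_md = sha256
default_days = 30
default_crl_days = 30
policy = pol
[ pol ]
commonName = supplied
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[ v3_server ]
basicConstraints = CA:FALSE
[ req ]
distinguished_name = dn
[ dn ]
EOF
for d in root int; do mkdir "$d"; : > "$d/index.txt"; echo 1000 > "$d/serial"; done

# ca <name> <args...>: run `openssl ca` as the CA whose key, cert and db are <name>.
ca() { n=$1; shift; CADIR=$n openssl ca -batch -config ca.cnf -cert "$n.crt" -keyfile "$n.key" "$@" 2>/dev/null; }
openssl req -x509 -newkey rsa:2048 -nodes -keyout root.key -out root.crt -subj /CN=Root -days 30 -config ca.cnf -extensions v3_ca 2>/dev/null
openssl req -new -newkey rsa:2048 -nodes -keyout int.key -out int.csr -subj /CN=Intermediate -config ca.cnf 2>/dev/null
ca root -extensions v3_ca -in int.csr -out int.crt -notext
openssl req -new -newkey rsa:2048 -nodes -keyout server.key -out server.csr -subj /CN=server.test -config ca.cnf 2>/dev/null
ca int -extensions v3_server -in server.csr -out server.crt -notext

# -crl_check_all needs a CRL for every CA in the chain, the root's own included.
gencrls() { ca root -gencrl -out root.crl; ca int -gencrl -out int.crl; cat root.crl int.crl > "$1"; }
# Exit 0 when the chain verifies against the given CRL bundle, non-zero otherwise.
verify_chain() { openssl verify -crl_check_all -CAfile root.crt -untrusted int.crt -CRLfile "$1" server.crt >/dev/null 2>&1; }

gencrls crls_before.pem; verify_chain crls_before.pem && echo "before revocation: chain OK"
ca int -revoke server.crt
gencrls crls.pem; verify_chain crls.pem || echo "after revocation: rejected as expected"
```

Keeping crls_before.pem around lets you confirm that the stale pre-revocation CRL still accepts the revoked server cert, which is why CRL freshness (nextUpdate and regular re-download) matters as much as enabling the check.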