ssl openssl ssl-certificate verification certificate-revocation

Verify certificate chain against CRL with openssl

I'm trying to learn about certificate and CRL handling, so I created the following example certificate chain:

Root CA (self-signed) → Intermediate CA (signed by Root CA) → Server Cert (signed bei Intermediate CA)

Now I would like to test certificate revocation to be effective. To do so, I revoke the Server Cert and create a CRL file (of the Intermediate CA) accordingly. The X509v3 CRL Distribution Points are present in all of the certificate files, and they are accessible via http, like:

X509v3 CRL Distribution Points:
    Full Name:
      URI:http://127.0.0.1:80/intermediate_ca.crl

(Which is the CRL I just created. (The same for the Root CA CRL at http://127.0.0.1:80/ca.crl.) I double-checked they are really present and accessible at that URI.)

Next, I cat the Root CA pem file and the Intermediata CA pem file into CAChain.pem.

I'd like to have a command that receives the Server Cert and the CAChain.pem and "crawls up" the certificate chain in order verify it in total.

I tried going with

openssl verify -extended_crl -crl_check_all -crl_download -CAfile CAChain.pem -verbose serverCert.pem

but I just get:

Error loading CRL from http://127.0.0.1:80/ca.crl
140041593399104:error:27076072:OCSP routines:parse_http_line1:server response error:crypto/ocsp/ocsp_ht.c:260:Code=404,Reason=Not Found
...
error 3 at 0 depth lookup: unable to get certificate CRL

Again, the CRL is really present at the URI denoted. That's why I can't explain the error 404. (Additionally it seems a little strange to me, that the error arises from an OSCP module as I'm just using CRL at the moment.)

I would highly appreciate if someone could tell me what my mistake is and how I can achieve what I originally intended (verifying the whole cert chain using the CRLs). Thanks in advance!

Solution

Indeed there were mainly two mistakes I had made:

The CRL file mandatorily has to be in DER format, which I did not know. (Conversion from the PEM format is simple: openssl crl -in ${crlFile}.pem -outform DER -out ${crlFile}).
Of course, a certicate's CRL distribution point has to be the one of its parent CA. (So, e. g. for my intermediate CA, it must be the one of the root CA.)

Keeping this in mind and also chaining the intermediate CA certs to the server certs, as dave_thompson_085s very helpful comments suggested, the original command

openssl verify -extended_crl -crl_check_all -crl_download -CAfile CAChain.pem -verbose serverCert.pem

works now.

I've created a gist of what I have done so far. It's still pretty ugly - I will tidy it up and also experiment with OCSP in the future.