I'm trying to learn about certificate and CRL handling, so I created the following example certificate chain:
Root CA (self-signed) → Intermediate CA (signed by Root CA) → Server Cert (signed by Intermediate CA)
Now I would like to test that certificate revocation is effective. To do so, I revoke the Server Cert and create a CRL file (of the Intermediate CA) accordingly. The X509v3 CRL Distribution Points are present in all of the certificate files, and they are accessible via http, like:
X509v3 CRL Distribution Points:
    Full Name:
      URI:http://127.0.0.1:80/intermediate_ca.crl
(This is the CRL I just created; the same holds for the Root CA CRL at http://127.0.0.1:80/ca.crl. I double-checked that they are really present and accessible at those URIs.)
Next, I cat the Root CA pem file and the Intermediate CA pem file into CAChain.pem.
I'd like to have a command that receives the Server Cert and the CAChain.pem and "crawls up" the certificate chain in order to verify it in total.
I tried going with
openssl verify -extended_crl -crl_check_all -crl_download -CAfile CAChain.pem -verbose serverCert.pem
but I just get:
Error loading CRL from http://127.0.0.1:80/ca.crl
140041593399104:error:27076072:OCSP routines:parse_http_line1:server response error:crypto/ocsp/ocsp_ht.c:260:Code=404,Reason=Not Found
...
error 3 at 0 depth lookup: unable to get certificate CRL
Again, the CRL is really present at the URI denoted. That's why I can't explain the error 404. (Additionally, it seems a little strange to me that the error arises from an OCSP module, as I'm just using CRLs at the moment.)
I would highly appreciate if someone could tell me what my mistake is and how I can achieve what I originally intended (verifying the whole cert chain using the CRLs). Thanks in advance!
Indeed there were mainly two mistakes I had made:
openssl crl -in ${crlFile}.pem -outform DER -out ${crlFile}
). Keeping this in mind and also chaining the intermediate CA certs to the server certs, as dave_thompson_085's very helpful comments suggested, the original command
openssl verify -extended_crl -crl_check_all -crl_download -CAfile CAChain.pem -verbose serverCert.pem
works now.
I've created a gist of what I have done so far. It's still pretty ugly - I will tidy it up and also experiment with OCSP in the future.
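The "crawl up the chain and consult each CRL" check the question asks for, as an added example in Python with the cryptography library (not code from the post or its gist): it builds the same Root → Intermediate → Server chain in memory, publishes each CA's CRL under the question's URIs in a dict that stands in for the http server on 127.0.0.1, and checks every link the way -crl_check_all does. Serving the CRL as PEM instead of DER reproduces the "unable to get certificate CRL" failure from the question; the fixed clock, names and URIs are constructed for the example.

```python
import datetime as dt
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.hazmat.primitives.serialization import Encoding
from cryptography.x509.oid import ExtensionOID, NameOID
NOW = dt.datetime(2024, 1, 1, tzinfo=dt.timezone.utc)  # fixed clock for the constructed PKI

def issue(cn, issuer, issuer_key, is_ca, cdp_uri):  # issuer=None -> self-signed root
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    b = (x509.CertificateBuilder().subject_name(name).issuer_name(issuer.subject if issuer else name)
         .public_key(key.public_key()).serial_number(x509.random_serial_number())
         .not_valid_before(NOW).not_valid_after(NOW + dt.timedelta(days=365))
         .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
         .add_extension(x509.CRLDistributionPoints([x509.DistributionPoint(  # where the ISSUER's CRL lives
             [x509.UniformResourceIdentifier(cdp_uri)], None, None, None)]), critical=False))
    return b.sign(issuer_key or key, hashes.SHA256()), key

def make_crl(issuer, issuer_key, revoked_serials):
    b = (x509.CertificateRevocationListBuilder().issuer_name(issuer.subject)
         .last_update(NOW).next_update(NOW + dt.timedelta(days=30)))
    for s in revoked_serials:
        b = b.add_revoked_certificate(
            x509.RevokedCertificateBuilder().serial_number(s).revocation_date(NOW).build())
    return b.sign(issuer_key, hashes.SHA256())

def crl_status(cert, issuer, fetch):
    """One link of the chain: locate, download, authenticate and consult the issuer's CRL."""
    try:
        cdp = cert.extensions.get_extension_for_oid(ExtensionOID.CRL_DISTRIBUTION_POINTS).value
        crl = x509.load_der_x509_crl(fetch(cdp[0].full_name[0].value))  # DER, as -crl_download expects
    except (x509.ExtensionNotFound, KeyError, ValueError):               # no CDP, 404, or PEM served
        return "unable to get certificate CRL"
    if not crl.is_signature_valid(issuer.public_key()):                  # never trust an unsigned CRL
        return "unable to get certificate CRL"
    return "revoked" if crl.get_revoked_certificate_by_serial_number(cert.serial_number) else "good"

def verify_chain(chain, fetch):  # chain is leaf first, root last; the root vouches for its own CRL
    return [crl_status(c, chain[i + 1] if i + 1 < len(chain) else c, fetch) for i, c in enumerate(chain)]

def run(revoke_server=True, serve_pem=False):  # returns the status of server, intermediate, root
    root, root_key = issue("Root CA", None, None, True, "http://127.0.0.1/ca.crl")
    inter, inter_key = issue("Intermediate CA", root, root_key, True, "http://127.0.0.1/ca.crl")
    server, _ = issue("server", inter, inter_key, False, "http://127.0.0.1/intermediate_ca.crl")
    enc = Encoding.PEM if serve_pem else Encoding.DER
    served = {  # constructed stand-in for the files behind http://127.0.0.1
        "http://127.0.0.1/ca.crl": make_crl(root, root_key, []).public_bytes(enc),
        "http://127.0.0.1/intermediate_ca.crl":
            make_crl(inter, inter_key, [server.serial_number] if revoke_server else []).public_bytes(enc)}
    return verify_chain([server, inter, root], served.__getitem__)
```

run() reports the revoked server cert while both CAs stay good; run(serve_pem=True) fails every link exactly as openssl did before the CRLs were converted to DER.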