CRL (Certificate Revocation Lists)
A CRL is a certificate revocation list, used when checking whether a digital certificate is still valid. A digital certificate cannot be forcibly withdrawn while it is within its validity period; the only way to revoke it is to add it to the appropriate CRL. Intermediate or root certificates can be placed on a CRL, and so can a specific X.509 certificate.
Modify the intermediate CA's configuration file
Specify the URL of the PEM file from which the CRL will be served:
[ server_cert ]
# ... snipped ...
crlDistributionPoints = URI:http://example.com/intermediate.crl.pem
Use the intermediate CA to issue a server certificate for a website
openssl genrsa -aes256 \
-out intermediate/private/cute-kitten-pictures.example.com.key.pem 2048
chmod 400 intermediate/private/cute-kitten-pictures.example.com.key.pem
openssl req -config intermediate/openssl.cnf \
-key intermediate/private/cute-kitten-pictures.example.com.key.pem \
-new -sha256 -out intermediate/csr/cute-kitten-pictures.example.com.csr.pem
Enter pass phrase for cute-kitten-pictures.example.com.key.pem: secretpassword
You are about to be asked to enter information that will be incorporated
into your certificate request.
-----
Country Name (2 letter code) [XX]:US
State or Province Name []:California
Locality Name []:Mountain View
Organization Name []:Alice Ltd
Organizational Unit Name []:Alice Ltd Web Services
Common Name []:cute-kitten-pictures.example.com
Email Address []:
openssl ca -config intermediate/openssl.cnf \
-extensions server_cert -days 375 -notext -md sha256 \
-in intermediate/csr/cute-kitten-pictures.example.com.csr.pem \
-out intermediate/certs/cute-kitten-pictures.example.com.cert.pem
chmod 444 intermediate/certs/cute-kitten-pictures.example.com.cert.pem
Inspect the server certificate
openssl x509 -noout -text \
-in intermediate/certs/cute-kitten-pictures.example.com.cert.pem
The output includes the URL where the CRL is published:
X509v3 CRL Distribution Points:
Full Name:
URI:http://example.com/intermediate.crl.pem
Revoke a certificate
openssl ca -config intermediate/openssl.cnf \
-revoke intermediate/certs/bob@example.com.cert.pem
Enter pass phrase for intermediate.key.pem: secretpassword
Revoking Certificate 1001.
Data Base Updated
Regenerate the CRL (the revocation only takes effect once a new CRL is generated and published)
openssl ca -config intermediate/openssl.cnf \
-gencrl -out intermediate/crl/intermediate.crl.pem
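The steps above only show the issuing side. The script below is an added example, not part of the original post: it builds a throwaway CA in a temporary directory with the layout `openssl ca` expects, issues a server certificate carrying the same crlDistributionPoints URL, revokes it, regenerates the CRL, and then does what a relying party would do, verifying the certificate against the CRL with `openssl verify -crl_check`. The single-level CA, the CA name "Demo Issuing CA", the unencrypted demo keys and all file paths are assumptions for the demo; only the extension URL and the server hostname come from the post.

```sh
#!/bin/sh
# Added example (not from the original post): throwaway CA that walks the
# post's procedure end to end, then checks the issued cert against the CRL.
# Layout, CA name and unencrypted keys are demo assumptions.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
CNF="$WORK/openssl.cnf"
CRL="$WORK/crl/ca.crl.pem"

# Files that `openssl ca` expects: index.txt database, serial, crlnumber, newcerts/
setup_ca() {
  mkdir -p "$WORK/newcerts" "$WORK/crl"
  : > "$WORK/index.txt"
  echo 1000 > "$WORK/serial"
  echo 1000 > "$WORK/crlnumber"
  cat > "$CNF" <<EOF
[ ca ]
default_ca        = CA_default

[ CA_default ]
dir               = $WORK
new_certs_dir     = \$dir/newcerts
database          = \$dir/index.txt
serial            = \$dir/serial
crlnumber         = \$dir/crlnumber
certificate       = \$dir/ca.cert.pem
private_key       = \$dir/ca.key.pem
default_md        = sha256
default_days      = 375
default_crl_days  = 30
policy            = policy_any
unique_subject    = no

[ policy_any ]
commonName        = supplied

[ req ]
prompt              = no
distinguished_name  = req_dn
x509_extensions     = v3_ca

[ req_dn ]
CN = Demo Issuing CA

[ v3_ca ]
basicConstraints  = critical, CA:TRUE
keyUsage          = critical, keyCertSign, cRLSign

[ server_cert ]
basicConstraints      = CA:FALSE
keyUsage              = critical, digitalSignature, keyEncipherment
extendedKeyUsage      = serverAuth
crlDistributionPoints = URI:http://example.com/intermediate.crl.pem
EOF
  # Self-signed CA; unencrypted key is for the demo only (the post uses -aes256)
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -config "$CNF" \
    -keyout "$WORK/ca.key.pem" -out "$WORK/ca.cert.pem" >/dev/null 2>&1
}

# Server key + CSR, then sign it with the server_cert extensions
issue_server_cert() {
  openssl req -new -newkey rsa:2048 -nodes -config "$CNF" \
    -subj "/CN=cute-kitten-pictures.example.com" \
    -keyout "$WORK/server.key.pem" -out "$WORK/server.csr.pem" >/dev/null 2>&1
  openssl ca -batch -config "$CNF" -extensions server_cert -notext \
    -in "$WORK/server.csr.pem" -out "$WORK/server.cert.pem" >/dev/null 2>&1
}

revoke_server_cert() {
  openssl ca -batch -config "$CNF" -revoke "$WORK/server.cert.pem" >/dev/null 2>&1
}

# Write the CRL; this has to be rerun (and republished) after every revocation
generate_crl() {
  openssl ca -batch -config "$CNF" -gencrl -out "$CRL" >/dev/null 2>&1
}

# The URL a relying party would fetch the CRL from, read back out of the cert
crl_url_in_cert() {
  openssl x509 -noout -text -in "$WORK/server.cert.pem" | sed -n 's/^ *URI://p'
}

# Serial numbers the current CRL lists as revoked
revoked_serials() {
  openssl crl -noout -text -in "$CRL" | sed -n 's/^ *Serial Number: *//p'
}

# Chain validation plus CRL check, as a client would do: ok / revoked / error
check_against_crl() {
  out="$(openssl verify -crl_check -CAfile "$WORK/ca.cert.pem" -CRLfile "$CRL" \
           "$WORK/server.cert.pem" 2>&1 || true)"
  case "$out" in
    *": OK"*)                echo ok ;;
    *"certificate revoked"*) echo revoked ;;
    *)                       echo "error: $out" ;;
  esac
}

setup_ca
issue_server_cert
generate_crl
BEFORE="$(check_against_crl)"   # ok: the CRL is still empty
revoke_server_cert
generate_crl                    # skip this and the old CRL still says ok
AFTER="$(check_against_crl)"    # revoked
echo "before revocation: $BEFORE, after revocation: $AFTER"
```

Two points the script makes concrete: the revocation is invisible to clients until a fresh CRL is generated and published at the crlDistributionPoints URL, and `openssl verify` only consults a CRL when asked to with `-crl_check` (or `-crl_check_all` for the whole chain) and given one via `-CRLfile` or the CA store.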