Join Sean Colins for an in-depth discussion in this video Setting up a certificate-revocation list, part of Understanding Secure Sockets Layer.
- In the last movie I showed you how to revoke a certificate. Next we need to see how to set up a certificate revocation list, so that you've got that documented within your certificate authority. To do that we need to create a couple more directories, but I want to show you why. So we're going to cd into ... And you'll notice I'm already in a sudo session, so remember you've got to be in there, but we're going to cd into my OpenSSL directory, because in here I've got my openssl.cnf file and I want to show you something else in here that I didn't mention originally when we were first talking about how to configure it for certificates.
There's some additional stuff I wanna show you that needs to be configured to do the crl, and I just wanted to point those out in here. The first thing is the crl directory right here needs to be created, so we need to create a file called crl, or a folder called crl, in the same directory where the certs directory is and where new_certs is, etc. We also need to create a crl number in here, and the crl.pem, the current crl, will be located in the root directory right alongside everything else in the groundswell directory, because we've dictated that that's gonna be up here.
Now, if we want to avoid a bug where certain browser clients can crash (admittedly older ones, but it's still possible), I'd like you to comment out the one that says crlnumber. So we're going to comment that out and we're going to write this out, remembering that we need to create the directory called crl, as you see it right there. So we're gonna type mkdir, and because we're already cd'd into the OpenSSL directory ... Actually, I'm going to cd into groundswell and then I'm going to mkdir my crl directory.
So there is crl right there, right next to certs and private and new_certs, just as it should be. Let me clear that out so we've got a nice clean screen to look at, and we'll move on to the next command here. So the first thing, I'm going to cd back so that my working directory is the OpenSSL directory. I want to be at that level. So what have I done here? The openssl command with the certificate authority, and we're configuring using the configuration file openssl.cnf, and notice I didn't precede this with a directory.
That's why I wanted the pwd to be this directory, because that's where that file is. Generate a crl, and the file that we're gonna send out is gonna be in the groundswell directory, in the crl directory, in a file called crl.pem. It's gonna ask us for the pass phrase for our cakey and it just exits with no output. If you got any kind of other output with errors or anything else, double check that you were in the right directory, that you added the openssl.cnf file like we told you to, all of that stuff, and that the directory is actually created in the file system.
There's a whole bunch of things that could go wrong there that you can avoid by just doing exactly what I did, and there we are. So what we've just done is we've created the crl file, and now we have published that information. Next, we're gonna move on to the next step, which will be the renewal of our certificate.
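The directory layout, the commented-out crlnumber line and the gencrl step the video walks through, as an added example that is not the course's own commands: it assumes the openssl CLI is installed, builds a throwaway CA in a temp directory (the "groundswell" name follows the video; the config values and CA name are assumptions), and then runs the checks a relying party would run on the published CRL.

```shell
#!/bin/sh
# Added example, not the course's own commands. Builds a temporary CA whose
# files match what the [ CA_default ] section of openssl.cnf expects, runs
# 'openssl ca -gencrl' the way the video does, and exposes checks on the result.
# Assumes the openssl CLI is installed; "groundswell" is the video's CA directory
# name, everything else here is constructed.
set -eu

# Create the CA directory tree, database files and config; print the work dir.
make_test_ca() {
  work=$(mktemp -d); ca="$work/groundswell"
  mkdir -p "$ca/certs" "$ca/new_certs" "$ca/private" "$ca/crl"
  : > "$ca/index.txt"            # empty CA database: nothing issued or revoked
  echo 01 > "$ca/serial"
  echo 01 > "$ca/crlnumber"      # only read if the crlnumber line is enabled
  cat > "$work/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir           = $ca
database      = \$dir/index.txt
new_certs_dir = \$dir/new_certs
certificate   = \$dir/cacert.pem
private_key   = \$dir/private/cakey.pem
serial        = \$dir/serial
# crlnumber   = \$dir/crlnumber   # left commented out, as done in the video
default_md    = sha256
default_days  = 365
default_crl_days = 30
[ req ]
prompt = no
distinguished_name = dn
[ dn ]
CN = Constructed Test CA
EOF
  # Self-signed CA certificate; -nodes so the gencrl step needs no passphrase.
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -config "$work/openssl.cnf" \
    -keyout "$ca/private/cakey.pem" -out "$ca/cacert.pem" 2>/dev/null
  echo "$work"
}

# The step from the video, run from the directory that holds openssl.cnf.
gen_crl() {
  (cd "$1" && openssl ca -config openssl.cnf -gencrl -out groundswell/crl/crl.pem 2>/dev/null)
}

# Relying-party checks: the CRL signature verifies against the CA certificate
# (exit status 0), and the decoded CRL can be inspected for issuer and entries.
crl_verifies() { openssl crl -in "$1/groundswell/crl/crl.pem" -CAfile "$1/groundswell/cacert.pem" -noout >/dev/null 2>&1; }
crl_text()     { openssl crl -in "$1/groundswell/crl/crl.pem" -noout -text; }
```

Because crlnumber is commented out, the decoded CRL carries no CRL Number extension; re-enable the line if your clients rely on it to order successive CRLs.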
- SSL communications
- Certificate authorities
- Public key infrastructures
- Symmetric and asymmetric key pairs
- Cryptographic hash functions
- Encryption algorithms