Here is a variant to my “Howto: Make Your Own Cert With OpenSSL” method. This time, I needed a signing cert with a Certificate Revocation List (CRL) extension and an (empty) CRL. I used instructions from this post.
Adding a CRL extension to a certificate is not difficult, you just need to include a configuration file with one line. But creating a CRL file requires more steps, that’s why I needed this howto. The start of this howto is the same as my previous howto.
First we generate a 4096-bit long RSA key for our root CA and store it in file ca.key:
openssl genrsa -out ca.key 4096
Generating RSA private key, 4096 bit long modulus ...................................................................................++ ........................................................................++ e is 65537 (0x10001)
If you want to password-protect this key, add option -des3.
Next, we create our self-signed root CA certificate ca.crt; you’ll need to provide an identity for your root CA:
openssl req -new -x509 -days 1826 -key ca.key -out ca.crt
You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [XX]:BE State or Province Name (full name) []:Brussels Locality Name (eg, city) [Default City]:Brussels Organization Name (eg, company) [Default Company Ltd]:Didier Stevens Organizational Unit Name (eg, section) []: Common Name (eg, your name or your server's hostname) []:Didier Stevens CA Email Address []:
The -x509 option is used for a self-signed certificate. 1826 days gives us a cert valid for 5 years.
Next step: create our subordinate CA that will be used for the actual signing. First, generate the key:
openssl genrsa -out ia.key 4096
Generating RSA private key, 4096 bit long modulus .....++ .............................................................................++ e is 65537 (0x10001)
Then, request a certificate for this subordinate CA:
openssl req -new -key ia.key -out ia.csr
You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [XX]:BE State or Province Name (full name) []:Brussels Locality Name (eg, city) [Default City]:Brussels Organization Name (eg, company) [Default Company Ltd]:Didier Stevens Organizational Unit Name (eg, section) []: Common Name (eg, your name or your server's hostname) []:Didier Stevens IA Email Address []: Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []: An optional company name []:
Make sure the Common Name is different for both certs, otherwise you’ll get an error. Now, before we process the request for the subordinate CA certificate and get it signed by the root CA, we need to create a couple of files (this step is done with Linux; to create empty file certindex on Windows, you could use Notepad in stead of touch).
touch certindex echo 01 > certserial echo 01 > crlnumber
And also create this configuration file (ca.conf):
# Mainly copied from: # http://swearingscience.com/2009/01/18/openssl-self-signed-ca/ [ ca ] default_ca = myca [ crl_ext ] # issuerAltName=issuer:copy #this would copy the issuer name to altname authorityKeyIdentifier=keyid:always [ myca ] dir = ./ new_certs_dir = $dir unique_subject = no certificate = $dir/ca.crt database = $dir/certindex private_key = $dir/ca.key serial = $dir/certserial default_days = 730 default_md = sha1 policy = myca_policy x509_extensions = myca_extensions crlnumber = $dir/crlnumber default_crl_days = 730 [ myca_policy ] commonName = supplied stateOrProvinceName = supplied countryName = optional emailAddress = optional organizationName = supplied organizationalUnitName = optional [ myca_extensions ] basicConstraints = CA:false subjectKeyIdentifier = hash authorityKeyIdentifier = keyid:always keyUsage = digitalSignature,keyEncipherment extendedKeyUsage = serverAuth crlDistributionPoints = URI:http://example.com/root.crl subjectAltName = @alt_names [alt_names] DNS.1 = example.com DNS.2 = *.example.com
Notice the crlDistributionPoints and DNS. entries pointing to domain example.com. You should change them to your domain.
Now you can sign the request:
openssl ca -batch -config ca.conf -notext -in ia.csr -out ia.crt
Using configuration from ca.conf Check that the request matches the signature Signature ok The Subject's Distinguished Name is as follows countryName : PRINTABLE:'BE' stateOrProvinceName :ASN.1 12:'Brussels' localityName :ASN.1 12:'Brussels' organizationName :ASN.1 12:'Didier Stevens' commonName :ASN.1 12:'Didier Stevens IA' Certificate is to be certified until May 3 21:13:02 2015 GMT (730 days) Write out database with 1 new entries Data Base Updated
To use this subordinate CA key for Authenticode signatures with Microsoft’s signtool, you’ll have to package the keys and certs in a PKCS12 file:
openssl pkcs12 -export -out ia.p12 -inkey ia.key -in ia.crt -chain -CAfile ca.crt
Enter Export Password: Verifying - Enter Export Password:
Finally, you can generate the empty CRL file:
openssl ca -config ca.conf -gencrl -keyfile ca.key -cert ca.crt -out root.crl.pem
openssl crl -inform PEM -in root.crl.pem -outform DER -out root.crl
rm root.crl.pem
rm is a Linux command, use del on a Windows machine.
The last step is to host this root.crl file on the webserver pointed to in the CRL extension (http://example.com/root.crl in this example).
If you need to revoke the intermediate certificate, use this command:
openssl ca -config ca.conf -revoke ia.crt -keyfile ca.key -cert ca.crt
And then regenerate the CRL file like explained above.
Didier Stevens 
[…] before it retrieves a URL when a PDF document contains an action to do so. But what about the Certificate Revocation List in a signed PDF […]
Pingback by Adobe Reader and CRLs | Didier Stevens — Monday 13 May 2013 @ 18:08
Certificate Authority setup: Doing it right with OpenSSL
In my previous post about securing HTTP-connections HTTP Secure: Is Internet really broken? I was speculating about the current state of encryption security in web applications. This article is about how to actually implement a CA in detail and the req…
Trackback by Hacker's ramblings — Friday 27 December 2013 @ 10:56
trying to sign a csr with self signed CA generated using steps above. Keep getting this error
#########################################
Using configuration from ca.conf
unable to load certificate
140697290684224:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:696:Expecting: TRUSTED CERTIFICATE
######################################################################################################
ca.conf is pointing to the correct self signed ca cert
cat ca.conf | grep cert
certificate = $dir/ca.pem
ls -l | grep ca
ca.key
ca.pem
Am i missing anything here ?
Comment by Anonymous — Thursday 21 January 2016 @ 22:28
looks like your ca.pem is not using the pem file format. do a cat to check the file.
Comment by Didier Stevens — Thursday 21 January 2016 @ 23:29
[…] then need to add revocation here and […]
Pingback by Octopi behind proxy and credentials – Darkink — Monday 20 November 2017 @ 17:56
before i revoke it, i checked it if it will be https:// but it says not secure NET:ERR_CERT_AUTHORITY_INVALID
Comment by chris — Saturday 8 September 2018 @ 14:19
I’m getting
Error checking certificate extension config section ca_extensions
Any ideas?
Comment by Anonymous — Tuesday 7 November 2023 @ 13:37
Here is an updated howto:
Comment by Didier Stevens — Tuesday 7 November 2023 @ 15:29