Consortium Chain Series - Managing CRLs with OpenSSL
Posted by 搬砖魁首
CRL (Certificate Revocation List)
A CRL is a certificate revocation list, used when checking whether a digital certificate is still valid. A certificate cannot be forcibly withdrawn while it is within its validity period; it can only be revoked by adding it to the appropriate CRL.
An intermediate or root certificate can be added to a CRL, as can a specific individual X.509 certificate.
Modify the intermediate CA's configuration file
Specify the URL where the CRL's PEM file will be published
[ server_cert ]
# ... snipped ...
crlDistributionPoints = URI:http://example.com/intermediate.crl.pem
Use the intermediate CA to issue a server certificate for the website
# cd /root/ca
openssl genrsa -aes256 \
-out intermediate/private/cute-kitten-pictures.example.com.key.pem 2048
chmod 400 intermediate/private/cute-kitten-pictures.example.com.key.pem
# cd /root/ca
openssl req -config intermediate/openssl.cnf \
-key intermediate/private/cute-kitten-pictures.example.com.key.pem \
-new -sha256 -out intermediate/csr/cute-kitten-pictures.example.com.csr.pem
Enter pass phrase for cute-kitten-pictures.example.com.key.pem: secretpassword
You are about to be asked to enter information that will be incorporated
into your certificate request.
-----
Country Name (2 letter code) [XX]:US
State or Province Name []:California
Locality Name []:Mountain View
Organization Name []:Alice Ltd
Organizational Unit Name []:Alice Ltd Web Services
Common Name []:cute-kitten-pictures.example.com
Email Address []:
# cd /root/ca
openssl ca -config intermediate/openssl.cnf \
-extensions server_cert -days 375 -notext -md sha256 \
-in intermediate/csr/cute-kitten-pictures.example.com.csr.pem \
-out intermediate/certs/cute-kitten-pictures.example.com.cert.pem
chmod 444 intermediate/certs/cute-kitten-pictures.example.com.cert.pem
Inspect the server certificate
openssl x509 -noout -text \
-in intermediate/certs/cute-kitten-pictures.example.com.cert.pem
The output includes the CRL distribution URL:
X509v3 CRL Distribution Points:
Full Name:
URI:http://example.com/intermediate.crl.pem
Revoke a certificate
openssl ca -config intermediate/openssl.cnf \
-revoke intermediate/certs/bob@example.com.cert.pem
Enter pass phrase for intermediate.key.pem: secretpassword
Revoking Certificate 1001.
Data Base Updated
Regenerate the CRL
openssl ca -config intermediate/openssl.cnf \
-gencrl -out intermediate/crl/intermediate.crl.pem
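The whole procedure above (issue, revoke, regenerate the CRL) run end to end against a throwaway CA, as an added example that is not part of the original article: the CA layout, file names and the demo_ca config section are constructed for the demo, and the final step shows what the CRL is for by having openssl verify -crl_check reject the revoked certificate.

```shell
# Added example (not the article's code): throwaway CA in a temp dir that issues a
# server cert, revokes it, regenerates the CRL, and checks `openssl verify -crl_check`.
set -eu
setup_demo_ca() {                      # $1: empty working directory (constructed layout)
  mkdir -p "$1/newcerts" "$1/crl" && cd "$1"
  touch index.txt && echo 1000 > serial && echo 1000 > crlnumber
  cat > openssl.cnf <<'EOF'
[ ca ]
default_ca       = demo_ca
[ demo_ca ]
dir              = .
database         = $dir/index.txt
new_certs_dir    = $dir/newcerts
serial           = $dir/serial
crlnumber        = $dir/crlnumber
certificate      = $dir/ca.cert.pem
private_key      = $dir/ca.key.pem
default_md       = sha256
default_days     = 375
default_crl_days = 30
policy           = demo_policy
[ demo_policy ]
commonName       = supplied
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
[ server_cert ]
basicConstraints = CA:FALSE
crlDistributionPoints = URI:http://example.com/intermediate.crl.pem
EOF
  openssl req -x509 -config openssl.cnf -extensions v3_ca -newkey rsa:2048 -nodes \
    -keyout ca.key.pem -out ca.cert.pem -subj "/CN=Demo Intermediate CA" -days 30 2>/dev/null
}
issue_server_cert() {                  # CSR + signed cert, same steps as the article
  openssl req -newkey rsa:2048 -nodes -config openssl.cnf -keyout server.key.pem \
    -out server.csr.pem -subj "/CN=cute-kitten-pictures.example.com" 2>/dev/null
  openssl ca -batch -config openssl.cnf -extensions server_cert -notext \
    -in server.csr.pem -out server.cert.pem 2>/dev/null
}
revoke_server_cert() { openssl ca -config openssl.cnf -revoke server.cert.pem 2>/dev/null; }
regenerate_crl()     { openssl ca -config openssl.cnf -gencrl -out crl/demo.crl.pem 2>/dev/null; }
cert_status() {                        # prints "valid" or "revoked" according to the current CRL
  out=$(openssl verify -crl_check -CAfile ca.cert.pem -CRLfile crl/demo.crl.pem server.cert.pem 2>&1) || true
  case "$out" in
    *"certificate revoked"*) echo revoked ;;  *": OK"*) echo valid ;;  *) return 1 ;;
  esac
}
```

Note that revoking only updates index.txt; clients see the change only after the regenerated CRL is copied to the URL named in crlDistributionPoints.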