[opensuse] Adding a CRL
I followed this openSUSE specific blog entry to install my CA certificate and CRL system-wide: https://blog.hqcodeshop.fi/archives/157-Installing-own-CA-root-certificate-i... But unfortunately my CRL is still not found by openssl. Any ideas? # ls -l /etc/pki/trust/anchors total 8 -rw-r--r-- 1 root root 690 Oct 18 13:34 MY-CA.crl -rw-r--r-- 1 root root 1424 Oct 18 13:34 MY-CA.crt # egrep '(BEGIN|END)' /etc/pki/trust/anchors/MY-CA.crt /etc/pki/trust/anchors/MY-CA.crl /etc/pki/trust/anchors/MY-CA.crt:-----BEGIN CERTIFICATE----- /etc/pki/trust/anchors/MY-CA.crt:-----END CERTIFICATE----- /etc/pki/trust/anchors/MY-CA.crl:-----BEGIN X509 CRL----- /etc/pki/trust/anchors/MY-CA.crl:-----END X509 CRL----- # openssl crl -noout -hash -in /etc/pki/trust/anchors/MY-CA.crl 49742892 # ln -sv /etc/pki/trust/anchors/MY-CA.crl /var/lib/ca-certificates/openssl/49742892.r0 '/var/lib/ca-certificates/openssl/49742892.r0' -> '/etc/pki/trust/anchors/MY-CA.crl' # update-ca-certificates # openssl verify -crl_check_all /etc/pki/trust/anchors/MY-CA.crt /etc/pki/trust/anchors/MY-CA.crt: CN = My CA error 3 at 0 depth lookup:unable to get certificate CRL Greetings, Björn -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org
18.10.2016 14:41, Bjoern Voigt пишет:
I followed this openSUSE specific blog entry to install my CA certificate and CRL system-wide: https://blog.hqcodeshop.fi/archives/157-Installing-own-CA-root-certificate-i...
But unfortunately my CRL is still not found by openssl. Any ideas?
# ls -l /etc/pki/trust/anchors total 8 -rw-r--r-- 1 root root 690 Oct 18 13:34 MY-CA.crl -rw-r--r-- 1 root root 1424 Oct 18 13:34 MY-CA.crt # egrep '(BEGIN|END)' /etc/pki/trust/anchors/MY-CA.crt /etc/pki/trust/anchors/MY-CA.crl /etc/pki/trust/anchors/MY-CA.crt:-----BEGIN CERTIFICATE----- /etc/pki/trust/anchors/MY-CA.crt:-----END CERTIFICATE----- /etc/pki/trust/anchors/MY-CA.crl:-----BEGIN X509 CRL----- /etc/pki/trust/anchors/MY-CA.crl:-----END X509 CRL----- # openssl crl -noout -hash -in /etc/pki/trust/anchors/MY-CA.crl 49742892 # ln -sv /etc/pki/trust/anchors/MY-CA.crl /var/lib/ca-certificates/openssl/49742892.r0 '/var/lib/ca-certificates/openssl/49742892.r0' -> '/etc/pki/trust/anchors/MY-CA.crl' # update-ca-certificates # openssl verify -crl_check_all /etc/pki/trust/anchors/MY-CA.crt /etc/pki/trust/anchors/MY-CA.crt: CN = My CA
Is MY-CA.crt self-signed? What openssl x509 -issuer_hash -noout -in /etc/pki/trust/anchors/MY-CA.crt says?
error 3 at 0 depth lookup:unable to get certificate CRL
Greetings, Björn
-- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org
Andrei Borzenkov wrote:
18.10.2016 14:41, Bjoern Voigt пишет:
I followed this openSUSE specific blog entry to install my CA certificate and CRL system-wide: https://blog.hqcodeshop.fi/archives/157-Installing-own-CA-root-certificate-i...
But unfortunately my CRL is still not found by openssl. Any ideas?
# ls -l /etc/pki/trust/anchors total 8 -rw-r--r-- 1 root root 690 Oct 18 13:34 MY-CA.crl -rw-r--r-- 1 root root 1424 Oct 18 13:34 MY-CA.crt # egrep '(BEGIN|END)' /etc/pki/trust/anchors/MY-CA.crt /etc/pki/trust/anchors/MY-CA.crl /etc/pki/trust/anchors/MY-CA.crt:-----BEGIN CERTIFICATE----- /etc/pki/trust/anchors/MY-CA.crt:-----END CERTIFICATE----- /etc/pki/trust/anchors/MY-CA.crl:-----BEGIN X509 CRL----- /etc/pki/trust/anchors/MY-CA.crl:-----END X509 CRL----- # openssl crl -noout -hash -in /etc/pki/trust/anchors/MY-CA.crl 49742892 # ln -sv /etc/pki/trust/anchors/MY-CA.crl /var/lib/ca-certificates/openssl/49742892.r0 '/var/lib/ca-certificates/openssl/49742892.r0' -> '/etc/pki/trust/anchors/MY-CA.crl' # update-ca-certificates # openssl verify -crl_check_all /etc/pki/trust/anchors/MY-CA.crt /etc/pki/trust/anchors/MY-CA.crt: CN = My CA Is MY-CA.crt self-signed? Yes, it is a root certificate, made with easyrsa3.
What
openssl x509 -issuer_hash -noout -in /etc/pki/trust/anchors/MY-CA.crt
says? # openssl x509 -issuer_hash -noout -in /etc/pki/trust/anchors/MY-CA.crt 49742892
Greetings, Björn -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org
Bjoern Voigt wrote:
# ln -sv /etc/pki/trust/anchors/MY-CA.crl /var/lib/ca-certificates/openssl/49742892.r0 '/var/lib/ca-certificates/openssl/49742892.r0' -> '/etc/pki/trust/anchors/MY-CA.crl' # update-ca-certificates I found, that "update-ca-certificates" remove the manually created link. Not good.
Greetings, Björn -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org
On Thu, Oct 20, 2016 at 1:09 AM, Bjoern Voigt <bjoernv@arcor.de> wrote:
Bjoern Voigt wrote:
# ln -sv /etc/pki/trust/anchors/MY-CA.crl /var/lib/ca-certificates/openssl/49742892.r0 '/var/lib/ca-certificates/openssl/49742892.r0' -> '/etc/pki/trust/anchors/MY-CA.crl' # update-ca-certificates I found, that "update-ca-certificates" remove the manually created link. Not good.
Oh, joy of relying on undocumented tools using undocumented utilities ... TL;DR - it is not possible :) openSUSE is using p11-kit to manage certificates and p11-kit currently simply does not support CRL (I would love to be proven wrong). There are ideas about providing common revocation cache, but this link has "no source available" as of now. I tried to chain root certificate with CRL but it does not work either - p11-glue trust module does not blindly copy certificate file, but rather extracts certificate and creates new file. OTOH what is the purpose of storing CRL for openssl? If you intend to use this CA for web sites, browsers usually request CRL themselves? -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org
Andrei Borzenkov wrote:
On Thu, Oct 20, 2016 at 1:09 AM, Bjoern Voigt <bjoernv@arcor.de> wrote:
Bjoern Voigt wrote:
# ln -sv /etc/pki/trust/anchors/MY-CA.crl /var/lib/ca-certificates/openssl/49742892.r0 '/var/lib/ca-certificates/openssl/49742892.r0' -> '/etc/pki/trust/anchors/MY-CA.crl' # update-ca-certificates I found, that "update-ca-certificates" remove the manually created link. Not good. Unfortunately also "chattr +i" does not help here to keep the link intact:
# sudo lsattr /var/lib/ca-certificates/openssl/49742892.r0 lsattr: Operation not supported While reading flags on /var/lib/ca-certificates/openssl/49742892.r0 Anyway I see the next error, if I link after "update-ca-certificates": # openssl verify -crl_check_all MY-CA.crt TGM-VPN-CA.crt: CN = My CA error 12 at 0 depth lookup:CRL has expired OK Even this OpenSSL error is mostly undocumented. It may be a problem related to Easyrsa3.
Oh, joy of relying on undocumented tools using undocumented utilities ...
TL;DR - it is not possible :)
openSUSE is using p11-kit to manage certificates and p11-kit currently simply does not support CRL (I would love to be proven wrong). There are ideas about providing common revocation cache, but this link has "no source available" as of now.
I tried to chain root certificate with CRL but it does not work either - p11-glue trust module does not blindly copy certificate file, but rather extracts certificate and creates new file. Oh, one of the most secure OS does not support system-wide CRLs ...
Andrei, is there a known bug report upstream or in openSUSE?
OTOH what is the purpose of storing CRL for openssl? If you intend to use this CA for web sites, browsers usually request CRL themselves? I have an internal CA. The Owncloud client which is a Qt application has no own configuration for root certificates and CRLs AFAIK. Owncloud recognizes the root certificate but would probably accept revokes certificates. There are other client and server application which also would profit from a system-wide certificate setup.
Of course also the distribution which recent updates of CRL files to many clients is an unsolved problem. For some users OSCP may be an option, but an OSCP setup is probably to much for my relatively small network. Greetings, Björn -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org
On Fri, Oct 21, 2016 at 12:25 AM, Bjoern Voigt <bjoernv@arcor.de> wrote:
Andrei Borzenkov wrote:
On Thu, Oct 20, 2016 at 1:09 AM, Bjoern Voigt <bjoernv@arcor.de> wrote:
Bjoern Voigt wrote:
# ln -sv /etc/pki/trust/anchors/MY-CA.crl /var/lib/ca-certificates/openssl/49742892.r0 '/var/lib/ca-certificates/openssl/49742892.r0' -> '/etc/pki/trust/anchors/MY-CA.crl' # update-ca-certificates I found, that "update-ca-certificates" remove the manually created link. Not good. Unfortunately also "chattr +i" does not help here to keep the link intact:
# sudo lsattr /var/lib/ca-certificates/openssl/49742892.r0 lsattr: Operation not supported While reading flags on /var/lib/ca-certificates/openssl/49742892.r0
Anyway I see the next error, if I link after "update-ca-certificates":
# openssl verify -crl_check_all MY-CA.crt TGM-VPN-CA.crt: CN = My CA error 12 at 0 depth lookup:CRL has expired OK
CRLs have limited validity time. What "openssl crl -noout -text -in /path/to/CRL" says?
Even this OpenSSL error is mostly undocumented. It may be a problem related to Easyrsa3.
Oh, joy of relying on undocumented tools using undocumented utilities ...
TL;DR - it is not possible :)
openSUSE is using p11-kit to manage certificates and p11-kit currently simply does not support CRL (I would love to be proven wrong). There are ideas about providing common revocation cache, but this link has "no source available" as of now.
I tried to chain root certificate with CRL but it does not work either - p11-glue trust module does not blindly copy certificate file, but rather extracts certificate and creates new file. Oh, one of the most secure OS does not support system-wide CRLs ...
System-wide *CLRs* ? 1. There is not as much as system-wide cryptography implementation - OpenSSL (and derivatives), GNU TLS, Mozilla NSS, Java, Mono, ... Each of course is using own default certificate store. Add system vs. user in the mix (I believe FIrefox defaults to local embedded root certificates). So you do not even have system-wide root certificates. update-ca-certificates actually attempts to at least update all those locations from single common source. 2. Any stored CRL file is by definition outdated the moment you stored it. Which is the reason OCSP and other online protocols exist.
Andrei, is there a known bug report upstream or in openSUSE?
Not sure if you can cover it in single bug report in single upstream. Somewhat related https://www.happyassassin.net/2015/01/12/a-note-about-ssltls-trusted-certifi... But of course, this is valid request. You probably can raise this on factory list, I expect some people there are much more familiar with this than me. update-ca-certificates upstream is here: https://github.com/openSUSE/ca-certificates
OTOH what is the purpose of storing CRL for openssl? If you intend to use this CA for web sites, browsers usually request CRL themselves? I have an internal CA. The Owncloud client which is a Qt application has no own configuration for root certificates and CRLs AFAIK. Owncloud recognizes the root certificate but would probably accept revokes certificates. There are other client and server application which also would profit from a system-wide certificate setup.
Of course also the distribution which recent updates of CRL files to many clients is an unsolved problem. For some users OSCP may be an option, but an OSCP setup is probably to much for my relatively small network.
-- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org
Andrei Borzenkov wrote:
On Fri, Oct 21, 2016 at 12:25 AM, Bjoern Voigt <bjoernv@arcor.de> wrote:
Andrei Borzenkov wrote:
On Thu, Oct 20, 2016 at 1:09 AM, Bjoern Voigt <bjoernv@arcor.de> wrote:
Bjoern Voigt wrote:
# ln -sv /etc/pki/trust/anchors/MY-CA.crl /var/lib/ca-certificates/openssl/49742892.r0 '/var/lib/ca-certificates/openssl/49742892.r0' -> '/etc/pki/trust/anchors/MY-CA.crl' # update-ca-certificates I found, that "update-ca-certificates" remove the manually created link. Not good. Unfortunately also "chattr +i" does not help here to keep the link intact:
# sudo lsattr /var/lib/ca-certificates/openssl/49742892.r0 lsattr: Operation not supported While reading flags on /var/lib/ca-certificates/openssl/49742892.r0
Anyway I see the next error, if I link after "update-ca-certificates":
# openssl verify -crl_check_all MY-CA.crt TGM-VPN-CA.crt: CN = My CA error 12 at 0 depth lookup:CRL has expired OK
CRLs have limited validity time. What "openssl crl -noout -text -in /path/to/CRL" says? Thanks. My CRL was really outdated. I didn't know, that the CRL must be regenerated even if no certificates were revoked in a time-frame.
From a security perspective it's "interesting", that some authors recommend to generate CRLs in cronjobs. This means, that a cronjob must have access to the CA passphrase:
https://inuits.eu/blog/updating-crl-easy-rsa I found, that is is enough to 1. set EASYRSA_CRL_DAYS to a reasonable number of days in Easyrsa3 2. run "easyrsa gen-crl" 3. distribute the CRL, e.g. to the CRL download URL location served by a webserver or 4. copy the CRL to /var/lib/ca-certificates/openssl/$(openssl crl -noout -hash -in /etc/pki/trust/anchors/MY-CA.crl).r0
Even this OpenSSL error is mostly undocumented. It may be a problem related to Easyrsa3.
Oh, joy of relying on undocumented tools using undocumented utilities ...
TL;DR - it is not possible :)
openSUSE is using p11-kit to manage certificates and p11-kit currently simply does not support CRL (I would love to be proven wrong). There are ideas about providing common revocation cache, but this link has "no source available" as of now.
I tried to chain root certificate with CRL but it does not work either - p11-glue trust module does not blindly copy certificate file, but rather extracts certificate and creates new file. Oh, one of the most secure OS does not support system-wide CRLs ...
System-wide *CLRs* ?
1. There is not as much as system-wide cryptography implementation - OpenSSL (and derivatives), GNU TLS, Mozilla NSS, Java, Mono, ... Each of course is using own default certificate store. Add system vs. user in the mix (I believe FIrefox defaults to local embedded root certificates). So you do not even have system-wide root certificates. update-ca-certificates actually attempts to at least update all those locations from single common source. I know. It's a frustrating situation.
2. Any stored CRL file is by definition outdated the moment you stored it. Which is the reason OCSP and other online protocols exist.
Andrei, is there a known bug report upstream or in openSUSE?
Not sure if you can cover it in single bug report in single upstream. Somewhat related
https://www.happyassassin.net/2015/01/12/a-note-about-ssltls-trusted-certifi...
But of course, this is valid request. You probably can raise this on factory list, I expect some people there are much more familiar with this than me. update-ca-certificates upstream is here: https://github.com/openSUSE/ca-certificates
OTOH what is the purpose of storing CRL for openssl? If you intend to use this CA for web sites, browsers usually request CRL themselves? I have an internal CA. The Owncloud client which is a Qt application has no own configuration for root certificates and CRLs AFAIK. Owncloud recognizes the root certificate but would probably accept revokes certificates. There are other client and server application which also would profit from a system-wide certificate setup.
Of course also the distribution which recent updates of CRL files to many clients is an unsolved problem. For some users OSCP may be an option, but an OSCP setup is probably to much for my relatively small network. I looked at this, but did not found an easy-to-setup OSCP server. Some OSCP servers are easy, but experimental and not production ready like
Thanks. I have to check this later because for unknown reasons I currently can't open Github.com. the OpenSSL built-in OSCP responder. Greetings, Björn -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org
participants (2)
-
Andrei Borzenkov
-
Bjoern Voigt