Certificate Revocation Lists 

Certificate Revocation Lists (CRLs) are used to invalidate certificates in the wild which have been compromised. This covers server-side revocation enforcement. A CRL should include all of the CRL’s up to the Root CA.

Create CRL.

openssl ca -config /root/ca/root/root.ca -gencrl -out /root/ca/root/crl/root.crl.pem
openssl ca -config /root/ca/inter/inter.ca -gencrl -out /root/ca/inter/crl/inter.crl.pem
cat /root/ca/root/crl/root.crl.pem /root/ca/inter/crl/inter.crl.pem > /root/ca/ca-chain.crl.pem

Note

Run these commands to regenerate the CRL’s automatically with a new serial number and expiry date. Expired CRL’s will lead to certificate authentication failures!

Check Current CRL Status.

openssl crl -in /root/ca/root/crl/root.crl.pem -noout -text
openssl crl -in /root/ca/inter/crl/inter.crl.pem -noout -text
openssl crl -in /root/ca/ca-chain.crl.pem -noout -text

Revoking Certificate

This will prevent a compromised certificate (which is still valid) from being used.

Revoke Certificate and Update CRL.

openssl ca -config /root/ca/inter/inter.ca -revoke /root/ca/inter/certs/{TARGET}.cert.pem
openssl ca -config /root/ca/inter/inter.ca -gencrl -out /root/ca/inter/crl/inter.crl.pem
cat /root/ca/root/crl/root.crl.pem /root/ca/inter/crl/inter.crl.pem > /root/ca/ca-chain.crl.pem

The new CRL needs to be deployed to any service using the Intermediate CA.
This can also be applied at the Root CA level to revoke intermediate CA’s.
The combined CRL needs to be re-created as well.

Certificate Revocation Lists

Revoking Certificate

Certificate Revocation Lists 