Certificate Revocation Lists

Certificate Revocation Lists (CRLs) are used to invalidate certificates in the wild which have been compromised. This covers server-side revocation enforcement. A CRL should include all of the CRL’s up to the Root CA.

Create CRL.
openssl ca -config /root/ca/root/root.ca -gencrl -out /root/ca/root/crl/root.crl.pem
openssl ca -config /root/ca/inter/inter.ca -gencrl -out /root/ca/inter/crl/inter.crl.pem
cat /root/ca/root/crl/root.crl.pem /root/ca/inter/crl/inter.crl.pem > /root/ca/ca-chain.crl.pem

Note

Run these commands to regenerate the CRL’s automatically with a new serial number and expiry date. Expired CRL’s will lead to certificate authentication failures!

Check Current CRL Status.
openssl crl -in /root/ca/root/crl/root.crl.pem -noout -text
openssl crl -in /root/ca/inter/crl/inter.crl.pem -noout -text
openssl crl -in /root/ca/ca-chain.crl.pem -noout -text

Revoking Certificate

This will prevent a compromised certificate (which is still valid) from being used.

Revoke Certificate and Update CRL.
openssl ca -config /root/ca/inter/inter.ca -revoke /root/ca/inter/certs/{TARGET}.cert.pem
openssl ca -config /root/ca/inter/inter.ca -gencrl -out /root/ca/inter/crl/inter.crl.pem
cat /root/ca/root/crl/root.crl.pem /root/ca/inter/crl/inter.crl.pem > /root/ca/ca-chain.crl.pem
  • The new CRL needs to be deployed to any service using the Intermediate CA.

  • This can also be applied at the Root CA level to revoke intermediate CA’s.

  • The combined CRL needs to be re-created as well.