Dominique Quatravaux

NAME

make-crls.pl - Example code to make RFC3280-compliant CRLv2s with Crypt::OpenSSL::CA

DESCRIPTION

The test private keys and certificates are assumed to be generated already. See make-cert-chain.pl in the same directory to see how to do that.

Issuer coordinates

The issuer DN and key identifiers are taken directly from the CA certificate.

CRL Number

Long ASN.1 integers are supported, so the CRL number is not limited to the width of a native integer.

REGULAR CRL

First things first.

Global CRL settings

CRL dates are supported using the dual ASN.1 date format in conformance with RFC3280 sections 5.1.2.4 and 5.1.2.5.

RFC3280 section 5.1.2.1 now makes v2 for CRLs mandatory; not coincidentally, this is the default in Crypt::OpenSSL::CA. The authorityKeyIdentifier and crlNumber extensions are also mandatory. authorityKeyIdentifier MUST NOT be critical as per section 4.2.1.1, while crlNumber MUST be critical as per 5.1.2.1.

Just for fun, we add a freshestCRL extension as per RFC3280 section 5.2.6; the corresponding delta CRL is issued below, see "DELTA CRL".
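The two encoding points above, a CRL number wider than a native integer and the UTCTime/GeneralizedTime switch in the dual date format, shown as an added Python example that is not part of make-crls.pl or of Crypt::OpenSSL::CA: the script drives the module's API, while these stdlib-only helpers spell out the DER bytes the module has to emit for crlNumber, thisUpdate/nextUpdate and the crlNumber Extension wrapper (the critical flag is a parameter; the 20-octet limit is RFC3280 section 5.2.3).

```python
# Added example, not part of make-crls.pl or Crypt::OpenSSL::CA: stdlib-only DER
# encoders for a long crlNumber and for RFC 3280 dual-format CRL dates.
from datetime import datetime, timezone

INTEGER, OCTET_STRING, UTCTIME, GENERALIZEDTIME, SEQUENCE = 0x02, 0x04, 0x17, 0x18, 0x30
OID_CRL_NUMBER = bytes.fromhex("0603551d14")  # OBJECT IDENTIFIER id-ce-cRLNumber (2.5.29.20)


def der_tlv(tag: int, body: bytes) -> bytes:
    """Tag, definite-form length (short or long), value."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def der_integer(value: int) -> bytes:
    """ASN.1 INTEGER of any width; crlNumber is non-negative and at most 20 octets (RFC 3280 5.2.3)."""
    if value < 0:
        raise ValueError("crlNumber must be non-negative")
    # Minimal big-endian two's complement: one extra byte only when the top bit would be set.
    body = value.to_bytes((value.bit_length() + 8) // 8, "big")
    if len(body) > 20:
        raise ValueError("RFC 3280 5.2.3 caps crlNumber at 20 octets")
    return der_tlv(INTEGER, body)


def der_time(dt: datetime) -> bytes:
    """thisUpdate/nextUpdate: UTCTime through 2049, GeneralizedTime from 2050 on (5.1.2.4, 5.1.2.5)."""
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=timezone.utc)  # assumption: naive datetimes are already UTC
    dt = dt.astimezone(timezone.utc)
    if 1950 <= dt.year <= 2049:
        return der_tlv(UTCTIME, dt.strftime("%y%m%d%H%M%SZ").encode("ascii"))
    return der_tlv(GENERALIZEDTIME, dt.strftime("%Y%m%d%H%M%SZ").encode("ascii"))


def crl_number_extension(number: int, critical: bool) -> bytes:
    """Extension ::= SEQUENCE { extnID OID, critical BOOLEAN DEFAULT FALSE, extnValue OCTET STRING }."""
    flag = bytes.fromhex("0101ff") if critical else b""  # DER omits a field equal to its DEFAULT
    return der_tlv(SEQUENCE, OID_CRL_NUMBER + flag + der_tlv(OCTET_STRING, der_integer(number)))


if __name__ == "__main__":
    # A crlNumber well past 64 bits, wrapped as the critical extension the text calls for.
    print(crl_number_extension(2**80, critical=True).hex())
    print(der_time(datetime(2049, 12, 31, 23, 59, 59, tzinfo=timezone.utc)))
    print(der_time(datetime(2050, 1, 1, tzinfo=timezone.utc)))
```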

Revoked Certificates List

In order of appearance: a CRLv1-like unadorned entry, an entry with an unspecified revocation reason, an entry for a certificate that was put on hold (which the delta CRL below removes), and an entry for a certificate whose key was compromised (with a compromiseTime set). Notice that the CRL entries are in no particular order.

All done

Now we just have to sign the CRL.

DELTA CRL

Because we can.

(Just make sure to update the CRL number as per RFC3280, section 5.2.3)

Revoked Certificates List

We add a revoked certificate to the CRL, and remove the hold instruction from certificate 0x42.

All done

Now we just have to sign the CRL.

TEST DATA