crlv2.t - Make an RFC3280-compliant CRLv2
This test walks the reader through using Crypt::OpenSSL::CA to issue a standards-compliant CRLv2.
Provided by Crypt::OpenSSL::CA::Test. See make-x509-cert.t for details.
The issuer DN and key identifiers are taken directly from the CA certificate.
CRL dates are supported using the dual ASN.1 date format in conformance with RFC3280 sections 5.1.2.4 and 5.1.2.5.
RFC3280 section 5.1.2.1 now makes v2 for CRLs mandatory; not coincidentally, this is the default in Crypt::OpenSSL::CA. The authorityKeyIdentifier and crlNumber extensions are also mandatory. authorityKeyIdentifier MUST NOT be critical as per section 4.2.1.1, while crlNumber MUST be as per 5.1.2.1.
Just for fun, we add a freshestCRL extension as per RFC3280 section 5.2.6; the corresponding delta CRL is issued by delta-crl.t.
In order of appearance: a CRLv1-like unadorned entry, an entry with unspecified revocation reason, an entry for a certificate that was put on hold (that is removed by the delta-CRL, see delta-crl.t), and an entry for a certificate whose key was compromised (with a compromiseTime set). Notice that the CRL entries are in no particular order.
Now we just have to sign the CRL.
In order for this test to succeed, the various decorations we set up for the CRL must show up in openssl crl or dumpasn1.
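The steps above, condensed into one script as an added example; it is not the test's own source, which this page does not reproduce. The PEM file names, serial numbers, dates and delta-CRL URL are constructed, and the method names follow the Crypt::OpenSSL::CA documentation as understood here, so check them against the installed version.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Crypt::OpenSSL::CA;

# Hypothetical input files: the CA certificate and its unencrypted private key.
sub slurp {
    my ($path) = @_;
    open(my $fh, "<", $path) or die "cannot read $path: $!";
    local $/;
    return scalar <$fh>;
}
my $ca_cert = Crypt::OpenSSL::CA::X509->parse(slurp("ca-cert.pem"));
my $ca_key  = Crypt::OpenSSL::CA::PrivateKey->parse(slurp("ca-key.pem"));

my $crl = Crypt::OpenSSL::CA::X509_CRL->new;    # v2 is the default

# Issuer DN and key identifier are taken directly from the CA certificate.
$crl->set_issuer_DN($ca_cert->get_subject_DN);
my $keyid = $ca_cert->get_subject_keyid;

# Constructed dates in "Zulu" notation. Under RFC3280 5.1.2.4 and 5.1.2.5,
# 2007 falls in the UTCTime range and 2057 (past 2049) in GeneralizedTime.
$crl->set_lastUpdate("20070101000000Z");
$crl->set_nextUpdate("20570101000000Z");

# Mandatory extensions. No -critical flag on authorityKeyIdentifier,
# so it stays non-critical as section 4.2.1.1 requires.
$crl->set_extension("authorityKeyIdentifier", { keyid => $keyid });
$crl->set_extension("crlNumber", "0x10");    # CRL sequence number, hex string

# Pointer to the delta CRL (constructed URL).
$crl->set_extension("freshestCRL", "URI:http://www.example.com/deltacrl.crl");

# Entries, deliberately in no particular order (constructed serials and dates).
$crl->add_entry("0x10", "20070212100000Z");                  # CRLv1-like, unadorned
$crl->add_entry("0x11", "20070212100100Z", -reason => "unspecified");
$crl->add_entry("0x42", "20070212090100Z", -reason => "certificateHold");
$crl->add_entry("0x12", "20070212100200Z",
                -reason          => "keyCompromise",
                -compromise_time => "20070210000000Z");

# sign() returns the CRL in PEM form.
print $crl->sign($ca_key, "sha256");
```

Piping the output through `openssl crl -text -noout` shows whether the version, both dates, the three extensions and the per-entry reason codes came out as intended.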