NAME
make-crls.pl - Example code to make RFC3280-compliant CRLv2s with Crypt::OpenSSL::CA
DESCRIPTION
The test private keys and certificates are assumed to be generated already. See make-cert-chain.pl in the same directory to see how to do that.
Issuer coordinates
The issuer DN and key identifiers are taken directly from the CA certificate.
CRL Number
Long ASN.1 integers are supported as CRL numbers.
REGULAR CRL
First things first.
Global CRL settings
CRL dates are supported using the dual ASN.1 date format in conformance with RFC3280 sections 5.1.2.4 and 5.1.2.5.
RFC3280 section 5.1.2.1 now makes v2 for CRLs mandatory; not coincidentally, this is the default in Crypt::OpenSSL::CA. The authorityKeyIdentifier and crlNumber extensions are also mandatory. authorityKeyIdentifier MUST NOT be critical as per section 4.2.1.1, while crlNumber MUST be as per 5.1.2.1.
Just for fun, we add a freshestCRL extension as per RFC3280 section 5.2.6; the corresponding delta CRL is issued below, see "DELTA CRL".
Revoked Certificates List
In order of appearance: a CRLv1-like unadorned entry, an entry with unspecified revocation reason, an entry for a certificate that was put on hold (that is removed by the delta CRL, see below), and an entry for a certificate whose key was compromised (with a compromiseTime set). Notice that the CRL entries are in no particular order.
All done
Now we just have to sign the CRL.
DELTA CRL
Because we can.
(Just make sure to update the CRL number as per RFC3280, section 5.2.3.)
Revoked Certificates List
We add a revoked certificate to the CRL, and remove the hold instruction from certificate 0x42.
All done
Now we just have to sign the CRL.
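The two CRLs described under "REGULAR CRL" and "DELTA CRL", as an added example that is not the distribution's own make-crls.pl: method names follow the Crypt::OpenSSL::CA documentation as I recall it (verify against the installed version), and the key and certificate file names, the freshestCRL URI, the serial numbers, the dates and the delta_crl extension name are assumptions.

```perl
#!/usr/bin/perl
# Added example, not the distribution's make-crls.pl. Builds a base CRL and
# the matching delta CRL in the RFC3280 shape described above.
use strict;
use warnings;
use Crypt::OpenSSL::CA;

sub slurp { my ($f) = @_; open(my $fh, "<", $f) or die "$f: $!"; local $/; <$fh> }

# Issuer coordinates come straight from the CA certificate (assumed file names).
my $ca_key   = Crypt::OpenSSL::CA::PrivateKey->parse(slurp("ca.key.pem"));
my $ca_cert  = Crypt::OpenSSL::CA::X509->parse(slurp("ca.cert.pem"));
my $ca_dn    = $ca_cert->get_subject_DN;
my $ca_keyid = $ca_cert->get_subject_keyid;

# Settings shared by both CRLs: v2 (5.1.2.1), dual-format dates (5.1.2.4/5),
# non-critical authorityKeyIdentifier (4.2.1.1), critical crlNumber (5.1.2.1).
sub new_crl {
    my ($number, $last, $next) = @_;
    my $crl = Crypt::OpenSSL::CA::X509_CRL->new;
    $crl->set_version("2");
    $crl->set_issuer_DN($ca_dn);
    $crl->set_lastUpdate($last);
    $crl->set_nextUpdate($next);
    $crl->set_extension("authorityKeyIdentifier", { keyid => $ca_keyid });
    $crl->set_extension("crlNumber", $number, -critical => 1);
    return $crl;
}

# REGULAR CRL: CRL number 1, advertising the delta via freshestCRL (5.2.6).
# Entries are deliberately in no particular order; serials are constructed.
my $crl = new_crl("0x1", "20070101000000Z", "20080101000000Z");
$crl->set_extension("freshestCRL", "URI:http://ca.example.com/delta.crl");
$crl->add_entry("0x10", "20061201000000Z");                        # CRLv1-like
$crl->add_entry("0x11", "20061202000000Z", -reason => "unspecified");
$crl->add_entry("0x42", "20061203000000Z", -reason => "certificateHold");
$crl->add_entry("0x43", "20061204000000Z", -reason => "keyCompromise",
                -compromise_time => "20061130120000Z");             # invalidityDate
print $crl->sign($ca_key, "sha256");

# DELTA CRL: fresh CRL number (5.2.3) and a critical deltaCRLIndicator naming
# the base CRL number (5.2.4; OpenSSL short name assumed to be delta_crl).
# One new revocation, and the hold on 0x42 is lifted with removeFromCRL.
my $delta = new_crl("0x2", "20070201000000Z", "20070301000000Z");
$delta->set_extension("delta_crl", "0x1", -critical => 1);
$delta->add_entry("0x44", "20070115000000Z", -reason => "superseded");
$delta->add_entry("0x42", "20070116000000Z", -reason => "removeFromCRL");
print $delta->sign($ca_key, "sha256");
```

Check the output with `openssl crl -text -noout`: the base CRL should show crlNumber marked critical and authorityKeyIdentifier not, and the delta should show the Delta CRL Indicator and the removeFromCRL entry for 0x42.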