make-crls.pl - Example code to make RFC3280-compliant CRLv2s with Crypt::OpenSSL::CA
The test private keys and certificates are assumed to be generated already. See make-cert-chain.pl in the same directory to see how to do that.
make-cert-chain.pl
The issuer DN and key identifiers are taken directly from the CA certificate.
Long ASN1 integers are supported.
First things first.
CRL dates are supported using the dual ASN.1 date format in conformance with RFC3280 sections 5.1.2.4 and 5.1.2.5.
RFC3280 section 5.1.2.1 now makes v2 for CRLs mandatory; not coincidentally, this is the default in Crypt::OpenSSL::CA. The authorityKeyIdentifier and crlNumber extensions are also mandatory. authorityKeyIdentifier MUST NOT be critical as per section 4.2.1.1, while crlNumber MUST be as per 5.1.2.1.
authorityKeyIdentifier
crlNumber
Just for fun, we add a freshestCRL extension as per RFC3280 section 5.2.6; the corresponding delta CRL is issued below, see "DELTA CRL".
freshestCRL
In order of appearance: a CRLv1-like unadorned entry, an entry with unspecified revocation reason, an entry for a certificate that was put on hold (that is removed by the delta-CRL, see below), and an entry for a certificate whose key was compromised (with a compromiseTime set). Notice that the CRL entries are in no particular order.
unspecified
Now we just have to sign the CRL.
Just because we can.
We add a revoked certificate to the CRL, and remove the hold instruction from certificate 0x42.
To install Crypt::OpenSSL::CA, copy and paste the appropriate command in to your terminal.
cpanm
cpanm Crypt::OpenSSL::CA
CPAN shell
perl -MCPAN -e shell install Crypt::OpenSSL::CA
For more information on module installation, please visit the detailed CPAN module installation guide.