Thursday, March 27, 2014

Create self signed SSL certificates with crl/ocsp X509 Extensions using openssl

Posted by sudheera on 12:57 AM

(image source : https://ssl.trustwave.com/support/support-how-ssl-works.php)

In order to test OCSP/CRL validation we need to send the client request with SSL certificates that carry information about the CRL and the OCSP responder. For that we can add the authorityInfoAccess and crlDistributionPoints extensions to the certificates. Here I'm using the openssl tool on a Linux terminal to create the required certificates.

what we need to create:

step 1. RSA key for the root CA
step 2. Root CA certificate
step 3. RSA key for the subordinate (client)
step 4. Subordinate certificate request (CSR)
and then we can get the subordinate signed by the root CA.

step 1
create a 4096-bit RSA key named ca.key

openssl genrsa -out ca.key 4096

step 2
create the root CA certificate using the generated key. Enter the following line and provide the information about your root CA that you are asked for.

openssl req -new -x509 -days 1826 -key ca.key -out ca.crt

step 3
create an RSA key for the subordinate

openssl genrsa -out ia.key 4096

step 4
create a certificate signing request (CSR) for the subordinate with the key from step 3, and provide the subject information when asked.

openssl req -new -key ia.key -out ia.csr

Ok. Now we have to add the required extensions before signing the certificate signing request. First create a file named my.cnf with the following content.

authorityInfoAccess = OCSP;URI: http://ocsp.digicert.com
crlDistributionPoints=URI:http://crl3.digicert.com/ca3-g17.crl

Now we can run the following signing command, passing the file created above with -extfile.

openssl x509 -req -days 730 -in ia.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out ia.crt -extfile my.cnf

Now we have the ia.crt certificate signed by ca.crt.
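The whole procedure as an added, self-checking example (not code from the original post): it runs steps 1 to 4 and the signing command without prompts in a scratch directory, counts the two extensions in the issued certificate, verifies the chain, and shows that a mistyped access method in the extension file is refused at signing time. Subject names, the OCSP/CRL URLs and the function names are assumptions made here.

```shell
#!/bin/sh
# Added example, not from the original post: runs the post's steps 1-4 and the
# signing command non-interactively in a scratch directory, then inspects the
# result. Subject names and the OCSP/CRL URLs are constructed placeholders.
set -eu

make_chain() {
    dir="$1"; mkdir -p "$dir"
    # steps 1 and 2: root CA key and self-signed root certificate (-subj skips the prompts)
    openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null
    openssl req -new -x509 -days 1826 -key "$dir/ca.key" -out "$dir/ca.crt" \
        -subj "/CN=Example Test Root CA" 2>/dev/null
    # steps 3 and 4: subordinate key and certificate signing request
    openssl genrsa -out "$dir/ia.key" 2048 2>/dev/null
    openssl req -new -key "$dir/ia.key" -out "$dir/ia.csr" \
        -subj "/CN=client.example.test" 2>/dev/null
    # extension file with the same two entries as the post's my.cnf
    cat > "$dir/my.cnf" <<'EOF'
authorityInfoAccess = OCSP;URI:http://ocsp.example.test
crlDistributionPoints = URI:http://crl.example.test/root.crl
EOF
    # sign the CSR with the root CA and attach the extensions
    openssl x509 -req -days 730 -in "$dir/ia.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -set_serial 01 -out "$dir/ia.crt" -extfile "$dir/my.cnf" 2>/dev/null
}

# Number of the two revocation-pointer extensions present in ia.crt (2 = both).
ext_count() {
    openssl x509 -in "$1/ia.crt" -noout -text |
        grep -c -e 'OCSP - URI:' -e 'URI:http://crl.example.test/root.crl'
}

# "ok" when ia.crt chains to ca.crt, "fail" otherwise.
chain_status() {
    if openssl verify -CAfile "$1/ca.crt" "$1/ia.crt" >/dev/null 2>&1
    then echo ok; else echo fail; fi
}

# "rejected" when openssl refuses an unknown access method such as the "OSCP"
# typo from the comments below; a misspelt extfile never yields a certificate.
typo_check() {
    printf 'authorityInfoAccess = OSCP;URI:http://ocsp.example.test\n' > "$1/bad.cnf"
    if openssl x509 -req -days 730 -in "$1/ia.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
        -set_serial 02 -out "$1/bad.crt" -extfile "$1/bad.cnf" 2>/dev/null
    then echo accepted; else echo rejected; fi
}
```

Call make_chain with a scratch directory, then ext_count, chain_status and typo_check on the same directory; ext_count prints 2 and chain_status prints ok when everything worked.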

The next blog post will be about how to test OCSP/CRL verification at the transport listener using cURL.

resources:
http://blog.didierstevens.com/2008/12/30/howto-make-your-own-cert-with-openssl/
http://stackoverflow.com/questions/11966123/howto-create-a-certificate-using-openssl-including-a-crl-distribution-point/12023746#12023746

2 comments:

Getting the following

openssl x509 -req -days 730 -in ia.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out ia.crt -extfile my.cnf
Error Loading extension section default
140502955127872:error:0D06407A:asn1 encoding routines:a2d_ASN1_OBJECT:first num too large:../crypto/asn1/a_object.c:73:
140502955127872:error:2208B077:X509 V3 routines:v2i_AUTHORITY_INFO_ACCESS:bad object:../crypto/x509v3/v3_info.c:144:value=OSCP
140502955127872:error:22098080:X509 V3 routines:X509V3_EXT_nconf:error in extension:../crypto/x509v3/v3_conf.c:47:name=authorityInfoAccess, value=OSCP;URI: http://ocsp.digicert.com

In the output above, it shows "value=OSCP" which should read:
value=OCSP
Check your my.cnf file for this typo
