Generic question on CRL use - modssl



Thread: Generic question on CRL use

  1. Generic question on CRL use

    Hi all,

    new on the list, and not a tricky question

    We use client certs authentication at our office, there is a CA chain
    like this :

    BigCA (self signed)
    IntermediateCA (signed by BigCA)
    ServerCert (signed by IntermediateCA) used by Apache/modssl
    ClientCA (signed by IntermediateCA)
    many clients (signed by ClientCA)

    - ClientX has 1 year validity
    - ClientCA has 4 years' validity, but is replaced at half life (2 years),
    so a ClientX signed by the old ClientCA version remains valid until
    expiration.
    - The CRL is signed by the most recent ClientCA

    So, at a time, we have 2 ClientCA with different key and different
    validity period, but same DN.

    The problem is, verifying client certs works with both ClientCAs
    stacked; but when using a CRL, old clients work only if the CRL is signed
    by the old ClientCA.

    1/ Is it RFC compliant, and if not, why (reference?).
    2/ If this is RFC compliant, why does OpenSSL not handle this?

    Thanks for all help you could provide.
    __________________________________________________ ____________________
    Apache Interface to OpenSSL (mod_ssl) www.modssl.org
    User Support Mailing List modssl-users@modssl.org
    Automated List Manager majordomo@modssl.org


  2. Re: Generic question on CRL use

    Gilles Cuesta wrote:
    > So, at a time, we have 2 ClientCA with different key and different
    > validity period, but same DN.


    This is bad practice. Try searching for "CA key roll-over".

    > The problem is, when verifying client cert work with both ClientCA
    > stacked; but when using CRL, old clients work only if CRL is signed by
    > old ClientCA.


    Well, you asked for trouble...

    You could try to add the authorityKeyIdentifier extension to the CRL if
    it's also present in the CA certs. This could work with some software.

    But my strong recommendation: Fix your 2nd ClientCA cert.

    Ciao, Michael.


  3. Re: Generic question on CRL use

    2008/6/16 Michael Ströder :
    > Gilles Cuesta wrote:
    >> So, at a time, we have 2 ClientCA with different key and different
    >> validity period, but same DN.
    >
    > This is bad practice. Try searching for "CA key roll-over".


    I found docs about it, but for proprietary PKI, and couldn't tell whether
    this feature is implemented ...

    >> The problem is, when verifying client cert work with both ClientCA
    >> stacked; but when using CRL, old clients work only if CRL is signed by
    >> old ClientCA.
    >
    > Well, you asked for trouble...
    >
    > You could try to add the authorityKeyIdentifier extension to the CRL if it's
    > also present in the CA certs. This could work with some software.


    Here we are

    apache.crl
    Certificate Revocation List (CRL):
            Version 2 (0x1)
            ....
            X509v3 Authority Key Identifier:
                keyid:B8:85:B4...

    apache-caclient.cer
    Certificate:
        ....
        Validity
            Not Before: Feb 29 12:23:38 2007 GMT
            Not After : Feb 29 12:23:58 2011 GMT
        ....
            X509v3 Key Usage: critical
                Certificate Sign, CRL Sign
            ....
            X509v3 Subject Key Identifier:
                B8:85:B4...
            X509v3 Authority Key Identifier:
                keyid:56:4D:A9...

    apache-caclient-old.cer
    Certificate:
        ....
        Validity
            Not Before: May 18 14:35:12 2005 GMT
            Not After : May 18 14:35:12 2009 GMT
        ....
        X509v3 extensions:
            X509v3 Key Usage: critical
                Certificate Sign, CRL Sign
            ....
            X509v3 Subject Key Identifier:
                87:1D:FC...
            X509v3 Authority Key Identifier:
                keyid:56:4D:A9...

    But it doesn't work as is, issuing "signature verification error" in the
    Apache error logs ...

    Is there something to be modified in the Apache/mod_ssl conf?

    Thank you


  4. Re: Generic question on CRL use

    Gilles Cuesta wrote:
    > 2008/6/16 Michael Ströder :
    >> Gilles Cuesta wrote:
    >>> So, at a time, we have 2 ClientCA with different key and different
    >>> validity period, but same DN.
    >>
    >> This is bad practice. Try searching for "CA key roll-over".
    >
    > I found docs about it, but proprietary PKI, and couldn't know if this
    > feature is implemented ...


    It's not a "feature"! Pretty sure there are docs out there describing
    best practices when conducting a CA key roll-over. One of the best
    practices is to change the subject DN of the CA entity cert.

    >> You could try to add the authorityKeyIdentifier extension to the CRL if it's
    >> also present in the CA certs. This could work with some software.

    > X509v3 Authority Key Identifier:
    > keyid:56:4D:A9...
    >
    > But it doesn't work asis, issuing "signature verification error" in
    > apache error logs ...


    Glad you learned so soon that it's better to rework your renewed sub-CA
    cert. ;-)

    Ciao, Michael.


  5. Re: Generic question on CRL use

    On June 16, 2008 12:46:56 pm Gilles Cuesta wrote:
    > 2008/6/16 Michael Ströder :
    > > Gilles Cuesta wrote:
    > >> So, at a time, we have 2 ClientCA with different key and different
    > >> validity period, but same DN.
    > >
    > > This is bad practice. Try searching for "CA key roll-over".
    >
    > I found docs about it, but proprietary PKI, and couldn't know if this
    > feature is implemented ...

    Check the IETF PKIX mailing list. There is a thread there by Santosh Chokhani
    and Stefan Santesson that goes into this. Short answer is - you can do what
    you want, but it's REALLY tricky, and Michael is right - best practice is to
    version your CAs (so the current one is CA1, the next one is CA2, etc.).

    > >> The problem is, when verifying client cert work with both ClientCA
    > >> stacked; but when using CRL, old clients work only if CRL is signed by
    > >> old ClientCA.
    > >
    > > Well, you asked for trouble...
    > >
    > > You could try to add the authorityKeyIdentifier extension to the CRL if
    > > it's also present in the CA certs. This could work with some software.
    >
    > Here we are

    Ummm I think you mean that you want to have, in the CRL DP in the client
    certificate, the crlIssuer field of the CRL DP - problem is that 90% of the
    software out there (Apache included) won't deal with it.

    BTW: To handle the case that you are trying to do, there was a patch sent in
    by Erwann ABALEA from Keynectis to the OpenSSL Users mailing list in
    January/February this year, IIRC. Perhaps you could try that - you'd have to
    do some fairly exotic things to mod_ssl, mind you, to get it to work.

    I'm with Michael - stop using the same name each time. Version your CAs.

    Have fun.

    --
    Patrick Patterson
    President and Chief PKI Architect,
    Carillon Information Security Inc.
    http://www.carillon.ca
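Added example, not from the thread and not mod_ssl's or OpenSSL's own code: the script below uses the openssl CLI to rebuild the situation Gilles describes (two ClientCA certs with the same DN and different keys, the CRL signed by the newer key and carrying its authorityKeyIdentifier) and then the layout Michael and Patrick recommend (versioned CA names, one CRL per CA generation). It assumes OpenSSL 1.1.1 or later on the PATH; the CA names ClientCA/ClientCA1/ClientCA2, the leaf names alice/bob/carol, the file names and the minimal `openssl ca` configuration are all constructed for the demo, and the BigCA/IntermediateCA levels above the ClientCA are left out because they do not change which CRL issuer the verifier selects.

```shell
#!/bin/sh
# Added example (not from the thread): reproduce the CRL issuer mismatch
# discussed above with the openssl CLI, then show the versioned-CA layout
# (ClientCA1 / ClientCA2) that the replies recommend. Needs OpenSSL >= 1.1.1.
# All CA names, file names and directories are constructed for this demo.
set -u
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
printf '[ req ]\ndistinguished_name = req_dn\n[ req_dn ]\n' > "$WORK/req.cnf"

# make_ca DIR CN: self-signed CA with keyUsage keyCertSign,cRLSign and a
# subjectKeyIdentifier, plus a minimal "openssl ca" config so it can issue
# leaf certs and CRLs. The CRL gets an authorityKeyIdentifier, like the
# apache.crl shown in the thread.
make_ca() {
  d="$WORK/$1"; mkdir -p "$d"
  : > "$d/index.txt"; echo 01 > "$d/serial"; echo 1000 > "$d/crlnumber"
  openssl req -x509 -new -config "$WORK/req.cnf" -newkey rsa:2048 -nodes \
    -sha256 -days 365 -subj "/CN=$2" -keyout "$d/ca.key" -out "$d/ca.pem" \
    -addext "basicConstraints=critical,CA:TRUE" \
    -addext "keyUsage=critical,keyCertSign,cRLSign" \
    -addext "subjectKeyIdentifier=hash" >/dev/null 2>&1
  cat > "$d/ca.cnf" <<EOF
[ ca ]
default_ca = demo_ca
[ demo_ca ]
database = $d/index.txt
serial = $d/serial
crlnumber = $d/crlnumber
new_certs_dir = $d
certificate = $d/ca.pem
private_key = $d/ca.key
default_md = sha256
default_crl_days = 30
policy = demo_policy
crl_extensions = crl_ext
[ demo_policy ]
commonName = supplied
[ leaf_ext ]
basicConstraints = CA:FALSE
authorityKeyIdentifier = keyid
[ crl_ext ]
authorityKeyIdentifier = keyid:always
EOF
}

# issue DIR CN: leaf cert for CN signed by the CA in DIR (AKID = that CA's SKID).
issue() {
  openssl req -new -config "$WORK/req.cnf" -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$WORK/$2.key" -out "$WORK/$2.csr" >/dev/null 2>&1
  openssl ca -config "$WORK/$1/ca.cnf" -batch -notext -days 90 \
    -extensions leaf_ext -in "$WORK/$2.csr" -out "$WORK/$2.pem" >/dev/null 2>&1
}

# gencrl DIR OUT: CRL signed by the CA in DIR.
gencrl() { openssl ca -config "$WORK/$1/ca.cnf" -gencrl -out "$WORK/$2" >/dev/null 2>&1; }

# verify TRUST CRLS CERT: prints 0 when CERT validates with CRL checking, 1 otherwise.
verify() {
  if openssl verify -crl_check -no-CApath -CAfile "$1" -CRLfile "$2" "$3" >/dev/null 2>&1
  then echo 0; else echo 1; fi
}

# Scenario 1, the thread's layout: two "ClientCA" certs, same DN, different keys.
# alice was issued by the old key; the CRL is signed by the new key.
make_ca old ClientCA; make_ca new ClientCA
issue old alice
cat "$WORK/old/ca.pem" "$WORK/new/ca.pem" > "$WORK/trust1.pem"
gencrl new crl-new.pem
# Chain building picks the old CA (alice's AKID matches its SKID); the CRL is
# checked against that chain issuer, whose key it does not match, so it is
# rejected even though the CRL carries an AKID: result 1.
SAME_DN=$(verify "$WORK/trust1.pem" "$WORK/crl-new.pem" "$WORK/alice.pem")      # 1

# Scenario 2, the recommended layout: ClientCA1 and ClientCA2, each with its
# own CRL. Both CRLs are offered together in one PEM file and each cert is
# matched to the CRL of its own issuer by name and key identifier.
make_ca ca1 ClientCA1; make_ca ca2 ClientCA2
issue ca1 bob; issue ca2 carol
cat "$WORK/ca1/ca.pem" "$WORK/ca2/ca.pem" > "$WORK/trust2.pem"
gencrl ca1 crl1.pem; gencrl ca2 crl2.pem
cat "$WORK/crl1.pem" "$WORK/crl2.pem" > "$WORK/crls.pem"
VERSIONED_BOB=$(verify "$WORK/trust2.pem" "$WORK/crls.pem" "$WORK/bob.pem")     # 0
VERSIONED_CAROL=$(verify "$WORK/trust2.pem" "$WORK/crls.pem" "$WORK/carol.pem") # 0

# Revoke bob on ClientCA1, reissue its CRL, and confirm the revocation is seen.
openssl ca -config "$WORK/ca1/ca.cnf" -revoke "$WORK/bob.pem" >/dev/null 2>&1
gencrl ca1 crl1.pem
cat "$WORK/crl1.pem" "$WORK/crl2.pem" > "$WORK/crls.pem"
REVOKED_BOB=$(verify "$WORK/trust2.pem" "$WORK/crls.pem" "$WORK/bob.pem")       # 1

printf 'same-DN rollover, CRL from new key: %s\n' "$SAME_DN"
printf 'versioned CAs: bob=%s carol=%s, bob after revocation=%s\n' \
  "$VERSIONED_BOB" "$VERSIONED_CAROL" "$REVOKED_BOB"
```

Run it as a plain `sh` script. The first scenario has the same root cause as the "signature verification error" in the thread: the verifier locates the issuer for the client cert (the old ClientCA, since its subjectKeyIdentifier matches the cert's AKID) and then checks the CRL against that one issuer, not against every CA that happens to carry the same name, so adding an AKID to the CRL does not rescue it. In the second scenario the CA generations have distinct names, the chain and the CRL always resolve to the same issuer, and revocation is detected. The two trust files play the role of mod_ssl's SSLCACertificateFile and the concatenated CRL file that of SSLCARevocationFile.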

