PKI TechNote CRLS

From Dogtag

Differences between NSS and OpenSSL CRLs

NSS Certificate Revocation Lists (CRLs) and OpenSSL CRLs can both be stored in Base-64 (PEM) encoded form. The encoded content is the same DER CertificateList; the only difference is the header and footer lines each tool accepts: NSS expects -----BEGIN CERTIFICATE REVOCATION LIST----- and the matching END line, whereas OpenSSL expects -----BEGIN X509 CRL----- and its matching END line.

- The Dogtag tool PrettyPrintCrl, located in the pki-java-tools package, reads both formats without any conversion. The NSS tool pp can also read either format.

NSS CRLs

The following is an example of an NSS CRL:

   -----BEGIN CERTIFICATE REVOCATION LIST-----
   MIIBmDCBgQIBATANBgkqhkiG9w0BAQUFADA/MR0wGwYDVQQKExRVc2Vyc3lzUmVk
   aGF0IERvbWFpbjEeMBwGA1UEAxMVQ2VydGlmaWNhdGUgQXV0aG9yaXR5Fw0wODAz
   MjYxOTMzMDJaFw0wODAzMjYyMzMzMDJaoA4wDDAKBgNVHRQEAwIBHDANBgkqhkiG
   9w0BAQUFAAOCAQEAK5w0zCzwtrIQaaTl8oF8TBFd+1ZSFar1Ue30OYd+ksSqzlMg
   finc3qhKQxtem1vOwCgx4FO0/guHazRj/YLtMF4WhSSdM3qnTNKmJIv2aLhJh89C
   oaObh0kXtvVr5QohTQKuEkg3iqyauEBZ1VRhdojAWFRNt43Zd6WIkyYwa8PzKGWb
   HsJ1aLhOBFveoUqEFpKrUb+aDEfPgSIKJJomjH12Qg3NQzRILuqVIcWwrlHr6W+v
   pHuHOdgtOJoT+Qe+fw2OgPtsgk72mgSfTRmVBWmnI48XwdyO9O5xscH1MWxxpW2K
   7OkC/YzU/QKuIfW8c6Rr009fKFDwrixf4wIj0Q==
   -----END CERTIFICATE REVOCATION LIST-----

Store this CRL in a file called crl.txt.

OpenSSL CRLs

The following is an example of an OpenSSL CRL:

   -----BEGIN X509 CRL-----
   MIIBmDCBgQIBATANBgkqhkiG9w0BAQUFADA/MR0wGwYDVQQKExRVc2Vyc3lzUmVk
   aGF0IERvbWFpbjEeMBwGA1UEAxMVQ2VydGlmaWNhdGUgQXV0aG9yaXR5Fw0wODAz
   MjYxOTMzMDJaFw0wODAzMjYyMzMzMDJaoA4wDDAKBgNVHRQEAwIBHDANBgkqhkiG
   9w0BAQUFAAOCAQEAK5w0zCzwtrIQaaTl8oF8TBFd+1ZSFar1Ue30OYd+ksSqzlMg
   finc3qhKQxtem1vOwCgx4FO0/guHazRj/YLtMF4WhSSdM3qnTNKmJIv2aLhJh89C
   oaObh0kXtvVr5QohTQKuEkg3iqyauEBZ1VRhdojAWFRNt43Zd6WIkyYwa8PzKGWb
   HsJ1aLhOBFveoUqEFpKrUb+aDEfPgSIKJJomjH12Qg3NQzRILuqVIcWwrlHr6W+v
   pHuHOdgtOJoT+Qe+fw2OgPtsgk72mgSfTRmVBWmnI48XwdyO9O5xscH1MWxxpW2K
   7OkC/YzU/QKuIfW8c6Rr009fKFDwrixf4wIj0Q==
   -----END X509 CRL-----

Store this CRL in a file called crl.pem.

Using Dogtag to Read CRLs

Most Dogtag Certificate System installations include the following tool to read an NSS CRL:

   PrettyPrintCrl crl.txt

Alternatively, a user can execute the following to read an OpenSSL CRL:

   PrettyPrintCrl crl.pem

In either case, this tool outputs something similar to the following:

   Certificate Revocation List:
       Data:
           Version:  v2
           Signature Algorithm: SHA1withRSA - 1.2.840.113549.1.1.5
           Issuer: CN=Certificate Authority,O=UsersysRedhat Domain
           This Update: Wednesday, March 26, 2008 12:33:02 PM PDT America/Los_Angeles
           Next Update: Wednesday, March 26, 2008 4:33:02 PM PDT America/Los_Angeles
           Revoked Certificates:
       Extensions:
           Identifier: CRL Number - 2.5.29.20
               Critical: no
               Number: 28
       Signature:
           Algorithm: SHA1withRSA - 1.2.840.113549.1.1.5
           Signature:
               2B:9C:34:CC:2C:F0:B6:B2:10:69:A4:E5:F2:81:7C:4C:
               11:5D:FB:56:52:15:AA:F5:51:ED:F4:39:87:7E:92:C4:
               AA:CE:53:20:7E:29:DC:DE:A8:4A:43:1B:5E:9B:5B:CE:
               C0:28:31:E0:53:B4:FE:0B:87:6B:34:63:FD:82:ED:30:
               5E:16:85:24:9D:33:7A:A7:4C:D2:A6:24:8B:F6:68:B8:
               49:87:CF:42:A1:A3:9B:87:49:17:B6:F5:6B:E5:0A:21:
               4D:02:AE:12:48:37:8A:AC:9A:B8:40:59:D5:54:61:76:
               88:C0:58:54:4D:B7:8D:D9:77:A5:88:93:26:30:6B:C3:
               F3:28:65:9B:1E:C2:75:68:B8:4E:04:5B:DE:A1:4A:84:
               16:92:AB:51:BF:9A:0C:47:CF:81:22:0A:24:9A:26:8C:
               7D:76:42:0D:CD:43:34:48:2E:EA:95:21:C5:B0:AE:51:
               EB:E9:6F:AF:A4:7B:87:39:D8:2D:38:9A:13:F9:07:BE:
               7F:0D:8E:80:FB:6C:82:4E:F6:9A:04:9F:4D:19:95:05:
               69:A7:23:8F:17:C1:DC:8E:F4:EE:71:B1:C1:F5:31:6C:
               71:A5:6D:8A:EC:E9:02:FD:8C:D4:FD:02:AE:21:F5:BC:
               73:A4:6B:D3:4F:5F:28:50:F0:AE:2C:5F:E3:02:23:D1

Using NSS to Read CRLs

The following NSS command can also be executed to read an NSS CRL:

/usr/<lib>/nss/unsupported-tools/pp -t crl -i crl.txt -a

where <lib> is either lib on 32-bit architectures, or lib64 on 64-bit architectures.

Alternatively, a user can execute the following to read an OpenSSL CRL:

/usr/<lib>/nss/unsupported-tools/pp -t crl -i crl.pem -a

where <lib> is either lib on 32-bit architectures, or lib64 on 64-bit architectures.

In either case, this tool outputs something similar to the following:

   CRL:
       Data:
           Version: 2 (0x1)
           Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
           Issuer: "CN=Certificate Authority,O=UsersysRedhat Domain"
           This Update: Wed Mar 26 19:33:02 2008
           Next Update: Wed Mar 26 23:33:02 2008
           CRL Extensions:
               Name: CRL Number
               Data: 28 (0x1c)
   
       Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
       Signature:
           2b:9c:34:cc:2c:f0:b6:b2:10:69:a4:e5:f2:81:7c:4c:
           11:5d:fb:56:52:15:aa:f5:51:ed:f4:39:87:7e:92:c4:
           aa:ce:53:20:7e:29:dc:de:a8:4a:43:1b:5e:9b:5b:ce:
           c0:28:31:e0:53:b4:fe:0b:87:6b:34:63:fd:82:ed:30:
           5e:16:85:24:9d:33:7a:a7:4c:d2:a6:24:8b:f6:68:b8:
           49:87:cf:42:a1:a3:9b:87:49:17:b6:f5:6b:e5:0a:21:
           4d:02:ae:12:48:37:8a:ac:9a:b8:40:59:d5:54:61:76:
           88:c0:58:54:4d:b7:8d:d9:77:a5:88:93:26:30:6b:c3:
           f3:28:65:9b:1e:c2:75:68:b8:4e:04:5b:de:a1:4a:84:
           16:92:ab:51:bf:9a:0c:47:cf:81:22:0a:24:9a:26:8c:
           7d:76:42:0d:cd:43:34:48:2e:ea:95:21:c5:b0:ae:51:
           eb:e9:6f:af:a4:7b:87:39:d8:2d:38:9a:13:f9:07:be:
           7f:0d:8e:80:fb:6c:82:4e:f6:9a:04:9f:4d:19:95:05:
           69:a7:23:8f:17:c1:dc:8e:f4:ee:71:b1:c1:f5:31:6c:
           71:a5:6d:8a:ec:e9:02:fd:8c:d4:fd:02:ae:21:f5:bc:
           73:a4:6b:d3:4f:5f:28:50:f0:ae:2c:5f:e3:02:23:d1
       Fingerprint (MD5):
           16:76:23:6A:BD:F8:8B:03:52:45:53:2F:FA:B8:1E:21
       Fingerprint (SHA1):
           0C:3D:57:C3:D6:06:87:1A:EA:8B:27:66:40:CD:31:90:F9:A1:AE:AC

Using OpenSSL to Read and Convert CRLs

Similarly, running the following OpenSSL command:

openssl crl -in crl.pem -noout -text

produces the following:

   Certificate Revocation List (CRL):
           Version 2 (0x1)
           Signature Algorithm: sha1WithRSAEncryption
           Issuer: /O=UsersysRedhat Domain/CN=Certificate Authority
           Last Update: Mar 26 19:33:02 2008 GMT
           Next Update: Mar 26 23:33:02 2008 GMT
           CRL extensions:
               X509v3 CRL Number: 
                   28
   No Revoked Certificates.
       Signature Algorithm: sha1WithRSAEncryption
           2b:9c:34:cc:2c:f0:b6:b2:10:69:a4:e5:f2:81:7c:4c:11:5d:
           fb:56:52:15:aa:f5:51:ed:f4:39:87:7e:92:c4:aa:ce:53:20:
           7e:29:dc:de:a8:4a:43:1b:5e:9b:5b:ce:c0:28:31:e0:53:b4:
           fe:0b:87:6b:34:63:fd:82:ed:30:5e:16:85:24:9d:33:7a:a7:
           4c:d2:a6:24:8b:f6:68:b8:49:87:cf:42:a1:a3:9b:87:49:17:
           b6:f5:6b:e5:0a:21:4d:02:ae:12:48:37:8a:ac:9a:b8:40:59:
           d5:54:61:76:88:c0:58:54:4d:b7:8d:d9:77:a5:88:93:26:30:
           6b:c3:f3:28:65:9b:1e:c2:75:68:b8:4e:04:5b:de:a1:4a:84:
           16:92:ab:51:bf:9a:0c:47:cf:81:22:0a:24:9a:26:8c:7d:76:
           42:0d:cd:43:34:48:2e:ea:95:21:c5:b0:ae:51:eb:e9:6f:af:
           a4:7b:87:39:d8:2d:38:9a:13:f9:07:be:7f:0d:8e:80:fb:6c:
           82:4e:f6:9a:04:9f:4d:19:95:05:69:a7:23:8f:17:c1:dc:8e:
           f4:ee:71:b1:c1:f5:31:6c:71:a5:6d:8a:ec:e9:02:fd:8c:d4:
           fd:02:ae:21:f5:bc:73:a4:6b:d3:4f:5f:28:50:f0:ae:2c:5f:
           e3:02:23:d1

Convert the PEM CRL to binary (DER encoded) format:

openssl crl -in crl.pem -out binary.crl -outform DER

Read a binary CRL (produces the same output as above):

openssl crl -in binary.crl -inform DER -noout -text

Convert the binary (DER encoded) CRL back to PEM format:

openssl crl -in binary.crl -inform DER -out crl.pem
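The following Python script is an added example, not code from the Dogtag project or from this page. It does in one place what the page does with three command-line tools: it accepts either marker pair, relabels a CRL between the NSS and OpenSSL conventions (only the BEGIN/END lines change, the Base-64 body is untouched), converts PEM to DER and back as the openssl crl -outform/-inform steps do, and decodes the DER CertificateList far enough to print the fields that PrettyPrintCrl, pp and openssl crl -text list above (version, issuer, update times, number of revoked entries, CRL Number, signature). The sample input is the page's own Base-64 CRL body; every function and constant name is this example's own.

```python
# Added example: read, relabel and decode NSS/OpenSSL PEM CRLs with the standard library only.
import base64
import re

# The two marker pairs shown on this page; the Base-64 payload between them is the same DER.
MARKERS = {
    "nss": ("-----BEGIN CERTIFICATE REVOCATION LIST-----",
            "-----END CERTIFICATE REVOCATION LIST-----"),
    "openssl": ("-----BEGIN X509 CRL-----", "-----END X509 CRL-----"),
}
_PEM_RE = re.compile(
    r"-----BEGIN (CERTIFICATE REVOCATION LIST|X509 CRL)-----\s*(.*?)\s*-----END \1-----", re.S)
OID_CRL_NUMBER = b"\x55\x1d\x14"                          # 2.5.29.20
ATTR_NAMES = {b"\x55\x04\x0a": "O", b"\x55\x04\x03": "CN"}  # the two RDN types in the sample issuer

# Base-64 body copied from the page's example CRL (identical in the NSS and OpenSSL samples).
CRL_B64 = (
    "MIIBmDCBgQIBATANBgkqhkiG9w0BAQUFADA/MR0wGwYDVQQKExRVc2Vyc3lzUmVk"
    "aGF0IERvbWFpbjEeMBwGA1UEAxMVQ2VydGlmaWNhdGUgQXV0aG9yaXR5Fw0wODAz"
    "MjYxOTMzMDJaFw0wODAzMjYyMzMzMDJaoA4wDDAKBgNVHRQEAwIBHDANBgkqhkiG"
    "9w0BAQUFAAOCAQEAK5w0zCzwtrIQaaTl8oF8TBFd+1ZSFar1Ue30OYd+ksSqzlMg"
    "finc3qhKQxtem1vOwCgx4FO0/guHazRj/YLtMF4WhSSdM3qnTNKmJIv2aLhJh89C"
    "oaObh0kXtvVr5QohTQKuEkg3iqyauEBZ1VRhdojAWFRNt43Zd6WIkyYwa8PzKGWb"
    "HsJ1aLhOBFveoUqEFpKrUb+aDEfPgSIKJJomjH12Qg3NQzRILuqVIcWwrlHr6W+v"
    "pHuHOdgtOJoT+Qe+fw2OgPtsgk72mgSfTRmVBWmnI48XwdyO9O5xscH1MWxxpW2K"
    "7OkC/YzU/QKuIfW8c6Rr009fKFDwrixf4wIj0Q=="
)

def wrap_pem(b64, style):
    """Wrap a Base-64 payload in the 'nss' or 'openssl' marker pair, 64 characters per line."""
    begin, end = MARKERS[style]
    return "\n".join([begin, *(b64[i:i + 64] for i in range(0, len(b64), 64)), end]) + "\n"

def pem_body(text):
    """Return the whitespace-free Base-64 payload, accepting either marker pair."""
    m = _PEM_RE.search(text)
    if not m:
        raise ValueError("no NSS or OpenSSL CRL markers found")
    return "".join(m.group(2).split())

def convert_pem(text, style):
    """Relabel a CRL for NSS or OpenSSL; only the marker lines change."""
    return wrap_pem(pem_body(text), style)

def crl_der(text):
    """PEM -> DER, the bytes 'openssl crl -outform DER' writes."""
    return base64.b64decode(pem_body(text), validate=True)

def der_to_pem(der, style):
    """DER -> PEM, the reverse of crl_der."""
    return wrap_pem(base64.b64encode(der).decode("ascii"), style)

def read_tlv(buf, pos):
    """Decode one DER tag and length at pos -> (tag, content_start, content_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                      # long form: low 7 bits = count of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("DER length runs past the end of the buffer")
    return tag, pos, pos + length

def children(buf, start, end):
    """Yield (tag, content_start, content_end) for each TLV inside a constructed element."""
    while start < end:
        tag, cs, ce = read_tlv(buf, start)
        yield tag, cs, ce
        start = ce

def parse_crl(der):
    """Extract the fields that PrettyPrintCrl, pp and 'openssl crl -text' print."""
    outer = read_tlv(der, 0)
    if outer[0] != 0x30 or outer[2] != len(der):
        raise ValueError("not a single DER SEQUENCE")
    (_, ts, te), _sig_alg, (_, ss, se) = children(der, outer[1], outer[2])
    fields = list(children(der, ts, te))                   # tbsCertList members, in order
    info = {"version": 1, "next_update": None, "revoked_count": 0, "crl_number": None}
    if fields[0][0] == 0x02:                               # optional version INTEGER; v2 is encoded as 1
        info["version"] = der[fields[0][1]] + 1
        fields.pop(0)
    fields.pop(0)                                          # signature AlgorithmIdentifier (skipped)
    _, is_, ie = fields.pop(0)                             # issuer: SEQUENCE OF SET OF AttributeTypeAndValue
    rdns = []
    for _, s, e in children(der, is_, ie):
        _, s, e = next(children(der, s, e))
        (_, os_, oe), (_, vs, ve) = children(der, s, e)
        rdns.append(f"{ATTR_NAMES.get(der[os_:oe], der[os_:oe].hex())}={der[vs:ve].decode()}")
    info["issuer"] = ",".join(rdns)
    _, s, e = fields.pop(0)                                # thisUpdate (UTCTime 0x17 or GeneralizedTime 0x18)
    info["this_update"] = der[s:e].decode()
    if fields and fields[0][0] in (0x17, 0x18):            # optional nextUpdate
        _, s, e = fields.pop(0)
        info["next_update"] = der[s:e].decode()
    if fields and fields[0][0] == 0x30:                    # optional revokedCertificates SEQUENCE
        _, s, e = fields.pop(0)
        info["revoked_count"] = sum(1 for _ in children(der, s, e))
    if fields and fields[0][0] == 0xA0:                    # optional [0] EXPLICIT crlExtensions
        _, s, e = next(children(der, fields[0][1], fields[0][2]))
        for _, xs, xe in children(der, s, e):
            parts = list(children(der, xs, xe))            # OID, optional critical BOOLEAN, OCTET STRING
            oid, (_, vs, ve) = der[parts[0][1]:parts[0][2]], parts[-1]
            if oid == OID_CRL_NUMBER:
                _, ns, ne = read_tlv(der, vs)              # INTEGER wrapped inside the OCTET STRING
                info["crl_number"] = int.from_bytes(der[ns:ne], "big", signed=True)
    info["signature"] = der[ss + 1:se]                     # BIT STRING: skip the unused-bits byte
    return info

NSS_PEM = wrap_pem(CRL_B64, "nss")                         # the crl.txt sample from this page
OPENSSL_PEM = wrap_pem(CRL_B64, "openssl")                 # the crl.pem sample from this page

if __name__ == "__main__":
    for key, value in parse_crl(crl_der(NSS_PEM)).items():
        print(f"{key}: {value.hex() if isinstance(value, bytes) else value}")
```

Running the script prints version 2, the issuer in DER order (O first, then CN, which is the order openssl shows), the two UTCTime values, zero revoked entries, CRL Number 28 and the 256-byte signature starting 2b9c34, matching the three listings above. Like those -text listings, this only decodes the structure; checking the signature against the issuing CA certificate is a separate step that none of the displayed commands perform.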