How to change the expiration of CRLs with OpenSSL

certificate-authoritycrlopensslssl-certificate

I am currently experimenting with my self signed CA.

But in order for my devices to work I need a valid CRL.

I set the CDP to one of the CDN hosting providers.
As I have only 5 certificates issued I have little chance of getting one of them revoked, so I would like to issue a long validity CRL and update it as I need it.

How can I do that with OpenSSL and how is the default expiration calculated?

I see that the crlnumber file increases and certutil displays something like

Base CRL(1014) time:11

Best Answer

The default is 30 days.

To change the nextUpdate field, you may use the -crldays option of the openssl ca command like this :

openssl ca -gencrl -crldays 120 -config /path/to/openssl.conf -keyfile /path/to/private/key.file -passin pass:plaintextpassword -out /path/to/crl.pem

If you don't want to specify this every time the CRL is generated, you can change this in openssl.cnf via "default_crl_days= 30" (this is the default setting) and then change it to whatever you want.

Related Solutions

Apache – Client Certificate Authentication Guide

sometimes u need to add a SSLCertificateChainFile option in your apache2.conf.

For example, we use SureServer for our SSL certificates. Sometimes browsers to not contain the full tree for the SSL certificate andu need to supply the missing piece:

SSLEngine On
SSLCertificateFile ...
SSLCertificateKeyFile ...
SSLCertificateChainFile /etc/apache2/sureserverEDU.pem

So u probably need to add your 3rd party CA there.

If I recall correctly rapidSSL has a chain file (RapidSSL_CA_bundle.pem)

Self Signed Root Certificate with SAN in child

It's best to have three different openssl.cnf files on your system. You cannot use a single file for all the operations. And yes, the syntax is a nightmare.

The default one should be restored and kept intact, so the default behavior is not broken in future.
Copy it to your own openssl-test-ca.cnf and modify it accordingly to your needs.
Copy it to your own openssl-san.cnf and modify it accordingly to your needs.

Now, for every operation which involves your own root (or req for it) use:

openssl command -config /.../openssl-test-ca.cnf  more options

For every operation which involves your SAN client cert (or req for it) use the openssl-san.cnf. And correct the subjectAltName = @alternative_names to appear in [v3_req] and [usr_cert] in the openssl-san.cnf file.

Best Answer

Related Solutions

Apache – Client Certificate Authentication Guide

Self Signed Root Certificate with SAN in child

Related Topic