
openssl pki: questions about certificate revocation lists and certificate distribution


Hello r/linuxadmin,

As the title states, I have a few questions concerning certificate revocation lists. Let me start with a little background:

My company decided it needs its own PKI. We have an external consultant who came up with the ideas for its design. He suggested building a root CA with a few signing CAs which sign the certificates we need. My company does not want to rely too much on external support, so I suggested trying to implement his design myself, having a little background with openssl. After a day I realized my "little" background won't get me far, so I went looking for help and found this tutorial, which I think will cover our needs.

What I have done so far:

I changed a few of the provided configuration parameters and now have the following:

company-ca-root.crt (the root CA certificate)
company-ca-root.cer (the root CA certificate in DER format for publishing)
company-ca-root.crl (the root CA CRL; I have one in PEM and one in DER format)
company-ca-tls.crt (the signing CA certificate)
company-ca-tls.cer (the signing CA certificate in DER format for publishing)
company-ca-tls.crl (the signing CA CRL; I have one in PEM and one in DER format)
company-ca-tls-chain.pem (the signing CA chain with the root CA certificate concatenated)
company-server-srvname.crt (a server certificate signed with company-ca-tls.crt for testing purposes)
company-server-srvname.p12 (a p12 bundle suggested by the tutorial)
company-client-myname.crt (a client certificate signed with company-ca-tls.crt for testing purposes)
company-client-myname.p12 (a p12 bundle suggested by the tutorial)

Now my questions:

1.) I have configured an internal testing CRL Distribution Point. Inside the certificates they look like this:

    X509v3 CRL Distribution Points:
        Full Name:
          URI:http://192.168.40.220/pki/company-ca-root.crl

and

    X509v3 CRL Distribution Points:
        Full Name:
          URI:http://192.168.40.220/pki/company-ca-tls.crl

I have copied the DER format CRLs to this location. The question is: who or what will check these? Will my Firefox, for example, periodically check whether one of my server or CA certificates is revoked?

2.) I'm going to deploy that one server certificate onto my testing machine to enable HTTPS with apache2. There is a configuration parameter SSLCARevocationFile which points to a file in the filesystem. Do I have to manually deploy the CRL file to this server every time I regenerate it, or is Apache able to check the CRL Distribution Points from the certificates given in 1.)?

3.) Which CA certificate (file) do I distribute to my client machines? Only company-ca-root.crt, or every signing CA certificate needed by that machine/user?

Right now this seems to be all I want to know. I hope you can give me some helpful advice.

submitted by fb7f8b
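Worked example (added by the editor; it is not part of the post above or of the tutorial it links): a throw-away copy of the layout the poster describes, built with the openssl CLI so the three questions can be tried against a real chain instead of guessed at. The file names and the CDP URL are taken from the post; the EC keys, the host name "srvname", the 30-day/7-day lifetimes and the scratch directory are assumptions for the demo. It needs OpenSSL 1.1.1 or newer on the PATH.

```shell
#!/bin/sh
# Added example, not code from the original post or the tutorial it links:
# a throw-away two-tier PKI (root CA -> TLS signing CA -> server cert) built
# with the openssl CLI, then queried with `openssl verify` to answer the
# post's questions. File names and the CDP URL follow the post; keys, the
# host name "srvname" and the lifetimes are constructed for the demo.
set -e

# One config drives `openssl req`, `openssl x509` and `openssl ca`. Paths are
# relative, so everything runs inside a scratch directory.
write_config() {
    cat > pki.cnf <<'EOF'
[ req ]
prompt             = no
distinguished_name = req_dn
[ req_dn ]
CN = placeholder
[ root_ca ]
basicConstraints = critical, CA:TRUE
keyUsage         = critical, keyCertSign, cRLSign
[ sub_ca ]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage         = critical, keyCertSign, cRLSign
[ ca ]
default_ca = tls_ca
[ tls_ca ]
database         = index.txt
new_certs_dir    = newcerts
serial           = serial
crlnumber        = crlnumber
certificate      = company-ca-tls.crt
private_key      = company-ca-tls.key
default_md       = sha256
default_days     = 30
default_crl_days = 7
policy           = cn_only
x509_extensions  = leaf_ext
[ cn_only ]
commonName = supplied
[ leaf_ext ]
basicConstraints      = CA:FALSE
keyUsage              = digitalSignature
subjectAltName        = DNS:srvname
crlDistributionPoints = URI:http://192.168.40.220/pki/company-ca-tls.crl
EOF
}

# Root CA, signing CA, server cert; then the signing CA's CRL before and after
# revoking the server cert. Chatter is silenced; `set -e` still aborts on error.
build_pki() {
    mkdir newcerts; : > index.txt; echo 1000 > serial; echo 1000 > crlnumber
    for n in company-ca-root company-ca-tls company-server-srvname; do
        openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:prime256v1 -out "$n.key"
    done
    openssl req -new -x509 -config pki.cnf -extensions root_ca -days 30 \
        -key company-ca-root.key -subj "/CN=Company Root CA" -out company-ca-root.crt
    openssl req -new -config pki.cnf -key company-ca-tls.key -subj "/CN=Company TLS CA" |
        openssl x509 -req -CA company-ca-root.crt -CAkey company-ca-root.key -CAcreateserial \
            -days 30 -extfile pki.cnf -extensions sub_ca -out company-ca-tls.crt 2>/dev/null
    # What the server hands out next to its own cert (the post's chain file).
    cat company-ca-tls.crt company-ca-root.crt > company-ca-tls-chain.pem
    openssl req -new -config pki.cnf -key company-server-srvname.key -subj "/CN=srvname" \
        -out company-server-srvname.csr
    openssl ca -config pki.cnf -batch -notext -in company-server-srvname.csr \
        -out company-server-srvname.crt >/dev/null 2>&1
    openssl ca -config pki.cnf -gencrl -out company-ca-tls-before.crl 2>/dev/null
    openssl ca -config pki.cnf -revoke company-server-srvname.crt 2>/dev/null
    openssl ca -config pki.cnf -gencrl -out company-ca-tls.crl 2>/dev/null
}

# Prints ok, revoked or fail for one `openssl verify` invocation.
verify_status() {
    if out=$(openssl verify "$@" 2>&1); then echo ok; return 0; fi
    case "$out" in *"certificate revoked"*) echo revoked ;; *) echo fail ;; esac
}

# Runs the whole demo in a scratch directory and prints one summary line.
pki_demo() {
    command -v openssl >/dev/null 2>&1 || { echo skipped; return 0; }
    dir=$(mktemp -d)
    (
        cd "$dir"
        write_config
        build_pki
        leaf=company-server-srvname.crt
        # Q3: a client that trusts only the root still needs the signing CA from the server.
        a=$(verify_status -CAfile company-ca-root.crt "$leaf")
        b=$(verify_status -CAfile company-ca-root.crt -untrusted company-ca-tls-chain.pem "$leaf")
        # Q1/Q2: the CRL is consulted only when the verifier is handed it and told to check.
        c=$(verify_status -crl_check -CRLfile company-ca-tls-before.crl \
            -CAfile company-ca-root.crt -untrusted company-ca-tls-chain.pem "$leaf")
        d=$(verify_status -crl_check -CRLfile company-ca-tls.crl \
            -CAfile company-ca-root.crt -untrusted company-ca-tls-chain.pem "$leaf")
        # The CDP URL inside the cert is never fetched: without the CRL the revoked cert passes.
        e=$(verify_status -CAfile company-ca-root.crt -untrusted company-ca-tls-chain.pem "$leaf")
        echo "root-only:$a chain:$b crl-before:$c crl-after:$d no-crl-after:$e"
    )
    rm -rf "$dir"
}

pki_demo
```

Running it prints `root-only:fail chain:ok crl-before:ok crl-after:revoked no-crl-after:ok`, which covers the three questions. Clients only need company-ca-root.crt in their trust store, but the server must then send company-ca-tls.crt along with its own certificate (the chain file), otherwise path building fails with "unable to get local issuer certificate". The revoked server certificate is rejected only when the verifier is given the fresh CRL and asked to check it (`-crl_check -CRLfile`); the URI in the CRL Distribution Points extension is informational for openssl-based verifiers, and Apache's SSLCARevocationFile is likewise a static file that has to be replaced every time the CRL is regenerated (and before its nextUpdate passes, or verification fails for everyone). Firefox does not fetch CRLs from these URIs either; it relies on OCSP for revocation checks.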
