Generic question on CRL use

on 16.06.2008 16:13:50 by Gilles Cuesta

Hi all,

New on the list, and not a tricky question :D

We use client certs authentication at our office, there is a CA chain
like this :

BigCA (self signed)
IntermediateCA (signed by BigCA)
ServerCert (signed by IntermediateCA) used by Apache/modssl
ClientCA (signed by IntermediateCA)
many clients (signed by ClientCA)

- ClientX has 1 year validity
- ClientCA has 4 years validity, but is replaced at half life (2 years),
so ClientX signed by the old ClientCA version remains valid until
expiration.
- The CRL is signed by the recent ClientCA

So, at a time, we have 2 ClientCA with different key and different
validity period, but same DN.

The problem is, verifying client certs works with both ClientCA
stacked; but when using a CRL, old clients work only if the CRL is signed
by the old ClientCA.

1/ Is it RFC compliant, and if not, why (reference?).
2/ If this is RFC compliant, why does OpenSSL not handle this?

Thanks for any help you can provide.
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org

Re: Generic question on CRL use

on 16.06.2008 17:13:58 by Michael

Gilles Cuesta wrote:
> So, at a time, we have 2 ClientCA with different key and different
> validity period, but same DN.

This is bad practice. Try searching for "CA key roll-over".

> The problem is, when verifying client cert work with both ClientCA
> stacked; but when using CRL, old clients work only if CRL is signed by
> old ClientCA.

Well, you asked for trouble...

You could try to add the authorityKeyIdentifier extension to the CRL if
it's also present in the CA certs. This could work with some software.

But my strong recommendation: Fix your 2nd ClientCA cert.

Ciao, Michael.

Re: Generic question on CRL use

on 16.06.2008 18:46:56 by Gilles Cuesta

2008/6/16 Michael Ströder :
> Gilles Cuesta wrote:
>>
>> So, at a time, we have 2 ClientCA with different key and different
>> validity period, but same DN.
>
> This is bad practice. Try searching for "CA key roll-over".

I found docs about it, but for proprietary PKI, and couldn't tell if this
feature is implemented ...

>
>> The problem is, when verifying client cert work with both ClientCA
>> stacked; but when using CRL, old clients work only if CRL is signed by
>> old ClientCA.
>
> Well, you asked for trouble...
>
> You could try to add the authorityKeyIdentifier extension to the CRL if it's
> also present in the CA certs. This could work with some software.
>

Here we are :D

apache.crl
Certificate Revocation List (CRL):
Version 2 (0x1)
....
X509v3 Authority Key Identifier:
keyid:B8:85:B4...

apache-caclient.cer
Certificate:
....
Validity
Not Before: Feb 29 12:23:38 2007 GMT
Not After : Feb 29 12:23:58 2011 GMT
....
X509v3 Key Usage: critical
Certificate Sign, CRL Sign
....
X509v3 Subject Key Identifier:
B8:85:B4...
X509v3 Authority Key Identifier:
keyid:56:4D:A9...

apache-caclient-old.cer
Certificate:
....
Validity
Not Before: May 18 14:35:12 2005 GMT
Not After : May 18 14:35:12 2009 GMT
....
X509v3 extensions:
X509v3 Key Usage: critical
Certificate Sign, CRL Sign
....
X509v3 Subject Key Identifier:
87:1D:FC...
X509v3 Authority Key Identifier:
keyid:56:4D:A9...

But it doesn't work as is, issuing "signature verification error" in the
Apache error logs ...

Is there something to be modified in the Apache/mod_ssl conf?

Thank you
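Michael's suggestion (put the authorityKeyIdentifier into the CRL) and the openssl -text output Gilles posted are two halves of the same check: a verifier that looks the CRL issuer up by subject name alone cannot tell the two same-DN ClientCA certs apart, whereas one that matches the CRL's AKI keyid against each candidate's Subject Key Identifier can. The script below is an added example, not code from this thread, from mod_ssl or from OpenSSL; it rebuilds the situation with two freshly generated self-signed "ClientCA" certificates (constructed sample material; the CN, the file names and the simplification to self-signed CAs are assumptions) and a CRL signed by the newer one, then shows the name-only lookup done by `openssl crl -CAfile` failing against the old cert while an SKI/AKI match picks the right issuer.

```shell
#!/bin/sh
# Added example (not from the thread): two CA certs with the same subject DN
# but different keys, plus a CRL carrying an authorityKeyIdentifier, to show
# why a name-only issuer lookup fails and an SKI/AKI match does not.
# Requires the openssl command-line tool (1.1.1 or 3.x).
set -e

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# One config serves both 'openssl req -x509' (CA certs) and 'openssl ca -gencrl'.
cat > ca.cnf <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = ClientCA
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
[ ca ]
default_ca = ca_default
[ ca_default ]
database = index.txt
serial = serial
crlnumber = crlnumber
new_certs_dir = .
default_md = sha256
default_crl_days = 30
crl_extensions = crl_ext
[ crl_ext ]
authorityKeyIdentifier = keyid:always
EOF

# gen_ca NAME: self-signed CA cert + key with CN=ClientCA (constructed sample).
gen_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -config ca.cnf -extensions v3_ca \
    -keyout "$1.key" -out "$1.pem" >/dev/null 2>&1
}
gen_ca old   # the ClientCA that signed the still-valid older client certs
gen_ca new   # its same-DN replacement, which signs the current CRL

: > index.txt
echo 01 > serial
echo 01 > crlnumber
openssl ca -config ca.cnf -gencrl -keyfile new.key -cert new.pem \
  -out clientca.crl >/dev/null 2>&1

# crl_verifies_with CAFILE: 'openssl crl -CAfile' finds the issuer by
# subject name only, then checks the signature with that cert's key.
# The result is read from the "verify OK" line rather than the exit status.
crl_verifies_with() {
  openssl crl -in clientca.crl -noout -CAfile "$1" 2>&1 | grep -q '^verify OK'
}

# crl_aki CRL / cert_ski CERT: the key identifiers as printed by -text.
# OpenSSL 1.1.1 prefixes the AKI value with "keyid:", 3.x does not; strip both.
crl_aki() {
  openssl crl -in "$1" -noout -text |
    awk '/Authority Key Identifier/ { getline; sub(/^[ \t]*(keyid:)?/, ""); print; exit }'
}
cert_ski() {
  openssl x509 -in "$1" -noout -text |
    awk '/Subject Key Identifier/ { getline; sub(/^[ \t]*/, ""); print; exit }'
}

# pick_issuer_by_aki CRL CERT...: choose the candidate whose SKI equals the
# CRL's AKI keyid; prints its file name, returns 1 if none matches.
pick_issuer_by_aki() {
  crl="$1"; shift
  want="$(crl_aki "$crl")"
  for ca in "$@"; do
    if [ -n "$want" ] && [ "$(cert_ski "$ca")" = "$want" ]; then
      echo "$ca"
      return 0
    fi
  done
  return 1
}

if crl_verifies_with new.pem; then echo "name lookup, new.pem only: verify OK"; fi
if ! crl_verifies_with old.pem; then echo "name lookup, old.pem only: verify failure (same DN, wrong key)"; fi
cat old.pem new.pem > both.pem
if crl_verifies_with both.pem; then
  echo "name lookup, both stacked: verify OK (the name lookup happened to return new.pem)"
else
  echo "name lookup, both stacked: verify failure (the name lookup returned old.pem)"
fi
echo "AKI/SKI match picks: $(pick_issuer_by_aki clientca.crl old.pem new.pem)"
```

The "both stacked" case is the one Apache hits: which of the two same-DN certs the name lookup returns is not something the CRL can influence, so the outcome is whatever the store's ordering happens to be. Versioning the CA name, as Michael and Patrick recommend, removes the ambiguity at the source; the AKI/SKI match only helps where the verifying software actually consults it.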

Re: Generic question on CRL use

on 16.06.2008 19:12:40 by Michael

Gilles Cuesta wrote:
> 2008/6/16 Michael Ströder :
>> Gilles Cuesta wrote:
>>> So, at a time, we have 2 ClientCA with different key and different
>>> validity period, but same DN.
>> This is bad practice. Try searching for "CA key roll-over".
>
> I found docs about it, but proprietary PKI, and couldn't know if this
> feature is implemented ...

It's not a "feature"! Pretty sure there are docs out there describing
best practices when conducting a CA key roll-over. One of the best
practices is to change the subject DN of the CA entity cert.

>> You could try to add the authorityKeyIdentifier extension to the CRL if it's
>> also present in the CA certs. This could work with some software.
> X509v3 Authority Key Identifier:
> keyid:56:4D:A9...
>
> But it doesn't work asis, issuing "signature verification error" in
> apache error logs ...

Glad you learned so soon that it's better to rework your renewed sub-CA
cert. ;-)

Ciao, Michael.

Re: Generic question on CRL use

on 16.06.2008 21:32:17 by Patrick Patterson

On June 16, 2008 12:46:56 pm Gilles Cuesta wrote:
> 2008/6/16 Michael Ströder :
> > Gilles Cuesta wrote:
> >> So, at a time, we have 2 ClientCA with different key and different
> >> validity period, but same DN.
> >
> > This is bad practice. Try searching for "CA key roll-over".
>
> I found docs about it, but proprietary PKI, and couldn't know if this
> feature is implemented ...
>
Check the IETF PKIX mailing list. There is a thread there by Santosh Chokhani
and Stefan Santesson that goes into this. Short answer is - you can do what
you want, but it's REALLY tricky, and Michael is right - best practice is to
version your CAs. (so the current one is CA1, the next one is CA2, etc.)

> >> The problem is, when verifying client cert work with both ClientCA
> >> stacked; but when using CRL, old clients work only if CRL is signed by
> >> old ClientCA.
> >
> > Well, you asked for trouble...
> >
> > You could try to add the authorityKeyIdentifier extension to the CRL if
> > it's also present in the CA certs. This could work with some software.
>
> Here we are :D
>
Ummm I think you mean that you want to have, in the CRL DP in the client
certificate, the crlIssuer field of the CRL DP - problem is that 90% of the
software out there (Apache included) won't deal with it.

BTW: To handle the case that you are trying to do, there was a patch sent in
by Erwann ABALEA from Keynectis to the OpenSSL Users mailing list in
January/February this year, IIRC. Perhaps you could try that - you'd have to
do some fairly exotic things to mod_ssl, mind you to get it to work :)

I'm with Michael - stop using the same name each time. Version your CAs.

Have fun.

-- 
Patrick Patterson
President and Chief PKI Architect,
Carillon Information Security Inc.
http://www.carillon.ca