来源:
ChinaUnix博客 作者: 发布时间:2008-01-01 12:31:00


[root@dhcp demoCA]# cat
index.txt
V 090222031325Z 01 unknown
/C=CN/ST=BJ/L=BJ/O=BJNAP/OU=Maintenance/CN=172.17.64.34/emailAddress=test@gmail.com
V 090222031701Z 02 unknown
/C=CN/ST=BJ/L=BJ/O=BJNAP/OU=Maintenance/CN=172.17.64.39/emailAddress=teset@gmail.com
V 090222142006Z 03 unknown
/C=CN/ST=BJ/O=BJNAP/OU=Maintenance/CN=172.17.64.39/emailAddress=teset@gmail.com
[root@dhcp demoCA]#
现在我们要召回第 3 个证书(序列号 03,对应下面的 my.crt):
[root@dhcp conf]# ll
my.crt
-rw-r--r-- 1 root root 3518 Feb 23 22:20
my.crt
[root@dhcp conf]#
[root@dhcp conf]# openssl ca -revoke my.crt
Using configuration from /usr/share/ssl/openssl.cnf
Enter
pass phrase for ./demoCA/private/cakey.pem:
Revoking Certificate 03.
Data
Base Updated
[root@dhcp conf]#
[root@dhcp conf]# ll my.crt
-rw-r--r-- 1 root root 3518 Feb 23 22:20 my.crt
[root@dhcp
conf]#
[root@dhcp conf]# openssl x509 -subject -issuer -noout -in my.crt
subject= /C=CN/ST=BJ/O=BJNAP/OU=Maintenance/CN=172.17.64.39/emailAddress=teset@gmail.com
issuer= /C=CN/ST=GD/L=GZ/O=GZNAP/OU=Maintenance/CN=mail.bob.com/emailAddress=ailms@qq.com
[root@dhcp conf]#
能够看到,还能够正常对 my.crt 做操作:召回只是修改了 CA 自己的数据库 index.txt,证书文档本身(大小、mtime、内容)都没有变化;openssl x509 只是解析文档内容,并不会去查 index.txt 或 CRL,所以不能用它来判断证书是否已被召回。
[root@dhcp demoCA]# cat
index.txt
V 090222031325Z 01 unknown
/C=CN/ST=BJ/L=BJ/O=BJNAP/OU=Maintenance/CN=172.17.64.34/emailAddress=test@gmail.com
V 090222031701Z 02 unknown
/C=CN/ST=BJ/L=BJ/O=BJNAP/OU=Maintenance/CN=172.17.64.39/emailAddress=teset@gmail.com
R 090222142006Z 080223142437Z 03 unknown
/C=CN/ST=BJ/O=BJNAP/OU=Maintenance/CN=172.17.64.39/emailAddress=teset@gmail.com
[root@dhcp demoCA]#
能够看到 03 证书的第一个字段变成了 R(Revoked),并且多出的第三个字段 080223142437Z 就是召回时间。
[root@dhcp demoCA]# cat
serial
04
[root@dhcp demoCA]#
能够看到 serial 文档仍然是 04,而不是退回 03:召回不会回收已经用掉的序列号,03 不会再分配给新证书。
[root@dhcp demoCA]# cd
newcerts/
[root@dhcp newcerts]# ll
total 12
-rw-r--r-- 1 root
root 3405 Feb 23 11:13 01.pem
-rw-r--r-- 1 root root 3406 Feb 23 11:17
02.pem
-rw-r--r-- 1 root root 3518 Feb 23 22:20 03.pem
[root@dhcp
newcerts]#
能够看到 03.pem 文档还没有删除:召回只改变 index.txt 里的状态,并不会删除 newcerts/ 中的副本。
[root@dhcp conf]# date
Sat
Feb 23 22:30:29 CST 2008
[root@dhcp conf]#
[root@dhcp demoCA]# cd
crl
[root@dhcp crl]#
[root@dhcp crl]# ll
total
4
-rw-r--r-- 1 root root 499 Feb 23 11:19 local-crl.pem
[root@dhcp
crl]#
从 mtime 能够看到 local-crl.pem 文档并没有更新,看来 -revoke 并不会自动更新 CRL 列表,它只是把 index.txt 里的状态改为 R。
下面手工再次生成 CRL 列表:
[root@dhcp conf]# openssl ca -gencrl -out demoCA/crl/local-crl.pem
Using configuration from
/usr/share/ssl/openssl.cnf
Enter pass phrase for
./demoCA/private/cakey.pem:
[root@dhcp conf]#
现在查看 CRL 的内容
[root@dhcp conf]# openssl crl -text -in demoCA/crl/local-crl.pem
Certificate Revocation List
(CRL):
Version 1 (0x0)
Signature Algorithm:
md5WithRSAEncryption
Issuer: /C=CN/ST=GD/L=GZ/O=GZNAP/OU=Maintenance/CN=mail.bob.com/emailAddress=ailms@qq.com
Last Update: Feb 23 14:29:31 2008
GMT # 注释 :该 CRL 的生成时间 Sat Feb 23 22:29:31 CST
2008
Next Update: Mar 24 14:29:31 2008
GMT # 注释 :一个月后再更新
Revoked Certificates:
Serial Number:
03 # 注释 :能够看到序列号 = 03
的证书被召回了
Revocation Date: Feb 23 14:24:37 2008 GMT # 注释 :召回的时间是
:Sat Feb 23 22:24:37 CST 2008
Signature Algorithm:
md5WithRSAEncryption
95:41:ac:85:4b:e4:a3:fb:a0:61:8b:70:2a:e2:b8:6b:f1:44:
41:40:30:8d:cf:01:74:ce:c6:9b:99:60:93:ce:aa:71:89:e3:
6e:9a:92:c9:3e:71:54:88:45:66:9a:4f:65:8a:40:fe:26:05:
02:a2:ed:15:f9:d0:a5:51:26:58:87:41:e8:3d:aa:b6:ac:90:
01:34:fe:19:54:40:4c:c3:47:8d:c5:50:03:22:6b:f3:33:b4:
a5:d7:7e:c5:4c:3c:9f:e8:14:35:b7:27:b6:20:6d:e8:38:34:
79:dc:69:73:8a:69:d9:e6:20:95:cf:c2:1e:e9:78:e8:5e:7f:
07:c1
-----BEGIN X509 CRL-----
MIIBXTCBxzANBgkqhkiG9w0BAQQFADCBgTELMAkGA1UEBhMCQ04xCzAJBgNVBAgT
AkdEMQswCQYDVQQHEwJHWjEOMAwGA1UEChMFR1pOQVAxFDASBgNVBAsTC01haW50
ZW5hbmNlMRUwEwYDVQQDEwxtYWlsLmJvYi5jb20xGzAZBgkqhkiG9w0BCQEWDGFp
bG1zQHFxLmNvbRcNMDgwMjIzMTQyOTMxWhcNMDgwMzI0MTQyOTMxWjAUMBICAQMX
DTA4MDIyMzE0MjQzN1owDQYJKoZIhvcNAQEEBQADgYEAlUGshUvko/ugYYtwKuK4
a/FEQUAwjc8BdM7Gm5lgk86qcYnjbpqSyT5xVIhFZppPZYpA/iYFAqLtFfnQpVEm
WIdB6D2qtqyQATT+GVRATMNHjcVQAyJr8zO0pdd+xUw8n+gUNbcntiBt6Dg0edxp
c4pp2eYglc/CHul46F5/B8E=
-----END X509 CRL-----
[root@dhcp conf]#
现在我们需要做的就是把这个 CRL 发布出去(放到客户端和服务器能取到的位置):在对方拿到新的 CRL 之前,03 证书在它们看来仍然是有效的;而且上面的 Next Update 是一个月后,到期之前(或者再有证书被召回时)都要重新生成并发布 CRL。同时删除 my.crt 文档,当然保留也能够,因为证书文档的体积很小。另外要注意这个 CRL 是用 md5WithRSAEncryption 签名的,MD5 已经不安全,新环境下应改用 SHA-256 之类的摘要算法。