
CRL Generation: Adding AKI parameter to command

Open jcoeltjen opened this issue 3 years ago • 1 comments

Background

I use cfssl mainly as a command line tool to manage a small PKI with mostly long running certificates. One Root CA and multiple Signing CAs are used to generate the client and server certificates that I need.

This all works fine!

Certificates are usually created with a command similar to this:

cfssl gencert -ca {pathToCa} \
    -ca-key {pathToCaKey} \
    -config {pathToConfig} \
    -db-config {pathToDbConfig} \
    {pathToCsrJson} | cfssljson -bare {outputName}

As a result all certificates (including CAs and Leaf Certificates) are all stored in one database.

Revoking a certificate is done by:

cfssl revoke \
    -db-config {pathToDbConfig} \
    -serial {serial} \
    -aki {aki} \
    -reason {reason}

And this revokes the certificate in the database as it should do without any problems whatsoever.

Problem

As I have multiple CAs I would also like to create multiple independent CRLs.

CA              CRL
Root CA         root.crl
Signing CA 1    signing-1.crl

Currently the CRLs are created with this command:

cfssl crl \
    -db-config {pathToDbConfig} \
    -ca  {pathToCa} \
    -ca-key {pathToCaKey} \
    -expiry={expiry} \
    -loglevel=1 \
    | base64 -d > {outputFile}

Which creates a DER CRL signed by the CA itself. This is fine as long as you want to create a CRL for only one CA and you only have exactly one CA inside your database.

If you manage multiple signing intermediates in one database, this command would also include in the CRL output revoked certificates signed by CAs other than the one provided in the CLI call.

Proposition

The crl command reads all certificates from the internal database to create the CRL. If this list of certificates is filtered to only the ones signed by the provided CA the resulting CRL would never contain any revoked certificates from a different trust chain.

Variant 1

Add new -aki parameter to cfssl crl signature to only select certificates with this AKI for the CRL generation.

Variant 2

Extract the AKI from the given CA and use this as filtering input. Warning: This would change the default behavior of the crl command. I would only do this by adding an additional flag to control this behavior.

Would you be open to such a change? If so, I would try to implement this and create a PR for it.

jcoeltjen avatar Jun 08 '21 08:06 jcoeltjen
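The following is an added example, written for this page and not taken from the issue or from cfssl's own code, that reproduces the problem and Variant 2 of the proposal with nothing but the Go standard library (Go 1.19 or newer is assumed for x509.ParseRevocationList and RevocationList.CheckSignatureFrom). It builds a root, two signing CAs and one leaf per signing CA, revokes both leaves into one shared "database", then produces signing-1.crl twice: once listing every row (what the issue reports cfssl crl does today) and once keeping only rows whose stored AKI equals the signing CA's own Subject Key Identifier. The RevokedRecord struct, the ca type and the functions issue, revoke, buildCRL and crlSerials are names invented for the example; the row layout is an assumption that mirrors what cfssl revoke -serial/-aki records, not cfssl's real schema. Variant 1 would be the same filter with the hex AKI taken from a flag instead of from the issuer certificate.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha1"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// RevokedRecord stands in for the per-certificate row cfssl's certdb keeps; the
// exact field set is an assumption made for this example, not cfssl's schema.
type RevokedRecord struct {
	Serial    *big.Int
	AKI       string // lowercase hex, the form `cfssl revoke -aki` takes
	RevokedAt time.Time
}

type ca struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue creates a CA or leaf certificate signed by signer (self-signed when signer is nil).
// Go copies the signer's SubjectKeyId into the new certificate's AuthorityKeyId, the value
// cfssl stores per certificate and that `-aki` matches on.
func issue(cn string, isCA bool, signer *ca) *ca {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: must(rand.Int(rand.Reader, big.NewInt(1<<62))), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: isCA, KeyUsage: x509.KeyUsageDigitalSignature,
	}
	if isCA { // a CA needs CRLSign to sign CRLs; SKI = SHA-1 of the public key (RFC 5280 4.2.1.2)
		tmpl.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
		sum := sha1.Sum(must(x509.MarshalPKIXPublicKey(&key.PublicKey)))
		tmpl.SubjectKeyId = sum[:]
	}
	parentCert, parentKey := tmpl, key
	if signer != nil {
		parentCert, parentKey = signer.cert, signer.key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parentCert, &key.PublicKey, parentKey))
	return &ca{cert: must(x509.ParseCertificate(der)), key: key}
}

// revoke appends a row for cert keyed by serial and AKI, as `cfssl revoke` does.
func revoke(db []RevokedRecord, cert *x509.Certificate) []RevokedRecord {
	return append(db, RevokedRecord{Serial: cert.SerialNumber,
		AKI: hex.EncodeToString(cert.AuthorityKeyId), RevokedAt: time.Now()})
}

// buildCRL signs a DER CRL with issuer. filter=false lists every row in the shared database
// (the behaviour the issue reports); filter=true keeps only rows whose AKI equals the
// issuer's own SubjectKeyId, which is Variant 2 of the proposal.
func buildCRL(db []RevokedRecord, issuer *ca, filter bool, number int64, expiry time.Duration) ([]byte, error) {
	issuerAKI := hex.EncodeToString(issuer.cert.SubjectKeyId)
	var entries []pkix.RevokedCertificate
	for _, r := range db {
		if filter && !strings.EqualFold(r.AKI, issuerAKI) {
			continue // revoked by another CA: belongs in that CA's CRL, not this one
		}
		entries = append(entries, pkix.RevokedCertificate{SerialNumber: r.Serial, RevocationTime: r.RevokedAt})
	}
	// Go adds the authority key identifier extension itself from issuer.cert.SubjectKeyId;
	// the CRL number extension is mandatory per RFC 5280 5.1.2 and must be supplied.
	tmpl := &x509.RevocationList{Number: big.NewInt(number), ThisUpdate: time.Now(),
		NextUpdate: time.Now().Add(expiry), RevokedCertificates: entries}
	return x509.CreateRevocationList(rand.Reader, tmpl, issuer.cert, issuer.key)
}

// crlSerials parses a DER CRL, checks its signature against issuer and returns the listed serials.
func crlSerials(der []byte, issuer *x509.Certificate) ([]*big.Int, error) {
	crl, err := x509.ParseRevocationList(der)
	if err == nil {
		err = crl.CheckSignatureFrom(issuer)
	}
	if err != nil {
		return nil, err
	}
	var serials []*big.Int
	for _, rc := range crl.RevokedCertificates {
		serials = append(serials, rc.SerialNumber)
	}
	return serials, nil
}

func main() {
	root := issue("Root CA", true, nil)
	s1, s2 := issue("Signing CA 1", true, root), issue("Signing CA 2", true, root)
	var db []RevokedRecord // one shared database for both signing CAs, as in the issue
	db = revoke(db, issue("svc1.example.test", false, s1).cert)
	db = revoke(db, issue("svc2.example.test", false, s2).cert)
	for _, filter := range []bool{false, true} {
		serials := must(crlSerials(must(buildCRL(db, s1, filter, 1, 24*time.Hour)), s1.cert))
		fmt.Printf("signing-1.crl filter=%v lists serials %v\n", filter, serials)
	}
}
```

Run it and the unfiltered signing-1.crl lists both serials, including the one issued by Signing CA 2, while the filtered one lists only Signing CA 1's own revocation. Two points worth noting from the code: the filter works only because every leaf carries an AKI equal to its issuer's SKI, which is also the precondition for cfssl's stored authority_key_identifier column to be a reliable key, and the CRL number passed in must increase on every regeneration for a given issuer, so a real implementation would persist it per CA rather than hard-code it.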

https://www.rfc-editor.org/rfc/rfc3280#section-5.1.2:

The profile requires conforming CRL issuers to use the CRL number and authority key identifier CRL extensions in all CRLs issued.

If you manage multiple signing intermediates in one database [...]

You could create one database (resp. one database configuration file) per CA: this would not only solve your issue but also increase isolation.

samy-mahmoudi avatar Jan 09 '23 17:01 samy-mahmoudi