Wednesday, 17 February 2010

Creating a CRL for an OSX keychain CA

OSX has a handy keychain utility that can be used to create a CA among other things. I needed a CRL generated for my keychain-created CA in order to use certificate-based VPNs on a Netscreen box.


There are probably 101 ways of doing this, mine is:

Make a CA structure as per /opt/local/etc/openssl/openssl.cnf
(or alternately you could provide the suitable CLI options to openssl each time)


mkdir -p demoCA/private
echo 01 > demoCA/serial
echo 01 > demoCA/crlnumber


Locate your CA private key in the keychain utility, right click and export. This saves it as pkcs12 format.

Convert it to PEM format with:
openssl pkcs12 -nocerts -in My_Macbook_CA.p12 -out demoCA/private/cakey.pem


Edit it and delete the text above:
-----BEGIN RSA PRIVATE KEY-----


(this last step probably isn't necessary)

Export the CA certificate from keychain and change the format to PEM.

Then you can generate the CRL with:
openssl ca -gencrl -out crl.pem -cert exported_cert.pem


If you get any errors then check the paths, the default openssl config puts this in ./demoCA

Note that this creates a CRL valid for 30 days only with the default openssl.cnf, you probably want to increase this by editing /opt/local/etc/openssl/openssl.cnf and changing the default_crl_days value.

No comments:

Post a Comment