Wednesday, 17 February 2010

Creating a CRL for an OSX keychain CA

OSX has a handy keychain utility that can be used to create a CA among other things. I needed a CRL generated for my keychain-created CA in order to use certificate-based VPNs on a Netscreen box.


There are probably 101 ways of doing this, mine is:

Make the CA directory structure that /opt/local/etc/openssl/openssl.cnf expects
(or, alternatively, pass the equivalent options to openssl on the command line each time)


mkdir -p demoCA/private
echo 01 > demoCA/serial
echo 01 > demoCA/crlnumber
touch demoCA/index.txt   # the certificate database; 'openssl ca' refuses to run if it is missing


Locate your CA private key in the keychain utility, right-click and export. This saves it in PKCS#12 format.

Convert it to PEM format with:
openssl pkcs12 -nocerts -in My_Macbook_CA.p12 -out demoCA/private/cakey.pem


Edit the file and delete everything above the line:
-----BEGIN RSA PRIVATE KEY-----


(this last step probably isn't necessary)

Export the CA certificate from keychain and change the format to PEM.

Then you can generate the CRL with:
openssl ca -gencrl -out crl.pem -cert exported_cert.pem


If you get any errors, check the paths: the default openssl config expects this structure under ./demoCA

Note that with the default openssl.cnf this creates a CRL that is valid for only 30 days; you probably want to increase this by editing /opt/local/etc/openssl/openssl.cnf and changing the default_crl_days value.
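The whole procedure as a script, added here as an example and not part of the original post: it creates the demoCA layout, uses a minimal ca.cnf with default_crl_days raised from 30 to 365 instead of editing the system openssl.cnf, generates the CRL, and then checks the CRL's signature and its lifetime. It assumes openssl is on the PATH and substitutes a throwaway self-signed CA for the keychain-exported cakey.pem and exported_cert.pem.

```shell
#!/bin/sh
# Added example (not from the original post): lays out demoCA/ as the default
# openssl.cnf expects, issues a CRL with a longer default_crl_days, then checks
# the CRL's signature, CRL number and lifetime. Assumes openssl is in PATH; a
# throwaway CA stands in for the keychain-exported cakey.pem / exported_cert.pem.
set -e
setup_ca_dir() {   # CA directory structure in the current directory, plus a minimal ca.cnf
  mkdir -p demoCA/private
  echo 01 > demoCA/serial
  echo 01 > demoCA/crlnumber   # bumped by every successful -gencrl
  : > demoCA/index.txt         # 'openssl ca' refuses to start without its database file
  cat > ca.cnf <<'EOF'
[ ca ]
default_ca       = CA_default
[ CA_default ]
dir              = ./demoCA
database         = $dir/index.txt
crlnumber        = $dir/crlnumber
private_key      = $dir/private/cakey.pem
certificate      = $dir/cacert.pem
default_md       = sha256
default_crl_days = 365                 # the stock openssl.cnf ships with 30 here
[ req ]
distinguished_name = dn
[ dn ]
EOF
}
# Self-signed stand-in for the keychain CA (constructed for this demo only).
make_stub_ca() {
  openssl req -config ca.cnf -x509 -newkey rsa:2048 -nodes -days 3650 \
    -subj '/CN=Stub Keychain CA' -keyout demoCA/private/cakey.pem \
    -out demoCA/cacert.pem 2>/dev/null
}
# The post's 'openssl ca -gencrl', with key and certificate taken from ca.cnf.
gen_crl() { openssl ca -config ca.cnf -gencrl -out crl.pem 2>/dev/null; }
# Succeeds only if the CRL signature verifies against the CA certificate.
crl_signature_ok() {
  openssl crl -in crl.pem -CAfile demoCA/cacert.pem -noout 2>&1 | grep -q 'verify OK'
}
# Days between lastUpdate and nextUpdate, read back from the CRL itself.
crl_validity_days() {
  openssl crl -in crl.pem -noout -lastupdate -nextupdate | awk -F= '{
    split($2, t, " ")                                # "Feb 17 10:00:00 2010 GMT"
    m = (index("JanFebMarAprMayJunJulAugSepOctNovDec", t[1]) + 2) / 3
    y = t[4]; d = t[2]; if (m <= 2) { y--; m += 12 }
    jd[NR] = int(365.25 * (y + 4716)) + int(30.6001 * (m + 1)) + d   # Julian day number
  } END { print jd[2] - jd[1] }'
}
# Run everything in DIR (default: a fresh temp dir) and print the CRL lifetime in days.
run_demo() { cd "${1:-$(mktemp -d)}" && setup_ca_dir && make_stub_ca && gen_crl && crl_signature_ok && crl_validity_days; }
```

Source the script and call run_demo /some/empty/dir; it prints 365, and afterwards demoCA/crlnumber reads 02 because openssl ca rotates the CRL number on every run.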