1

I'd like to create a certificate with a CRL distribution point which contains multiple URLs (pointing to the same CRL, according to RFC 5280):

When OpenSSL parses such certificate, it shows something like this:

    X509v3 CRL Distribution Points:
        Full Name:
          URI:http://addr1
          URI:http://addr2
          ...

How can I create such a certificate myself, preferably using openssl?

Laney
  • 113
  • 4

1 Answer

1

To define a SEQUENCE of GeneralNames you need to define the crlDistributionPoints in your OpenSSL configuration using the full format:

crlDistributionPoints = cdp1

...

[cdp1]
fullname = URI:http://example.com/myca.crl,URI:http://example.org/my.crl

Which shows up as:

    X509v3 CRL Distribution Points:
        Full Name:
          URI:http://example.com/myca.crl
          URI:http://example.org/my.crl

A full example would start by creating a config file (e.g. example.cnf):

[req]
prompt = no
distinguished_name = dn

[dn]
countryName = gb
organizationName = Example
commonName = Example Web Server

[ext]

subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer
keyUsage = critical, digitalSignature, keyAgreement
extendedKeyUsage = serverAuth
crlDistributionPoints = cdp1
subjectAltName = @alt_names

[cdp1]
fullname = URI:http://example.com/myca.crl, URI:http://example.org/my.crl

[alt_names]
DNS.1 = www.example.com
DNS.2 = www.example.org

Use the config to generate a Certificate Signing Request (CSR):

    openssl req -newkey rsa:2048 -keyout example.key -nodes -config example.cnf -out example.csr

Note that the above creates a 2048-bit RSA key with no password protection. Remove the -nodes if you need to password protect the private key.

Have a CA sign the CSR generated above.

garethTheRed
  • 4,539
  • 14
  • 22
  • that's exactly why I'm asking. I read this manpage, but it shows how to create multiple full names. I need one full name with multiple URLs, as shown in my example – Laney Aug 05 '21 at 06:06
  • thanks, it works now! – Laney Aug 05 '21 at 16:11
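The full round trip the answer describes (CSR from the config, CA signs it with the [ext] section, result checked with openssl x509 -text), as an added example that is not part of the original answer. It assumes openssl is in PATH; the throwaway CA, the working directory and the config contents are constructed for the demo, and the check confirms one DistributionPoint (one "Full Name:") carrying two URIs rather than two separate distribution points.

```shell
# Added example: build a throwaway CA, sign a CSR made from an example.cnf-style
# config, and verify the issued cert has ONE DistributionPoint with TWO URIs.
set -e
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
# Constructed config with the same shape as the answer's example.cnf.
cat > "$WORK/example.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
[dn]
countryName = GB
organizationName = Example
commonName = Example Web Server
[ext]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
keyUsage = critical, digitalSignature, keyAgreement
extendedKeyUsage = serverAuth
crlDistributionPoints = cdp1
subjectAltName = @alt_names
[cdp1]
fullname = URI:http://example.com/myca.crl, URI:http://example.org/my.crl
[alt_names]
DNS.1 = www.example.com
EOF
issue_cert() {
  # Throwaway self-signed CA (demo only)
  openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=Demo CA" -days 1 \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
  # CSR from the config, as in the answer; the CSR itself carries no extensions
  openssl req -newkey rsa:2048 -nodes -config "$WORK/example.cnf" \
    -keyout "$WORK/example.key" -out "$WORK/example.csr" 2>/dev/null
  # The CA attaches the [ext] section at signing time via -extfile/-extensions
  openssl x509 -req -in "$WORK/example.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 1 -extfile "$WORK/example.cnf" -extensions ext \
    -out "$WORK/example.crt" 2>/dev/null
}
# Succeeds only if the CDP extension prints exactly one "Full Name:" block
# (one DistributionPoint) holding exactly two URI entries.
check_cdp() {
  text="$(openssl x509 -in "$WORK/example.crt" -noout -text)"
  [ "$(printf '%s\n' "$text" | grep -c 'Full Name:')" -eq 1 ] &&
  [ "$(printf '%s\n' "$text" | grep -cE 'URI:http://example\.(com|org)/')" -eq 2 ]
}
if issue_cert && check_cdp; then echo "OK: one DistributionPoint, two URIs"; else echo "CDP check FAILED"; fi
```

Replacing `crlDistributionPoints = cdp1` with `crlDistributionPoints = cdp1,cdp2` and giving each section one URI would instead print two "Full Name:" blocks, which is the layout the asker wanted to avoid.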