Revoking certs and publishing CRLs #10

Open
rtkmhart opened this issue May 27, 2013 · 3 comments

Comments

@rtkmhart
Contributor

I need to be able to properly revoke certificates (instead of simply deleting them) and publish CRLs in the near future. Has anyone done this already with chef-ssl? If not, I may have a go at implementing it.

mike

@chrisa
Contributor

chrisa commented May 28, 2013

I've not looked at this at all, so anything you develop here would be very interesting.

Something that triggered revocation via a chef-ssl action for approval, and then distributed the appropriate CRLs to managed hosts would be great.

@rtkmhart
Contributor Author

OK, I'll think up a design and run it by you in a few weeks.

cheers

mike

Michael Hart
Arctic Wolf Networks

@rtkmhart
Contributor Author

I've finally been able to get back to this. After some research I found out that revoking certificates is not trivial, and is not at all supported by the eassl2 gem, nor by the openssl gem it wraps. The only way to do it, as far as I can tell, is to resort to the command line, namely:

openssl ca -revoke <filename>

And then to generate the CRL pem file:

openssl ca -gencrl

In both cases the commands require the regular openssl information (index files, config files, etc.) and the CA password, making automation of all this rather difficult.

My biggest user of certificates is OpenVPN, and OpenVPN 2.3 has the option to read a directory where each file in the directory is a revoked certificate, and the file name is the serial number. This leads me to the following proposal.

When a certificate is deemed to be revoked:

  1. The certificate data bag item is moved from the certificates data bag to the revoked_certificates data bag, adding "revoked: false", "revoked_date" and "serial_no" attributes, the last populated with the serial number.
  2. The OpenVPN recipe can read the serial numbers and do as it needs, outside the scope of this cookbook. Although I may add a library/provider to get the list.
  3. At a later time the CA admin runs the chef-ssl gencrl command, which does the following:
  • Find all certs in the revoked_certificates data bag with "revoked: false" set.
  • Run openssl ca -revoke against the certificate.
  • Update the data bag item with "revoked: true".
  • Finally, run the openssl ca -gencrl command.
  • Publish the CRL (TBD; unsure whether this can be made generic enough, as I need FTP in my case).

An alternate path:

  1. The CA admin runs chef-ssl revoke certname, which does all of the above in one fell swoop.

The advantage of splitting it up into two phases:

  • Generic deployment scripts can mark a certificate as revoked without needing the CA password. For cloud systems where nodes are created/destroyed regularly this is critical.
  • This solves OpenVPN's needs quite nicely.

Code changes then:

  • Update chef-ssl with "revoke" and "gencrl" commands.
  • Add a provider to download a CRL file to a defined location.
  • Add a library/provider/something to get a list of revoked serial numbers.

I'd really appreciate some feedback!

EDIT: data bag item is not copied but moved.
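The two-phase flow proposed in the comment above, as an added example that is not chef-ssl's code and not what was implemented for this issue. It models data bag items as plain hashes (the key names 'id', 'certificate', 'revoked', 'revoked_date' and 'serial_no' are assumptions about the cookbook's layout), builds a throwaway CA in memory so it runs offline, and uses only Ruby's stdlib OpenSSL bindings. Phase 1 (mark_revoked, write_crl_dir) needs no CA password; phase 2 (gencrl) needs the CA key. Note that gencrl signs the CRL with OpenSSL::X509::CRL directly instead of shelling out to `openssl ca -gencrl`, so it does not touch the `openssl ca` index.txt database; whether that matters depends on whether the CA is otherwise managed with `openssl ca`. The function names and the serial encoding used for OpenVPN's crl-verify directory (uppercase hex, as printed by `openssl x509 -noout -serial`) are assumptions; check the file-name format against the OpenVPN version you deploy.

```ruby
require 'openssl'
require 'time'
require 'tmpdir'

# Added example, not chef-ssl code: the two-phase revocation flow, with plain
# hashes standing in for data bag items (key names are assumptions).

# --- constructed fixtures: a throwaway CA and leaf certs, in memory only ---
def make_ca(now = Time.now)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = 1
  cert.subject    = OpenSSL::X509::Name.parse('/CN=Example Test CA')
  cert.issuer     = cert.subject
  cert.public_key = key.public_key
  cert.not_before = now
  cert.not_after  = now + 365 * 86_400
  ef = OpenSSL::X509::ExtensionFactory.new(cert, cert)
  cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
  cert.add_extension(ef.create_extension('keyUsage', 'keyCertSign, cRLSign', true))
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  [cert, key]
end

# Returns a hash shaped like a "certificates" data bag item (assumed layout).
def issue_leaf(ca_cert, ca_key, cn, serial, now = Time.now)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = serial
  cert.subject    = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer     = ca_cert.subject
  cert.public_key = key.public_key
  cert.not_before = now
  cert.not_after  = now + 90 * 86_400
  cert.sign(ca_key, OpenSSL::Digest.new('SHA256'))
  { 'id' => cn, 'certificate' => cert.to_pem }
end

# --- phase 1: no CA password needed ----------------------------------------
# Produce the item that goes into revoked_certificates; the caller deletes the
# original from certificates (move, not copy). 'revoked' => false means
# "pending: the CA admin has not processed it yet".
def mark_revoked(item, now = Time.now)
  cert = OpenSSL::X509::Certificate.new(item['certificate'])
  item.merge(
    'revoked'      => false,
    'revoked_date' => now.utc.iso8601,
    # uppercase hex, the form `openssl x509 -noout -serial` prints (assumed
    # to be what the OpenVPN crl-verify dir mode expects; verify per version)
    'serial_no'    => cert.serial.to_s(16).upcase
  )
end

# What an OpenVPN recipe would do with the list: one empty file per revoked
# serial in the crl-verify directory. Returns the resulting file names.
def write_crl_dir(dir, revoked_items)
  Dir.mkdir(dir) unless Dir.exist?(dir)
  revoked_items.each { |i| File.write(File.join(dir, i['serial_no']), '') }
  (Dir.entries(dir) - ['.', '..']).sort
end

# --- phase 2: CA admin, holds the CA key -----------------------------------
# Sign a CRL listing every item in revoked_certificates (a CRL must repeat
# earlier revocations, not only the pending ones), then flip pending items to
# 'revoked' => true. Signs with OpenSSL::X509::CRL directly, so `openssl ca`'s
# index.txt is NOT updated.
def gencrl(ca_cert, ca_key, revoked_items, now = Time.now, next_update_days = 7)
  crl = OpenSSL::X509::CRL.new
  crl.version     = 1                       # X.509 v2 CRL
  crl.issuer      = ca_cert.subject
  crl.last_update = now
  crl.next_update = now + next_update_days * 86_400
  revoked_items.each do |item|
    rev = OpenSSL::X509::Revoked.new
    rev.serial = OpenSSL::BN.new(item['serial_no'], 16)
    rev.time   = Time.parse(item['revoked_date'])
    crl.add_revoked(rev)
    item['revoked'] = true
  end
  crl.sign(ca_key, OpenSSL::Digest.new('SHA256'))
  crl
end

# Relying-party check: verify the CRL signature against the CA, then look the
# certificate's serial up in it.
def revoked_by_crl?(crl, ca_cert, cert)
  raise 'CRL signature does not verify against the CA' unless crl.verify(ca_cert.public_key)
  crl.revoked.any? { |r| r.serial == cert.serial }
end

if __FILE__ == $PROGRAM_NAME
  ca_cert, ca_key = make_ca
  pending = mark_revoked(issue_leaf(ca_cert, ca_key, 'vpn-client-1', 0x1A2B))
  crl = gencrl(ca_cert, ca_key, [pending])
  puts "#{pending['serial_no']} revoked=#{pending['revoked']}", crl.to_pem
end
```

The split matters for the cloud case in the proposal: a deployment script only needs write access to the data bag to call mark_revoked, while the CA key is only needed at gencrl time. If the CA is kept under `openssl ca`, replace the body of gencrl with the `openssl ca -revoke` / `openssl ca -gencrl` steps from the proposal so index.txt stays authoritative; the data bag bookkeeping and the OpenVPN directory handling are the same either way.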
