homlishCA

HomlishCA

see https://blog.homlish.net/technology/?p=714&preview=true for revocations

defines CRL Endpoints:
Distribution Point http://www.homlish.net/ssl/homlishCA.crl

Owner & permissions
for the directory a0:/usr3/homlishCA, let’s define an owner

root@a0:~# ls -l /usr3/web/homlish.net/ssl/homlishCA.crl
-rw-r--r-- 1 phomlish httpd 2281 Jul 2 06:07 /usr3/web/homlish.net/ssl/homlishCA.crl

openssl crl -in /usr3/web/homlish.net/ssl/homlishCA.crl.pem -text

for the anatomy of the index.txt file:
https://pki-tutorial.readthedocs.io/en/latest/cadb.html

Certificate status flag (V=valid, R=revoked, E=expired).
Certificate expiration date in YYMMDDHHMMSSZ format.
Certificate revocation date in YYMMDDHHMMSSZ[,reason] format. Empty if not revoked.
Certificate serial number in hex.
Certificate filename or literal string ‘unknown’.
Certificate distinguished name.
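As an added example (not part of the original post or the homlishCA scripts), here is a small Python parser for that index.txt layout, run over a constructed sample database: it returns the serials that must appear in the next CRL and flags entries still marked V whose expiry has already passed.

```python
# Added example: parse an OpenSSL "openssl ca" index.txt and audit its entries.
# Field layout follows the tab-separated columns described above.
import datetime
from typing import NamedTuple, List, Optional

class IndexEntry(NamedTuple):
    status: str                          # V=valid, R=revoked, E=expired
    expires: datetime.datetime           # parsed from YYMMDDHHMMSSZ
    revoked: Optional[datetime.datetime] # None if not revoked
    reason: Optional[str]                # e.g. keyCompromise; None if absent
    serial: str                          # serial number in hex
    filename: str                        # certificate file or 'unknown'
    subject: str                         # distinguished name

def parse_utctime(s: str) -> datetime.datetime:
    """YYMMDDHHMMSSZ as written by openssl ca (two-digit year, UTC)."""
    dt = datetime.datetime.strptime(s, "%y%m%d%H%M%SZ")
    return dt.replace(tzinfo=datetime.timezone.utc)

def parse_index(text: str) -> List[IndexEntry]:
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        status, exp, rev, serial, fname, subject = line.split("\t")
        rev_date, reason = None, None
        if rev:
            # revocation column is "YYMMDDHHMMSSZ" or "YYMMDDHHMMSSZ,reason"
            rev_date_s, _, reason = rev.partition(",")
            rev_date = parse_utctime(rev_date_s)
            reason = reason or None
        entries.append(IndexEntry(status, parse_utctime(exp), rev_date,
                                  reason, serial, fname, subject))
    return entries

def revoked_serials(entries: List[IndexEntry]) -> List[str]:
    """Serials that must be listed in the next CRL (status R)."""
    return [e.serial for e in entries if e.status == "R"]

def stale_valid(entries: List[IndexEntry], now: datetime.datetime) -> List[str]:
    """Entries still flagged V whose notAfter has passed; 'openssl ca -updatedb' marks them E."""
    return [e.serial for e in entries if e.status == "V" and e.expires < now]

# Constructed sample database (not the real homlishCA index.txt)
SAMPLE_INDEX = (
    "V\t330701120000Z\t\t01\tunknown\t/CN=paul/emailAddress=paul@example.test\n"
    "R\t330701120000Z\t230615080000Z,keyCompromise\t02\tunknown\t/CN=old-laptop\n"
    "V\t200101000000Z\t\t03\tunknown\t/CN=expired-but-unmarked\n"
)
```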

See below for common commands & java keypass stuff

to convert a pem to a one liner:
awk 'NF {sub(/\r/, ""); printf "%s\\n",$0;}' cert-name.pem

openssl genrsa -out paul.key 2048
openssl req -new -key paul.key -out paul.csr -config /usr3/homlishCA/openssl.cnf
openssl x509 -req -days 3650 -in paul.csr -signkey paul.key -out paul.crt
openssl pkcs12 -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -export -in paul.crt -inkey paul.key -out paul.pfx -name "paul"

so that worked and it imported into Firefox, but golang is still not requesting the cert
except let’s not use openssl ca

let’s try to create a cert by reverse engineering my original code that used to work

@req_names = ('commonName', 'emailAddress', 'organizationName',
'organizationalUnitName', 'localityName', 'stateOrProvinceName',
'countryName', 'SPKAC');
request-client-cert.cgi
$req_file = "$catop/requests/$serial.req";
export CATOP=/usr3/homlishCA
export SER=02020020

# $SER.req is the SPKAC request written by request-client-cert.cgi (the shell variable is SER, not the Perl $serial)
openssl ca -config $CATOP/openssl.cnf -extensions client_extensions -extensions client_x509_extensions \
-policy policy_anything -spkac $SER.req -out $SER.der -outdir .

let’s try to replace the SPKAC request with our own key, paul.key

openssl genrsa -out paul.key 2048
openssl req -new -key paul.key -out paul.csr -config $CATOP/openssl.cnf

to view a certificate:
openssl x509 -in acs.cdroutertest.com.pem -text

CRLs (certificate revocation lists)

openssl crl -in /usr3/web/homlish.net/ssl/homlishCA.pem -text
