
In the X.509 CRL format we have a "Hold Instruction Code" for a list of suspended certificates. I know that "its use is strongly deprecated for the Internet PKI", but in my own private CA I want to use it.

OpenSSL has a ca command with which I can do all the CA work directly on my Linux CLI. It has an option, -crl_hold instruction, to put a certificate "on hold", but how can I remove the "on hold" status of that certificate? I haven't found any way to manage the temporary suspension of these certs.

Any help will be very helpful.

3 Answers

From the OpenVPN 2 Cookbook:

The OpenSSL ca command generates its CRL by looking at the index.txt file. Each line that starts with an 'R' is added to the CRL, after which the CRL is cryptographically signed using the CA private key.

To reinstate your revoked certificate, you could edit your CA database:

database       = $dir/index.txt        # index file.

1. Update the relevant entry in $dir/index.txt by replacing R (revoked) with V (valid).
2. Recreate the CRL file: openssl ca -gencrl
3. What's left is the automation of the process (a script?)

Seb B.

There is no method to "unsuspend" a certificate in OpenSSL on the CLI that I am aware of. The following quote may give you a bit more guidance:

Martin Abalea, OpenSSL mailing list, 2008-10-13, Re: Put certificate on hold:

Reading the X.509 recommendation (downloadable for free from the ITU-T web site) tells us that a certificate can be "un-holded" by 2 means:
- either really revoke it, by changing the reason code while keeping the date
- or completely remove it from the CRL, as you guessed.

Again, I am not aware of any CLI commands for OpenSSL so your options may be:

  1. issue a new cert or
  2. restore a copy of the CA DB prior to the revocation and issue a new CRL.

    If you have other revoked certs, you want to make sure you jot them down if you restore your DB. Otherwise, since you stated this is your private CA, I don't see why generating a new cert is an issue.

    There is yet a "long shot" method you may be able to use with Microsoft (I don't know how to do something similar in OpenSSL).

  3. If you can import your cert into the MS CA, MS has an easy "right click" to unrevoke. See the following documentation on how to do this. Here is the CLI from that page:

    To unrevoke a certificate revoked with the reason code "Certificate Hold," at a command prompt on the CA, type:

    certutil -revoke CertificateSerialNumber unrevoke
    
munkeyoto

Reading the X.509 recommendation tells us that a certificate can be "un-holded" by 2 means:

  • either really revoke it, by changing the reason code while keeping the date
  • or completely remove it from the CRL. If you plan to issue deltaCRLs, you MUST use the "removeFromCRL" reason code for such certificates, only for the deltaCRLs.
Mxsky
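The two ways out of a hold that the answers describe, editing the index.txt entry back to V as in the first answer, or keeping the revocation date and changing the reason code as in the X.509 quote, can both be done with a small script. This is an added example, not code from the question or any of the answers. It assumes the standard six-field, tab-separated index.txt layout that openssl ca writes (status, expiry, revocation info, serial, file name, subject); the serials, dates and subjects in SAMPLE_INDEX are constructed. It only touches entries whose reason is certificateHold, so a mistyped serial cannot quietly revive a certificate revoked for key compromise. After editing the database you still have to regenerate the CRL with openssl ca -gencrl, and copying index.txt aside before editing it is a sensible habit.

```python
"""Reinstate or finalise a held certificate in an OpenSSL ``ca`` database.

Added example for this thread, not code from the question or any answer. It
edits the index.txt file that ``openssl ca -gencrl`` reads when it builds
the CRL. Everything in SAMPLE_INDEX (serials, dates, subjects) is constructed
sample data; the field layout is the tab-separated format OpenSSL writes:
status, expiry, revocation info, serial, certificate file name, subject.
"""
from dataclasses import dataclass
from typing import List, Optional

# Reason codes accepted by ``openssl ca -crl_reason`` (RFC 5280 CRLReason names).
REASONS = {
    "unspecified", "keyCompromise", "CACompromise", "affiliationChanged",
    "superseded", "cessationOfOperation", "certificateHold", "removeFromCRL",
}

# Constructed index.txt: one valid cert, one on hold, one with a compromised key.
SAMPLE_INDEX = (
    "V\t261231235959Z\t\t1001\tunknown\t/CN=alice.example.test\n"
    "R\t261231235959Z\t240301120000Z,certificateHold,holdInstructionCallIssuer"
    "\t1002\tunknown\t/CN=bob.example.test\n"
    "R\t261231235959Z\t240215080000Z,keyCompromise\t1003\tunknown\t/CN=carol.example.test\n"
)


@dataclass
class Entry:
    status: str      # V = valid, R = revoked, E = expired
    expiry: str      # YYMMDDHHMMSSZ
    revocation: str  # "" for valid certs, else "date[,reason[,extra]]"
    serial: str      # hex serial number as OpenSSL writes it
    filename: str
    subject: str

    @property
    def revocation_date(self) -> Optional[str]:
        return self.revocation.split(",")[0] or None

    @property
    def reason(self) -> Optional[str]:
        parts = self.revocation.split(",")
        return parts[1] if len(parts) > 1 else None

    def to_line(self) -> str:
        return "\t".join((self.status, self.expiry, self.revocation,
                          self.serial, self.filename, self.subject))


def parse_index(text: str) -> List[Entry]:
    """Split index.txt into entries, rejecting lines that do not have 6 fields."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split("\t")
        if len(fields) != 6:
            raise ValueError(f"malformed index.txt line: {line!r}")
        entries.append(Entry(*fields))
    return entries


def render_index(entries: List[Entry]) -> str:
    """Serialise entries back into index.txt text, one line per certificate."""
    return "".join(e.to_line() + "\n" for e in entries)


def _held_entry(entries: List[Entry], serial: str) -> Entry:
    """Return the entry for ``serial`` only if it is revoked with certificateHold."""
    for e in entries:
        if e.serial.upper() == serial.upper():
            if e.status != "R" or e.reason != "certificateHold":
                raise ValueError(
                    f"serial {serial} is not on hold "
                    f"(status={e.status}, reason={e.reason})")
            return e
    raise KeyError(f"serial {serial} not found in index")


def reinstate(entries: List[Entry], serial: str) -> Entry:
    """Option 1 (first answer): mark the entry valid again so it leaves the CRL."""
    e = _held_entry(entries, serial)
    e.status = "V"
    e.revocation = ""
    return e


def finalize_revocation(entries: List[Entry], serial: str,
                        reason: str = "superseded") -> Entry:
    """Option 2 (X.509 quote): keep the revocation date, change the reason code."""
    if reason not in REASONS or reason == "certificateHold":
        raise ValueError(f"not a usable CRL reason: {reason}")
    e = _held_entry(entries, serial)
    e.revocation = f"{e.revocation_date},{reason}"
    return e


if __name__ == "__main__":
    db = parse_index(SAMPLE_INDEX)
    reinstate(db, "1002")
    print(render_index(db), end="")
    # Next step, outside this script: openssl ca -config openssl.cnf -gencrl -out crl.pem
```

Run it against a copy of your real index.txt by reading the file into parse_index, writing render_index back out, and then issuing openssl ca -gencrl so the new CRL no longer lists the reinstated serial (or lists it with the final reason code).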