How to insert entries into a Certificate Revocation List


I have an existing CRL that I would like to use with my apache instance via the SSLCARevocationPath directive. In order to test it and ensure it's working, I want to add an entry in the CRL for my own PIV cert information. This entry would look like this:

    Serial Number: E2C72718B5E0EXXXXXXXXXXXXXXXXXXXXXXXX
        Revocation Date: Nov 28 13:37:30 2018 GMT
        CRL entry extensions:
            X509v3 CRL Reason Code:
                Affiliation Changed

The CRL file I have is essentially a list of entries like this. However, I can't seem to find a way to just insert my entry into the file using something like openssl, and the file can't be edited directly in Notepad++. Is there a way to do this without needing to generate a new CRL?

Answer by dave_thompson_085 (accepted answer):

CRLs, like certs, are signed to prevent forgery or tampering, so you can't 'edit' it, you must generate a new one -- but see below.

OpenSSL command line can only generate a CRL using entries in the 'database' of its own cheap-and-cheerful DIY CA function, i.e. a text file usually named index.txt. Since the cert you want (and any others in the CRL) wasn't in fact issued by your OpenSSL DIY CA, to use this you must 'reconstruct' the index.txt that would have been created had you done so. For one cert and assuming 1.0.2 up and suitable settings in your config file, you can use openssl ca -valid $certfile. For a more complicated solution to a case with hundreds of 'missing' certs, see https://unix.stackexchange.com/questions/320038/easy-rsa-index-txt-serial-and-duplicates (disclosure: partly mine).

Alternatively you could write some code to call OpenSSL library to build a X509_CRL object with the data you want, and sign it. That would even be on-topic for SO!

However, for a CRL to be valid it must be signed by the same CA that issued the cert(s) being revoked, or by a special-purpose subordinate cert itself signed by that CA. I assume your PIV cert was issued by some Fed-PKI CA, and you aren't in possession of that CA's private key. (If you are it's a fairly major security breach, although not on the level of Snowden or OMB -- maybe about Manning. Or in the private sector Ashley Madison.) Given you can alter Apache's trust store, you could create your own DIY CA using the same name as the real CA, and then have Apache trust that fake root -- but then it will chain the (real) certs issued by the real CA to the fake root and they won't verify.

So in short you should create your own test data. Create a DIY CA, issue yourself a cert (or several -- you can charge yourself fees as high as you like and on net it doesn't cost you anything!), flag the cert(s) or some of them revoked and generate a CRL, and test with those.
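The "create your own test data" route from the answer, as an added example that is not part of the answer above: a POSIX shell script that builds a throwaway OpenSSL DIY CA in a temp directory, issues one cert, revokes it with reason affiliationChanged (the "Affiliation Changed" entry from the question) and emits a CRL, then confirms the reason text and that chain verification with CRL checking rejects the cert. The config file, file names and subject names are all constructed for this example; the helper function names are mine.

```shell
set -eu

make_test_crl() {
  # Throwaway CA in a temp dir: 'openssl ca' database files plus a minimal config.
  work=$(mktemp -d)
  (
    cd "$work"; mkdir newcerts
    : > index.txt; echo 1000 > serial; echo 01 > crlnumber
    cat > ca.cnf <<'EOF'
[ ca ]
default_ca = test_ca
[ test_ca ]
dir = .
database = $dir/index.txt
new_certs_dir = $dir/newcerts
certificate = $dir/ca.crt
private_key = $dir/ca.key
serial = $dir/serial
crlnumber = $dir/crlnumber
default_md = sha256
default_days = 365
default_crl_days = 30
policy = any_pol
x509_extensions = leaf_ext
[ any_pol ]
commonName = supplied
[ leaf_ext ]
basicConstraints = CA:FALSE
[ req ]
distinguished_name = dn
prompt = no
x509_extensions = ca_ext
[ dn ]
CN = Test CA
[ ca_ext ]
basicConstraints = critical,CA:TRUE
EOF
    # Self-signed test CA; CSR and cert for the 'user'; revoke it; emit the CRL.
    openssl req -x509 -newkey rsa:2048 -nodes -config ca.cnf -keyout ca.key -out ca.crt 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -config ca.cnf -subj /CN=TestUser -keyout user.key -out user.csr 2>/dev/null
    openssl ca -batch -config ca.cnf -in user.csr -out user.crt >/dev/null 2>&1
    openssl ca -config ca.cnf -revoke user.crt -crl_reason affiliationChanged >/dev/null 2>&1
    openssl ca -config ca.cnf -gencrl -out test.crl >/dev/null 2>&1
  )
  echo "$work"
}
# Reason text recorded for the single CRL entry, e.g. "Affiliation Changed".
crl_reason() { openssl crl -in "$1/test.crl" -noout -text | grep -A1 'CRL Reason Code' | tail -n1 | sed 's/^ *//'; }
# "revoked" if chain verification with CRL checking rejects the user cert, else "ok".
verify_status() { openssl verify -crl_check -CAfile "$1/ca.crt" -CRLfile "$1/test.crl" "$1/user.crt" >/dev/null 2>&1 && echo ok || echo revoked; }
```

The resulting test.crl (with ca.crt in Apache's trust store) is what you would point SSLCARevocationFile or SSLCARevocationPath at for testing; openssl crl -in test.crl -noout -text prints the same entry layout shown in the question.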