EAP-TLS CRL problem - a PKIX guru around?

Stefan Winter stefan.winter at restena.lu
Tue Mar 10 16:18:06 CET 2015


Hi,

the cert itself doesn't contain anything re CRLs (including no CRLDP as
I just notice).

Keying material snipped, otherwise complete (different serial, but
generated from the same script):

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 256 (0x100)
    Signature Algorithm: sha512WithRSAEncryption
        Issuer: C=LU, L=Luxembourg, O=Fondation RESTENA, CN=RESTENA Staff Authentication CA/emailAddress=admin at restena.lu
        Validity
            Not Before: Mar  7 09:31:43 2013 GMT
            Not After : Mar 11 09:31:43 2016 GMT
        Subject: C=LU, L=Luxembourg, O=Fondation RESTENA, OU=Technical, CN=almostanonymous at restena.lu/emailAddress=almostanonymous at restena.lu
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:b6:60:0a:be:fb:76:d9:8d:7c:c6:c0:a5:d3:95:
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment, Key Agreement
            X509v3 Extended Key Usage:
                TLS Web Client Authentication
            X509v3 Certificate Policies:
                Policy: 1.3.6.1.4.1.23735.5.4
                  CPS: https://www.restena.lu/ca/restena-staffauth-cps.pdf

    Signature Algorithm: sha512WithRSAEncryption

Maybe it's more a problem with the (intermediate) CA's CRL properties in
its cert:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 256 (0x100)
    Signature Algorithm: sha512WithRSAEncryption
        Issuer: C=LU, L=Luxembourg, O=Fondation RESTENA, CN=RESTENA Services CA/emailAddress=admin at restena.lu
        Validity
            Not Before: Feb 20 08:40:33 2013 GMT
            Not After : Feb 18 08:40:33 2023 GMT
        Subject: C=LU, L=Luxembourg, O=Fondation RESTENA, CN=RESTENA Staff Authentication CA/emailAddress=admin at restena.lu
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
                Modulus:
                    00:a4:b3:da:e4:dc:18:5d:ab:d2:67:7f:e7:d1:29:
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                4A:16:64:64:0B:AF:01:3D:5F:B4:9E:BB:B0:6D:FE:F2:E9:81:60:4D
            X509v3 Authority Key Identifier:
                keyid:5F:F5:DB:E2:ED:B1:5A:8A:60:E2:E8:35:BC:85:2F:D3:14:24:7B:80
                DirName:/C=LU/L=Luxembourg/O=Fondation RESTENA/CN=RESTENA Services CA/emailAddress=admin at restena.lu
                serial:A7:0A:8C:94:C4:2D:2D:A8

            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Key Usage: critical
                Certificate Sign, CRL Sign
            X509v3 Subject Alternative Name:
                email:admin at restena.lu
            X509v3 CRL Distribution Points:
                Full Name:
                  URI:https://www.restena.lu/ca/restena-root.crl

            Authority Information Access:
                CA Issuers - URI:http://www.restena.lu

            X509v3 Certificate Policies:
                Policy: 1.3.6.1.4.1.23735.5.1
                  CPS: https://www.restena.lu/ca/restena-root-cps.pdf

    Signature Algorithm: sha512WithRSAEncryption

But here I only see that the cert can sign CRLs, no other constraints.

For a moment I was wondering if it's because the CRL has this extra line:

            X509v3 Authority Key Identifier:
                keyid:4A:16:64:64:0B:AF:01:3D:5F:B4:9E:BB:B0:6D:FE:F2:E9:81:60:4D
                DirName:/C=LU/L=Luxembourg/O=Fondation RESTENA/CN=RESTENA Services CA/emailAddress=admin at restena.lu
                serial:01:00

which is the DirName of the *root* CA. But the root CA is the ultimate
authority, so isn't this the correct thing to state? Commercial CAs'
CRLs don't seem to include any more than the keyid...

Stefan

On 10.03.2015 15:35, Adam Bishop wrote:
> On 10 Mar 2015, at 13:47, Stefan Winter <stefan.winter at restena.lu> wrote:
> So... the smoking gun line is "error 44 : Different CRL scope".
> 
> I suspect the issue is with the certificate itself - there are a few x509 extensions that mean a CRL is asserted to only have certificates revoked for certain reasons, or be partitioned into multiple CRL's. In short, I think OpenSSL believes the CRL is incomplete.
> 
> What does openssl x509 -noout -text -in <crt> say?
> 
> Regards,
> 
> Adam Bishop
> 
>   gpg: 0x6609D460
> 
> jisc.ac.uk
> 

-- 
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et
de la Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg

Tel: +352 424409 1
Fax: +352 422473

PGP key updated to 4096 Bit RSA - I will encrypt all mails if the
recipient's key is known to me

http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66
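The thread's "error 44 : Different CRL scope" is OpenSSL refusing to use a CRL for an issuer it does not consider the CRL to cover. The following is an added example, not code from the thread or from FreeRADIUS/OpenSSL: it builds a throwaway root CA, issuing CA and three CRLs with the Python `cryptography` package (assumed installed; all names, keys and the URL are constructed for the demo) and then runs the consistency checks a validator applies before trusting a CRL for a given CA: issuer name, signature, Authority Key Identifier, and the Issuing Distribution Point extension that makes a CRL partitioned or reason-restricted. It also checks the point raised above: per RFC 5280 section 4.2.1.1 the DirName and serial inside an AKI identify the issuer and serial of the signer's *own* certificate, so a CRL signed by an intermediate is expected to carry the root's DirName and the intermediate's serial, exactly as in the dump above.

```python
"""Added example: check whether a CRL is in scope for a given issuing CA.

Not code from the mailing-list thread.  Assumes the `cryptography` package.
All names, keys and URLs below are constructed for the demo.
"""
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import NameOID

NOW = datetime.datetime(2015, 3, 10, tzinfo=datetime.timezone.utc)


def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, "LU"),
                      x509.NameAttribute(NameOID.COMMON_NAME, cn)])


def make_ca(cn, issuer=None):
    """Create a CA cert and key; self-signed unless issuer=(cert, key) is given."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    signer_cert, signer_key = issuer if issuer else (None, key)
    cert = (x509.CertificateBuilder()
            .subject_name(_name(cn))
            .issuer_name(signer_cert.subject if signer_cert else _name(cn))
            .public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(NOW)
            .not_valid_after(NOW + datetime.timedelta(days=3650))
            .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
            .add_extension(x509.SubjectKeyIdentifier.from_public_key(key.public_key()), critical=False)
            .add_extension(x509.AuthorityKeyIdentifier.from_issuer_public_key(
                signer_key.public_key()), critical=False)
            .sign(signer_key, hashes.SHA256()))
    return cert, key


def make_crl(ca_cert, ca_key, keyid, partitioned=False):
    """Sign an empty CRL in ca_cert's name.  `keyid` is the AKI keyid to embed, so the
    demo can also produce a CRL whose AKI points at the wrong CA key."""
    aki = x509.AuthorityKeyIdentifier(
        key_identifier=keyid,
        # RFC 5280 4.2.1.1: these name the issuer and serial of the CA's *own* cert,
        # i.e. the root's DirName plus the intermediate's serial (as in the thread).
        authority_cert_issuer=[x509.DirectoryName(ca_cert.issuer)],
        authority_cert_serial_number=ca_cert.serial_number)
    b = (x509.CertificateRevocationListBuilder()
         .issuer_name(ca_cert.subject)
         .last_update(NOW).next_update(NOW + datetime.timedelta(days=7))
         .add_extension(aki, critical=False))
    if partitioned:  # an IDP that limits the CRL to end-entity certs at one DP
        b = b.add_extension(x509.IssuingDistributionPoint(
            full_name=[x509.UniformResourceIdentifier("http://crl.example.test/part1.crl")],
            relative_name=None, only_contains_user_certs=True, only_contains_ca_certs=False,
            only_some_reasons=None, indirect_crl=False, only_contains_attribute_certs=False),
            critical=True)
    return b.sign(ca_key, hashes.SHA256())


def crl_scope_problems(crl, ca_cert):
    """Reasons this CRL must not be used for certs issued by ca_cert (empty list = usable)."""
    problems = []
    if crl.issuer != ca_cert.subject:
        problems.append("CRL issuer name differs from the CA subject")
    if not crl.is_signature_valid(ca_cert.public_key()):
        problems.append("CRL signature does not verify with the CA key")
    ski = ca_cert.extensions.get_extension_for_class(x509.SubjectKeyIdentifier).value.digest
    try:
        aki = crl.extensions.get_extension_for_class(x509.AuthorityKeyIdentifier).value
    except x509.ExtensionNotFound:
        aki = None
    if aki is not None:
        if aki.key_identifier is not None and aki.key_identifier != ski:
            problems.append("AKI keyid does not match the CA's Subject Key Identifier")
        if aki.authority_cert_issuer is not None and (
                aki.authority_cert_issuer != [x509.DirectoryName(ca_cert.issuer)]
                or aki.authority_cert_serial_number != ca_cert.serial_number):
            problems.append("AKI issuer/serial do not name the CA's own certificate")
    try:
        idp = crl.extensions.get_extension_for_class(x509.IssuingDistributionPoint).value
        if (idp.only_contains_user_certs or idp.only_contains_ca_certs or idp.only_some_reasons
                or idp.indirect_crl or idp.full_name or idp.relative_name):
            problems.append("Issuing Distribution Point limits the CRL's scope "
                            "(partitioned or reason-restricted CRL)")
    except x509.ExtensionNotFound:
        pass
    return problems


def demo():
    """Build root -> issuing CA and three CRLs; return the problems found for each."""
    root_cert, root_key = make_ca("Demo Root CA")
    inter_cert, inter_key = make_ca("Demo Issuing CA", issuer=(root_cert, root_key))
    ski = lambda c: c.extensions.get_extension_for_class(x509.SubjectKeyIdentifier).value.digest
    crls = {
        "good": make_crl(inter_cert, inter_key, ski(inter_cert)),
        "aki_points_at_root": make_crl(inter_cert, inter_key, ski(root_cert)),
        "partitioned": make_crl(inter_cert, inter_key, ski(inter_cert), partitioned=True),
    }
    return {label: crl_scope_problems(crl, inter_cert) for label, crl in crls.items()}


if __name__ == "__main__":
    for label, problems in demo().items():
        print(f"{label}: {'OK' if not problems else '; '.join(problems)}")
```

The "good" CRL carries the root's DirName in its AKI and passes every check, which is the point of the thread's question: that DirName is not what makes a validator declare a different scope. A mismatched keyid or an Issuing Distribution Point is, so those are the two things to compare between the real CRL and the issuing CA certificate.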