Client-Certificate blocking without controlling the issuing CA

Vincent Truchsess - rockenstein AG vt at rockenstein.de
Fri Dec 4 11:26:40 UTC 2020


Hi,

I am well aware that the use case I'm going to describe is not how PKI is intended to be implemented, but unfortunately the organizational architecture of this particular application is out of my reach.

We are operating an application that strongly relies on client certificates as the outer authentication layer. Those certificates are issued as 'general purpose' client certs by a globally trusted root CA and are validated on dedicated hardware, which limits the level of flexibility in matters of access control.
The organization legally responsible for the application maintains a blocklist of certificate serials they consider to be invalidated. Also, this organization does not bother to get those certificates revoked by their CA, so using OCSP or CRLs against the CA's services has no effect on denying access to invalid users.

The hardware performing the certificate validation allows for locally stored CRLs. Our intention was to generate those ourselves using a self-signed CA. As far as I went, it seems that openssl only allows for revocations of certificates signed by the local CA.

Doing this in software (e.g. inside the application) wouldn't be a problem, but the number of parallel connections requires this to be handled by dedicated hardware, which is limited to CRLs and OCSP.

Is there any way we simply have overlooked that allows us to generate self-signed CRLs for certificates issued by another CA using openssl?

Thank you for your time,
Vincent Truchseß.


PS: Implementing a 'scriptable' OCSP-responder would be an option that is planned but will take too long to hotfix the current issue.
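The workaround the post is asking about, as an added example that is not from the thread or from OpenSSL's own documentation: `openssl ca -gencrl` builds the CRL from whatever `index.txt` contains, so "R" rows for serials issued by a foreign CA can be seeded by hand and signed with a throw-away self-signed signer. All serials, names and paths below are constructed, and it assumes the validating hardware can be configured to trust that local signer certificate for CRL checks.

```shell
#!/bin/sh
# Added example, not from the thread: a CRL signed by a local self-signed CA that
# lists serials issued by some other CA. "openssl ca -gencrl" only reads index.txt,
# so rows for foreign serials can be seeded by hand. All values are constructed.
set -eu
WORK="$(mktemp -d)"; trap 'rm -rf "$WORK"' EXIT
# Constructed blocklist as the responsible organisation publishes it: one hex serial per line.
printf '7F3A9C01\n1f2e3d4c5b6a\n' > "$WORK/blocklist.txt"
# Minimal ca config: only the keys that -gencrl needs.
cat > "$WORK/ca.cnf" <<EOF
[ca]
default_ca = blocklist_ca
[blocklist_ca]
database   = $WORK/index.txt
crlnumber  = $WORK/crlnumber
default_md = sha256
EOF
echo 01 > "$WORK/crlnumber"

# Throw-away CRL signer; the validating hardware has to be told to trust it (assumption).
openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Local Blocklist CRL Signer" \
  -keyout "$WORK/crl.key" -out "$WORK/crl.crt" 2>/dev/null
# seed_index <blocklist>: one "R" row per serial. Tab-separated fields: status, expiry
# (unused for R rows), revocation date, serial (even-length hex), file name, subject.
seed_index() {
  now="$(date -u +%y%m%d%H%M%SZ)"
  : > "$WORK/index.txt"
  while read -r serial; do
    serial="$(printf '%s' "$serial" | tr 'a-f' 'A-F')"
    case "$serial" in ''|*[!0-9A-F]*) echo "bad serial: '$serial'" >&2; return 1;; esac
    [ $(( ${#serial} % 2 )) -eq 0 ] || serial="0$serial"   # ca rejects odd-length serials
    printf 'R\t%s\t%s\t%s\tunknown\t/CN=blocked-%s\n' "$now" "$now" "$serial" "$serial" \
      >> "$WORK/index.txt"
  done < "$1"
}

# gen_crl <out>: sign a CRL over every "R" row; valid one day, so re-run it as the list changes.
gen_crl() {
  seed_index "$WORK/blocklist.txt"
  openssl ca -config "$WORK/ca.cnf" -gencrl -keyfile "$WORK/crl.key" -cert "$WORK/crl.crt" \
    -crldays 1 -md sha256 -out "$1"
}

# count_revoked <crl>: number of revoked entries; crl_issuer <crl>: who signed the CRL.
count_revoked() { openssl crl -in "$1" -noout -text | grep -c 'Serial Number:'; }
crl_issuer()    { openssl crl -in "$1" -noout -issuer; }

gen_crl "$WORK/blocklist.crl"
echo "$(count_revoked "$WORK/blocklist.crl") blocked serials; $(crl_issuer "$WORK/blocklist.crl")"
```

An RFC 5280 path validator matches a CRL to a certificate by issuer name, so a CRL from a different issuer is ignored unless the validator supports indirect CRLs or is explicitly pointed at this file; confirm that on the hardware before relying on it. Because the signer key never issued the blocked certificates, anyone who can write to the CRL store or the blocklist feed can deny access, so keep both under the same change control as the hardware configuration.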

