Client-Certificate blocking without conrolling the issuing CA

[Michael Wojcik]

> From: openssl-users <openssl-users-bounces at openssl.org> On Behalf Of Vincent
> Truchsess - rockenstein AG
> Sent: Friday, 4 December, 2020 04:27
>
> The organization legally responsible for the application maintains a
> blocklist of certificate serials they consider to be invalidated. Also, this
> organization does not bother to get those certificates revoked by their CA so
> using OCSP or CRLs against the CAs services has no effect on denying access
> to invalid users.
>
> The hardware performing the certificate-validation allows for locally stored
> CRLs. Our intention was to generate those ourselves using a selfsigned CA. As
> far as I went, it seems that openssl only allows for revocations of
> certificates signed by the local CA.

I assume you mean "certificates signed by the issuing CA". The CRL has to be generated by the CA that issued the certificates.

It seems to me that the simplest solution would be to have the application add a certificate validation callback that checks the serial number against this not-really-a-CRL list of forbidden client certificates. That's the sort of thing certificate validation callbacks are for: implementing additional restrictions (or removing existing ones) on which certificates will be accepted.

--
Michael Wojcik