https://stackoverflow.com/questions/9496698/how-to-revoke-an-openssl-certificate-when-you-dont-have-the-certificate/15061804#15061804

Great answer! Depending on what you're looking for. Now let's amend openssl.root.cnf with the missing [ ca ] section. For other octets retrieved via CURLINFO_CERTINFO, like rsa and signature, a colon is used as the separator for each octet. In the next section, we will go through OpenSSL commands to decode the contents of the certificate. This command will verify the key and its validity: openssl rsa -in testmastersite.key -check. These options require you to have a file called "\demoCA\serial" under the current directory to be used as a serial number register. (Tested with OpenSSL 1.1.1c.) To generate a certificate with the SAN extension using OpenSSL, we need to create a config first. As an example, let's use openssl to check the SSL certificate expiration date of the https://www.shellhacks.com website:

$ echo | openssl s_client -servername www.shellhacks.com -connect www.shellhacks.com:443 2>/dev/null | openssl x509 -noout -dates
notBefore=Mar 18 10:55:00 2017 GMT
notAfter=Jun 16 10:55:00 2017 GMT

X509_set_serialNumber() sets the serial number of certificate x to serial. The -CApath option tells openssl where to look for the certificates. OpenSSL is a CLI (command line tool) that can be used to build a public key infrastructure (PKI) and to secure a server with HTTPS.
Serial Number: 14 (0xe)
Signature Algorithm: sha256WithRSAEncryption
Issuer: CN=I-CA
Validity
Not Before: Nov 29 14:20:54 2018 GMT
Not After : Nov 29 14:20:54 2020 GMT
Subject: CN=test.domain.net
Subject Public Key Info:

Certificate:
Data:
Version: 3 (0x2)
Serial Number: 15 (0xA)
Signature Algorithm: sha256WithRSAEncryption

You'll want to still maintain the CRL (certificate revocation list), so edit your copied 'revoke-full' and change the line for,

https://stackoverflow.com/questions/9496698/how-to-revoke-an-openssl-certificate-when-you-dont-have-the-certificate/9517132#9517132

Some more details (assuming default configuration): Grep. Fields such as Issued to and Serial Number can be compared to the fields in the CA certificate provided by the certificate authority. Like the other answers say, openssl ca usually keeps a copy of signed certificates in a subdirectory (newcerts or certs, or keys with easyrsa). The openssl ca -config openssl.cnf -gencrl -crldays 30 -out crl.pem will be the actual step to revoke the certificate, producing a signed list using the private key of the authority. http://curl.haxx.se/docs/adv_20150429.html. This certificate was deleted and I don't have it anymore. If anyone came here looking for help when they screwed up their revocation using OpenVPN's tool (like me), then you can copy the "revoke-full" script and make a change to it. I made an openssl certificate signed by the CA created on the local machine. Unfortunately you need a certificate present to revoke it. I don't see why not do it that way for all. Create a certificate using openssl ca -batch -config openssl.cnf -in some.csr -out some.crt; re-run openssl ca -batch -config openssl.cnf -in some.csr -out some.crt. Expected behaviour: the command should either overwrite some.crt with a new valid certificate or fail and not modify some.crt at all. I'm not sure why not for serial number.
Click Serial number or Thumbprint. Get the full details on the certificate: openssl x509 -text -in ibmcert.crt. Each time a new certificate is created, OpenSSL writes an entry in index.txt. For easy-rsa users it is: /etc/openvpn/easy-rsa/revoke-full /etc/openvpn/easy-rsa/01.pem, and the list of all signed certificates with their index can be found in /etc/openvpn/easy-rsa/keys/index.txt. @Thassilo Good to know, thanks to you as well (and a slightly late welcome to SO as well :). This is exactly what I needed. Info: Run man s_client to see all available options. openssl req -text -noout -verify -in testmastersite.csr. Serial Number Files: The openssl ca command uses two serial number files. Certificate serial number file. Without knowing what a certificate or a certificate authority is, it is harder to remember these steps. This will generate a random 128-bit serial number to start with.

On 08/21/2017 09:20 AM, Salz, Rich via openssl-users wrote:
> But in doing this, I can't figure out if there is a risk on serial
> number size for a root CA cert as there is for any other cert.

Generating a self-signed certificate with OpenSSL. This article is a quick reference to common OpenSSL commands that are useful in everyday scenarios, especially for system administrators. Create CA Certificate:

> > I don't understand what attack you are concerned about, but the size of the serial number should not matter for *any* certificate.

-create_serial is especially important. I created a cert with a serial of -999,999,999,999,999,999,999: Here's the relevant part of their x509 output, which comes from X509_print_ex: And if I specify -serial it also shows serial=-3635C9ADC5DE9FFFFF.
On some other version/environment, the serial number can be much shorter.) Don't misinterpret it as a normal integer datatype; OpenSSL uses the special ASN1_INTEGER data type, which is not really a 'number' but rather an array of bytes. Certificate: Data: Version: 3 (0x2) Serial Number: openssl automatically saves a copy of your cert in the newcerts directory. For example, if the CA certificate file is called "mycacert.pem", it expects to find a serial number file called "mycacert.srl". Now we will use the private key with openssl to create … Then click the line containing your selection; the certificate should be highlighted thereafter. Per the standard, the serial number should be unique per CA; however, it is up to the CA code to enforce this. It is possible to forge certificates based on the method presented by Stevens. If the file doesn't exist or is empty when the very first certificate is created, then 01 is used as the serial for it. Rich Salz recommended this SSL Cookbook to me. Also, I could not locate documentation that says the serial number should be colon separated.

Data:
Version: 3 (0x2)
Serial Number: xxxxxxxxxxxxxxxx
Signature Algorithm: sha1WithRSAEncryption
Issuer: CN=My organisation RootCA
Validity
Not Before: May 20 13:11:34 2016 GMT
Not After : May 20 13:21:34 2021 GMT
Subject: DC=org, DC=example, CN=My organisation Issuing CA

Similarly, EJBCA and NSS, among 5 other open source libraries, have the same vulnerability. To check if the same CA certificate was applied during manual enrollment, either click the CA button as specified in the Verify section or check the output of show crypto ca certificates. Landed in aff153f. So I guess there is some basis. @TobiasKienzler This solved my problem.
We will also add a section to the config file named [ v3_intermediate_ca ] that we will later use whenever we want to sign an intermediate certificate using our root CA. The current way is to prefix the octets with - to designate negative direction (a la integer). A smaller number that fits in a long, like -2000, shows Serial Number: -2000 (-0x7d0) and serial=-07D0. Return Values. But the way OpenSSL does it looks more correct, although again any change at this point may break a user's parsing. A copy of the serial number is used internally, so serial should be freed up after use. Without the "-set_serial" option, the resulting certificate will have a random serial number. Fixing this error is easy. Alternatively you can also change /etc/ssl/index.txt.attr to contain the line.

OpenSSL Thumbprint: -> openssl x509 -in CERTIFICATE_FILE -fingerprint -noout
Serial Number: -> openssl x509 -in CERTIFICATE_FILE -serial -noout
Note: use the real file name.

I should've tested the output of a large negative serial number to be sure. Use the "-CAcreateserial -CAserial herong.seq" option to let "OpenSSL" create and manage the serial number. Thus, the canonical way of doing it is something along the lines of: However, I add this answer to note that, with current versions, openssl ca -revoke ... seems to only update the index.txt file (it will nevertheless ask for the private key password, which is questioned there), so if you really don't have any certificate backup but still have the index.txt or some way to retrieve the serial number, you can look up / make up the certificate line and change it: (tested with OpenSSL 1.1.1c.) Shame, the i2c method still looks more correct to me and easier to parse! See the following for details: http://www.mad-hacking.net/documentation/linux/security/ssl-tls/revoking-certificate.xml. Juraj Sep 7, 2015 @ 15:16.
What libcurl is doing right now is the same as the OpenSSL 'serial' format, not the OpenSSL 'Serial Number' format. https://stackoverflow.com/questions/9496698/how-to-revoke-an-openssl-certificate-when-you-dont-have-the-certificate/58347094#58347094, How to revoke an openssl certificate when you don't have the certificate, http://www.mad-hacking.net/documentation/linux/security/ssl-tls/revoking-certificate.xml. Certificate Authority Functions: When setting up a new CA on a system, make sure index.txt and serial exist (empty and set to 01, respectively), and create the directories private and newcert. Also, if something goes wrong, you'll probably have a much harder time figuring out why. Edit openssl.cnf: change default_days, certificate and private_key, and possibly the key size (1024, 1280, 1536, 2048), to whatever is desired. Ok. Finally, we created two files, index.txt and serial. Perhaps it should be a full answer. OpenSSL in its output uses the colon as a separator, but only for long serial numbers (see openssl x509 -noout -text -in cert). Though changing it to be consistent with the others at this point may break a user's parsing of it. Not used as of OpenSSL 1.1.0 as a result of the deprecation of the -issuer_checks option. I assumed they were based on what I was reading. The serial number is taken from that file. And finally the -out option tells it to write the certificate to the ca-cert.pem file. That is sent to sed. Date: 2006-02-26 3:49:42 Message-ID: 20060226034942.GA68453

# Sign the certificate signing request
openssl x509 -req -days 365 -in signreq.csr -signkey privkey.pem -out certificate.pem

View certificate details. Although MD5 has been replaced by CAs now, with the development of technology, new attacks on the hash algorithms currently adopted by CAs, such as SHA-256, will probably occur in the future. It is therefore piped to cut -d'=' -f2, which splits the output on the equal sign and outputs the second part: 0123456709AB.
Certificate Signing Requests (CSRs). Long certificate serial number with OpenSSL backend is null. Yes, you can sign your own CSR (Certificate Signing Request) with a given serial number using the OpenSSL "req -x509 -set_serial" command as shown below. The serial file contains the serial number of the first certificate to be created; each later certificate will have the serial number of the previous certificate incremented by one. So it doesn't look like much of an issue anymore. X509_set_serialNumber() returns 1 for success and 0 for failure. I haven't tried this but it looks like you need something like this. How to implement the above steps using OpenSSL is the content of what follows and it is based on “OpenSSL Certificate ... certificates and serial ... certificate database and serial number. If you have no objections I'll replace that block with i2c_ASN1_INTEGER. X509_get_serialNumber() and X509_get0_serialNumber() return an ASN1_INTEGER structure. In lib/vtls/openssl.c in version 7.41.0 at line 2466 we have: Since bufp gets pushed to return a certificate serial number, setting the first character to null will always cause null to be returned; therefore, line 2477 should be removed. After that OpenSSL will increment the value each time a new certificate is generated. X509_V_ERR_KEYUSAGE_NO_CERTSIGN. You have to set an initial value like "1000" in the file. I wrote up a slightly modified fix, but based on your report and hints here. Similar to the [ req ] section, the [ ca ] section defines default parameter values for the openssl ca command, the interface to OpenSSL's minimal CA service. If you have published the original certificate, revoking the old one is however the preferable solution, even if you don't run an OCSP server or provide CRLs. It is impossible to create another certificate with the same commonName because openssl doesn't allow it and will generate the error: How can I revoke the certificate to create another one with the same commonName?
List: openssl-users Subject: Re: openssl req -x509 does not create serial-number 0 From: "Dr. Stephen Henson" On 2/25/06, Dr. Stephen Henson Encryption and then click on View Certificates. 1013, then execute the following command: The -keyfile and -cert mentioned in Nilesh's answer are only required if that deviates from your openssl.cnf settings. So grep /etc/ssl/index.txt to obtain the serial number of the key to be revoked, e.g. You may want to check it to retrieve your certificate. Then we use the -keyout option to tell openssl to write the created private key to the ca-key.pem file. openssl x509 -noout -serial -in cert.pem will output the serial number of the certificate, but in the format serial=0123456709AB. Take a look in your openssl.cnf and you should see the option "serial" with a path / file specified. Create Certificate Authority Certificate. The snprintf call attempts to create a colon separated string, but just the hexadecimal value is being inserted. I can see how matching OpenSSL's output could be valuable. Changing it could still be safe, as it was completely broken before and thus was never parsed successfully anyway. The only thing that looks strange in that area is the output of negative serial numbers.