- general OpenSSL configuration
- engine configuration
- new OIDs
- CA configuration
- CRL extension configuration
- certificate extension configuration
- CRL distribution points
- subject alternative names
- new

- set_engine

- set_profile

- set_cert_list

This method prepares the OpenSSL-specific representation of the certificate database (index.txt) that is used for CRL issuance. The method expects an arrayref containing a list of all certificates to revoke.
A single entry in this array may be one of the following:
o a single certificate (see below on how to specify a certificate)

o an arrayref of the format [ certificate, revocation_timestamp, reason_code, invalidity_timestamp ]

With the exception of the certificate, all additional parameters are optional and can be left out.

If a revocation_timestamp is specified, it is used as the revocation time in the generated CRL. The timestamp is given in seconds since the epoch.
The reason code is accepted literally. It should be one of the CRL reason codes known to OpenSSL.

The reason codes

    removeFromCRL

are currently not handled correctly and should be avoided. They are currently passed through to the CRL unchanged, which may not have the desired result.

If the reason code is not one of the accepted values, a warning is logged and the reason code is set to unspecified, so that the certificate still gets revoked.
If an invalidity_timestamp is specified, it is used as the invalidity date in the generated CRL. The timestamp is given in seconds since the epoch.
A certificate can be specified as
o a PEM encoded X.509v3 certificate (scalar)

o a reference to an OpenXPKI::Crypto::Backend::OpenSSL::X509 object

o a string containing the serial number of the certificate to revoke
Depending on how the certificate to revoke was specified, the method has to perform several steps to deduce the information needed for CRL issuance. If a PEM encoded certificate is passed, the method must parse the certificate before it can build the revocation data list. This parsing introduces considerable overhead, which may affect system behaviour if many certificates are to be revoked. The lowest overhead is achieved by specifying the serial number to put on the revocation list literally.

NOTE: No attempt is made to verify the specified serial numbers; in particular, in the raw serial number case there is not even a check that such a serial number exists at all.
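As an added illustration, not code from OpenXPKI itself, the following Python renders entries of the kind set_cert_list accepts (a bare serial number, or [ serial, revocation_timestamp, reason_code, invalidity_timestamp ] with epoch-second timestamps) into the revoked rows of an index.txt as `openssl ca -gencrl` reads them. It assumes serial numbers are decimal strings or integers and handles only the serial-number form of a certificate; the expiry time and subject DN for each row are constructed placeholders, since nothing but a parsed certificate could supply them. The reason-code list is the one `openssl ca -crl_reason` accepts, and the invalidity timestamp is encoded the way OpenSSL's ca tool stores a compromise time (the pseudo reasons keyTime and CAkeyTime followed by a GeneralizedTime). The reason-code fallback to unspecified and the absence of any serial-number check mirror the behaviour described above.

```python
"""Render set_cert_list-style revocation entries as index.txt rows for openssl ca.

Illustration only: this is not OpenXPKI's implementation. It shows what the
[serial, revocation_timestamp, reason_code, invalidity_timestamp] entries have
to become before `openssl ca -gencrl` can consume them.
"""
import warnings
from datetime import datetime, timezone

# Reason names accepted by `openssl ca -crl_reason` (RFC 5280 CRLReason).
VALID_REASONS = (
    "unspecified", "keyCompromise", "CACompromise", "affiliationChanged",
    "superseded", "cessationOfOperation", "certificateHold", "removeFromCRL",
)

# openssl ca stores a compromise ("invalidity") time in index.txt under these
# pseudo reasons; a plain keyCompromise/CACompromise row carries no time.
COMPROMISE_PSEUDO_REASON = {"keyCompromise": "keyTime", "CACompromise": "CAkeyTime"}


def utc_time(epoch_seconds):
    """ASN.1 UTCTime as written in index.txt: YYMMDDHHMMSSZ."""
    return datetime.fromtimestamp(epoch_seconds, tz=timezone.utc).strftime("%y%m%d%H%M%SZ")


def generalized_time(epoch_seconds):
    """ASN.1 GeneralizedTime used for the compromise time: YYYYMMDDHHMMSSZ."""
    return datetime.fromtimestamp(epoch_seconds, tz=timezone.utc).strftime("%Y%m%d%H%M%SZ")


def normalize_entry(entry, now):
    """Expand a bare serial or a [serial, rev_ts, reason, invalidity_ts] list.

    All fields but the serial are optional. An unknown reason code is logged
    and degraded to 'unspecified' so the certificate is still revoked. The
    serial itself is never validated (assumed to be a decimal string or int).
    """
    fields = list(entry) if isinstance(entry, (list, tuple)) else [entry]
    fields += [None] * (4 - len(fields))
    serial, rev_ts, reason, invalidity_ts = fields[:4]
    if rev_ts is None:
        rev_ts = now
    if reason is not None and reason not in VALID_REASONS:
        warnings.warn(f"unknown reason code {reason!r} for serial {serial}; using 'unspecified'")
        reason = "unspecified"
    return serial, rev_ts, reason, invalidity_ts


def revocation_field(rev_ts, reason, invalidity_ts):
    """Third index.txt column: 'revtime[,reason[,extra]]'."""
    parts = [utc_time(rev_ts)]
    if invalidity_ts is not None and reason in COMPROMISE_PSEUDO_REASON:
        parts += [COMPROMISE_PSEUDO_REASON[reason], generalized_time(invalidity_ts)]
    else:
        if invalidity_ts is not None:
            warnings.warn(f"invalidity time dropped for reason {reason!r}: "
                          "openssl ca only stores it for key/CA compromise")
        if reason is not None:
            parts.append(reason)
    return ",".join(parts)


def index_line(entry, now, expiry_ts, subject="/CN=unknown"):
    """One tab-separated 'R' row: type, expiry, revocation info, serial, file, subject.

    expiry_ts and subject are placeholders here (constructed); -gencrl only
    needs the serial and the revocation column of revoked rows.
    """
    serial, rev_ts, reason, invalidity_ts = normalize_entry(entry, now)
    serial_hex = format(int(serial), "X")
    if len(serial_hex) % 2:  # BN_bn2hex style: whole bytes, uppercase
        serial_hex = "0" + serial_hex
    return "\t".join(["R", utc_time(expiry_ts),
                      revocation_field(rev_ts, reason, invalidity_ts),
                      serial_hex, "unknown", subject])


def render_index(entries, now, expiry_ts):
    """Render all entries as the revoked part of an index.txt."""
    return "\n".join(index_line(e, now, expiry_ts) for e in entries) + "\n"


if __name__ == "__main__":
    # Constructed sample input: 2016-04-03 00:00:00Z as "now", expiry one year later.
    now, expiry = 1459641600, 1491177600
    entries = [
        "4096",                                              # bare serial, all defaults
        [255, now - 86400, "keyCompromise", now - 2 * 86400],  # full entry
        [1, None, "bogusReason"],                            # degrades to 'unspecified'
    ]
    print(render_index(entries, now, expiry), end="")
```

Feeding the rendered rows to `openssl ca -gencrl` is what turns the set_cert_list input into a CRL; note that an invalidity timestamp combined with a reason other than keyCompromise or CACompromise has no representation in index.txt and is dropped with a warning here.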
- dump

- get_config_filename
    my $profile = OpenXPKI::Crypto::Backend::OpenSSL::Config->new({
        TMP => '/tmp',
    });
    $profile->set_engine($engine);
    $profile->set_profile($crl_profile);
    $profile->dump();
    my $conf = $profile->get_config_filename();

    # ... execute an OpenSSL command with -config $conf ...
    # ... or execute an OpenSSL command with OPENSSL_CONF=$conf openssl ...
OpenXPKI::Crypto::Profile::Base, OpenXPKI::Crypto::Profile::CRL, OpenXPKI::Crypto::Profile::Certificate and OpenXPKI::Crypto::Backend::OpenSSL
perl v5.20.3    OPENXPKI::CRYPTO::BACKEND::OPENSSL::CONFIG (3)    2016-04-03