Manual Reference Pages  -  OPENXPKI::CRYPTO::BACKEND::OPENSSL::CONFIG (3)


Name

OpenXPKI::Crypto::Backend::OpenSSL::Config


Description

This module was designed to create an OpenSSL configuration on the fly for the various operations of OpenXPKI. The module supports the following section types:
- general OpenSSL configuration
- engine configuration
- new OIDs
- CA configuration
- CRL extension configuration
- certificate extension configuration
- CRL distribution points
- subject alternative names

Functions

- new
- set_engine
- set_profile
- set_cert_list

This method prepares the OpenSSL-specific representation of the certificate database (index.txt). The method expects an arrayref containing a list of all certificates to revoke.

A single entry in this array may be one of the following:
o a single certificate (see below on how to specify a certificate)
o an arrayref of the format [ certificate, revocation_timestamp, reason_code, invalidity_timestamp ]

With the exception of the certificate all additional parameters are optional and can be left out.

If a revocation_timestamp is specified, it is used as the revocation timestamp in the generated CRL. The timestamp is specified in seconds since epoch.

The reason code is accepted literally. It should be one of
'unspecified',
'keyCompromise',
'CACompromise',
'affiliationChanged',
'superseded',
'cessationOfOperation'.

The reason codes
'certificateHold',
'removeFromCRL'
are currently not handled correctly and should be avoided. They are currently simply passed into the CRL, which may not have the desired result.

If the reason code is incorrect, a warning is logged and the reason code is set to 'unspecified' in order to make sure the certificate gets revoked at all.

If an invalidity_timestamp is specified, it is used as the invalidity timestamp in the generated CRL. The timestamp is specified in seconds since epoch.

A certificate can be specified as
o a PEM encoded X.509v3 certificate (scalar)
o a reference to an OpenXPKI::Crypto::Backend::OpenSSL::X509 object
o a string containing the serial number of the certificate to revoke

Depending on the way the certificate to revoke was specified, the method has to perform several actions to deduce the correct information for CRL issuance. If a PEM encoded certificate is passed, the method is forced to parse the certificate before it can build the revocation data list. This operation introduces a huge overhead which may influence system behaviour if many certificates are to be revoked. The lowest possible overhead is introduced by the literal specification of the serial number to put on the revocation list.

NOTE: No attempt is made to verify the validity of the specified serial numbers; in particular, in the raw serial number case there is not even a check whether such a serial number exists at all.

- dump
- get_config_filename
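The following script is an added example, not code from the OpenXPKI project. It shows how the entry shapes accepted by set_cert_list (a bare certificate specifier, or an arrayref [ certificate, revocation_timestamp, reason_code, invalidity_timestamp ]) can be normalized before they are handed to the module, applying the documented rules: the certificate is mandatory, the other fields are optional, the two problematic reason codes are passed through with a warning, and an unknown reason code is replaced by 'unspecified' so the certificate is still revoked. The helper names, the "default to now" rule for a missing revocation timestamp, the serial numbers and the index.txt-style column rendering are all assumptions made for the illustration; only the rules on reason codes and field order come from this page.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use POSIX qw(strftime);

# Reason codes the documentation lists as handled correctly.
my %SAFE_REASON = map { $_ => 1 } qw(
    unspecified keyCompromise CACompromise
    affiliationChanged superseded cessationOfOperation
);
# Listed in the documentation as accepted but not handled correctly.
my %PROBLEMATIC_REASON = map { $_ => 1 } qw(certificateHold removeFromCRL);

# Format seconds since epoch as the UTC time string used in index.txt (YYMMDDHHMMSSZ).
sub openssl_time {
    my ($epoch) = @_;
    return strftime('%y%m%d%H%M%SZ', gmtime($epoch));
}

# Normalize one set_cert_list entry into a hash carrying all four documented fields.
# Accepts either a bare certificate specifier or an arrayref
# [ certificate, revocation_timestamp, reason_code, invalidity_timestamp ].
sub normalize_entry {
    my ($entry, $now) = @_;
    my ($cert, $rev_ts, $reason, $inv_ts) =
        ref($entry) eq 'ARRAY' ? @$entry : ($entry);

    die "certificate is mandatory\n" unless defined $cert;
    $rev_ts = $now           unless defined $rev_ts;   # assumption: revoke "now" if omitted
    $reason = 'unspecified'  unless defined $reason;   # assumption: default reason

    if ($PROBLEMATIC_REASON{$reason}) {
        warn "reason code '$reason' is passed through but not handled correctly\n";
    } elsif (!$SAFE_REASON{$reason}) {
        # Documented behaviour: unknown reason -> warn and fall back to 'unspecified'
        warn "unknown reason code '$reason', using 'unspecified'\n";
        $reason = 'unspecified';
    }

    return {
        certificate          => $cert,
        revocation_timestamp => $rev_ts,
        reason_code          => $reason,
        invalidity_timestamp => $inv_ts,
    };
}

# Render the revocation-date column of an index.txt row as
# "<revocation date>,<reason>[,<invalidity date>]".
# Constructed illustration of the layout; not the module's own output.
sub revocation_column {
    my ($e) = @_;
    my $col = openssl_time($e->{revocation_timestamp}) . ',' . $e->{reason_code};
    $col .= ',' . openssl_time($e->{invalidity_timestamp})
        if defined $e->{invalidity_timestamp};
    return $col;
}

# Constructed sample input mixing the documented entry shapes.
my $now = 1459641600;    # 2016-04-03 00:00:00 UTC (constructed)
my @to_revoke = (
    '6699',                                           # serial number only: cheapest form
    [ '6700', 1459555200, 'keyCompromise', 1459468800 ],
    [ '6701', undef, 'bogusReason' ],                 # triggers the 'unspecified' fallback
);

my @normalized = map { normalize_entry($_, $now) } @to_revoke;

for my $e (@normalized) {
    printf "%-6s %s\n", $e->{certificate}, revocation_column($e);
}
# The original entries in @to_revoke are what the page describes passing to
# $profile->set_cert_list(\@to_revoke); the normalization above only makes the
# documented defaults and fallbacks visible before that call.
```

Running the script prints one line per certificate and emits two warnings on STDERR, one for the unknown reason code and none for the first two entries; the third entry ends up with reason 'unspecified' rather than being dropped, which is the documented behaviour.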

Example

    my $profile = OpenXPKI::Crypto::Backend::OpenSSL::Config->new (
        {
            TMP => '/tmp',
        });
    $profile->set_engine($engine);
    $profile->set_profile($crl_profile);
    $profile->dump();
    my $conf = $profile->get_config_filename();
    ... execute an OpenSSL command with -config $conf ...
    ... or execute an OpenSSL command with OPENSSL_CONF=$conf openssl ...

See Also

OpenXPKI::Crypto::Profile::Base, OpenXPKI::Crypto::Profile::CRL, OpenXPKI::Crypto::Profile::Certificate and OpenXPKI::Crypto::Backend::OpenSSL


perl v5.20.3 OPENXPKI::CRYPTO::BACKEND::OPENSSL::CONFIG (3) 2016-04-03
