
FreeBSD Manual Pages




       This module was designed to create an OpenSSL configuration on the fly
       for the various operations of OpenXPKI. The module supports the
       following section types:

       - general OpenSSL configuration
       - engine	configuration
       - new OIDs
       - CA configuration
       - CRL extension configuration
       - certificate extension configuration
       - CRL distribution points
       - subject alternative names

       - new
       - set_engine
       - set_profile
       - set_cert_list
	   This	method prepares	the OpenSSL-specific representation of the
	   certificate database	(index.txt). The method	expects	an arrayref
	   containing a	list of	all certificates to revoke.

	   A single entry in this array	may be one of the following:

	   o   a single certificate (see below on how to specify a
	       certificate)

	   o   an arrayref of the format [ certificate,	revocation_timestamp,
	       reason_code, invalidity_timestamp ]

	   With the exception of the certificate, all additional parameters
	   are optional and can be left out.

	   If a	revocation_timestamp is	specified, it is used as the
	   revocation timestamp	in the generated CRL.  The timestamp is
	   specified in	seconds	since epoch.

	   The reason code is accepted literally. It should be one of the
	   reason names that OpenSSL's ca(1) accepts: 'unspecified',
	   'keyCompromise', 'CACompromise', 'affiliationChanged',
	   'superseded', 'cessationOfOperation', 'certificateHold' or
	   'removeFromCRL'.

	   The hold-related reason code 'removeFromCRL' is currently not
	   handled correctly and should be avoided. It is simply passed
	   through into the CRL, which may not have the desired result.

	   If the reason code is incorrect, a warning is logged	and the	reason
	   code	is set to 'unspecified'	in order to make sure the certificate
	   gets	revoked	at all.

	   If an invalidity_timestamp is specified, it is used as the
	   invalidity timestamp in the generated CRL.  The timestamp is
	   specified in seconds since epoch.

	   A certificate can be	specified as

	   o   a PEM encoded X.509v3 certificate (scalar)

	   o   a reference to an OpenXPKI::Crypto::Backend::OpenSSL::X509
	       object

	   o   a string containing the serial number of the certificate to
	       revoke

	   Depending on the way the certificate to revoke was specified, the
	   method has to perform several actions to deduce the information
	   needed for CRL issuance.  If a PEM encoded certificate is passed,
	   the method is forced to parse the certificate before it can build
	   the revocation data list.  This parsing adds considerable overhead
	   and can affect system behaviour when many certificates are to be
	   revoked.  The lowest overhead is achieved by specifying the serial
	   number to put on the revocation list literally.

	   NOTE: No attempt is made to verify the validity of the specified
	   serial numbers; in particular, in the "raw serial number" case
	   there is no check that such a serial number exists at all.
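       The entry format, timestamps and reason-code fallback described above,
       modelled as an added example. This is not OpenXPKI's Perl
       implementation of set_cert_list; it is written in Python so it runs
       without OpenXPKI installed, and it emits the "R" lines of an OpenSSL
       index.txt, the file that "openssl ca -gencrl" reads. Assumptions,
       also marked in the code: a bare serial is a hex string (an int is
       taken as decimal); the expiry and subject columns are supplied by the
       caller because a bare serial carries neither; an invalidity timestamp
       is written with OpenSSL's keyTime/CAkeyTime pseudo-reasons, the only
       way index.txt carries a compromise time, and is dropped with a
       warning for other reasons; the hold reasons are passed through
       unmodified, as the text above says the module does.

```python
"""Model of the OpenSSL index.txt revocation entries behind a set_cert_list-style
list. Added example, not OpenXPKI code."""
import logging
from datetime import datetime, timezone

log = logging.getLogger("revocation-db")

# Reason names openssl ca accepts (ca(1), -crl_reason). OpenSSL matches them
# case-insensitively; index.txt stores the canonical spelling.
OPENSSL_CRL_REASONS = (
    "unspecified", "keyCompromise", "CACompromise", "affiliationChanged",
    "superseded", "cessationOfOperation", "certificateHold", "removeFromCRL",
)
# The hold/unhold pair: passed through verbatim here, hold semantics not modelled.
HOLD_REASONS = ("certificateHold", "removeFromCRL")
# index.txt carries a compromise (invalidity) time only via these pseudo-reasons
# (ca(1): -crl_compromise / -crl_CA_compromise).
COMPROMISE_TIME_REASON = {"keyCompromise": "keyTime", "CACompromise": "CAkeyTime"}


def utc_time(epoch_seconds):
    """Revocation and expiry dates in index.txt are UTCTime: YYMMDDHHMMSSZ."""
    return datetime.fromtimestamp(int(epoch_seconds), tz=timezone.utc).strftime("%y%m%d%H%M%SZ")


def generalized_time(epoch_seconds):
    """Compromise times in index.txt are GeneralizedTime: YYYYMMDDHHMMSSZ."""
    return datetime.fromtimestamp(int(epoch_seconds), tz=timezone.utc).strftime("%Y%m%d%H%M%SZ")


def normalise_reason(reason):
    """Canonical OpenSSL spelling; anything unknown becomes 'unspecified' with a
    warning, so the certificate is still revoked (the fallback the man page describes)."""
    for name in OPENSSL_CRL_REASONS:
        if name.lower() == str(reason).lower():
            if name in HOLD_REASONS:
                log.warning("reason %r passed through unmodified; hold handling not modelled", name)
            return name
    log.warning("unknown reason code %r, falling back to 'unspecified'", reason)
    return "unspecified"


def normalise_serial(serial):
    """index.txt wants upper-case hex with an even number of digits.
    Assumption for this example: int means decimal, str means hex (0x prefix optional)."""
    if isinstance(serial, int):
        hexstr = format(serial, "X")
    else:
        hexstr = str(serial).strip().lower()
        if hexstr.startswith("0x"):
            hexstr = hexstr[2:]
        int(hexstr, 16)  # reject junk before it reaches the database
        hexstr = hexstr.upper()
    return hexstr if len(hexstr) % 2 == 0 else "0" + hexstr


def revocation_field(revocation_ts, reason=None, invalidity_ts=None):
    """Third index.txt column: date[,reason[,compromise_time]]."""
    field = utc_time(revocation_ts)
    if reason is None:
        if invalidity_ts is not None:
            log.warning("invalidity time dropped: index.txt carries it only with a compromise reason")
        return field
    reason = normalise_reason(reason)
    if invalidity_ts is not None:
        if reason in COMPROMISE_TIME_REASON:
            return f"{field},{COMPROMISE_TIME_REASON[reason]},{generalized_time(invalidity_ts)}"
        log.warning("invalidity time dropped for reason %r", reason)
    return f"{field},{reason}"


def index_line(entry, not_after, now, subject="/CN=unknown"):
    """One 'R' line for an entry in set_cert_list's shape: a bare serial or
    [serial, revocation_ts, reason, invalidity_ts] with trailing elements optional.
    not_after (epoch seconds) and subject are placeholders the caller supplies;
    `openssl ca -gencrl` consults only the status, revocation and serial columns.
    `now` is used when no revocation timestamp is given."""
    if not isinstance(entry, (list, tuple)):
        entry = [entry]
    serial = entry[0]
    rev_ts = entry[1] if len(entry) > 1 and entry[1] is not None else now
    reason = entry[2] if len(entry) > 2 else None
    invalidity = entry[3] if len(entry) > 3 else None
    columns = ["R", utc_time(not_after), revocation_field(rev_ts, reason, invalidity),
               normalise_serial(serial), "unknown", subject]  # "unknown" = certificate file column
    return "\t".join(columns)


def build_index(entries, not_after, now):
    """The whole database: one newline-terminated line per revoked certificate."""
    return "".join(index_line(e, not_after, now) + "\n" for e in entries)


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    # Constructed sample input in the arrayref shape described by the man page.
    sample = [
        "0x1A2B",
        ["2C3D", 1700000000, "keyCompromise", 1699000000],
        ["3E4F", 1700000000, "bogus"],
        [4660, None, "certificateHold"],
    ]
    print(build_index(sample, not_after=1800000000, now=1700000000), end="")
```

       Running it prints four lines; the "bogus" reason is logged and
       replaced by 'unspecified', and the certificateHold entry is logged as
       passed through. The same database can then be referenced from the
       [ca] section of the generated configuration and turned into a CRL
       with "openssl ca -config $conf -gencrl".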

       - dump
       - get_config_filename

       my $profile = OpenXPKI::Crypto::Backend::OpenSSL::Config->new (
           {
               TMP => '/tmp',
           });
       $profile->set_engine($engine);
       $profile->set_profile($crl_profile);
       $profile->dump();
       my $conf = $profile->get_config_filename();
       ... execute an OpenSSL command with "-config $conf" ...
       ... or execute an OpenSSL command with "OPENSSL_CONF=$conf openssl" ...

See Also
       OpenXPKI::Crypto::Profile::Base,	OpenXPKI::Crypto::Profile::CRL,
       OpenXPKI::Crypto::Profile::Certificate and

perl v5.24.1			 OpenXPKI::Crypto::Backend::OpenSSL::Config(3)

