I’m trying to understand some code someone wrote as a wrapper for the openssl library / tool, with a view to updating it.
I'm completely new to openssl and PKI in general. I found the following docs / references to help navigate but I wasn't able to find answer to my question.
http://users.dcc.uchile.cl/~pcamacho/tutorial/crypto/openssl/openssl_intro.html
http://www.madboa.com/geek/openssl/
But I wasn't able to find the answer to my question.
GOAL
What I need to accomplish is to modify some code so that duplicate certs with the same common name and email addresses CANNOT be created if the cert is still active. I am planning on checking the index.txt to see if a cert with the same common name exists, and if it hasn't been revoked, I'll prevent user from creating it again.
Problem:
When I create a certificate using this webtool, I see that the index.txt file in /etc/ssl/ is updated with a record starting with a "V". When I revoke a certificated, the V is changed to R. However, when I delete a certificate, nothing is updated in the index.txt file. The record remains the same -it's not updated with a new status, nor is it deleted from the file.
QUESTIONS
Is it a bug that the openssl index.txt file is not updated when a cert is deleted?
If it is, what is the command to update the index.txt to remove a cert?
Maybe the wrapper is where the problem is ... the developer may have just forgotten to run a command line tool to update in index.txt file? I guess I just don't know how openssl is supposed to handle a cert deletion and therefore, i can't tell if i have a bug or not... and who's bug it is.
Is there a way using the openssl toolset to check for duplicate certs so that I don't have to manually check index.txt?
Thanks for the help.
Deleting a certificate is not an operation a CA would typically implement. To make a certificate invalid before the validity period ends, it is revoked. But they are not normally deleted, since a CA would want to track which certificates it has issued. So I am not sure why you are looking into deleting certificates.
However, you seem to be using openssl ca
with the example CA scripts bundled with OpenSSL. Depending on your exact needs, you might be looking for the unique_subject
configuration file option which enforces that only a single valid certificate for any subject can exist at the same time.