Hi,
On Sun, 13 Apr 2014, Emmanuel Dreyfus wrote: <snipp/>
> Why the cryptic file names? And why do I need a second 0726b466.r1 file?
> Using TLS_CRLCHECK peer instead of TLS_CRLCHECK all does not change the behavior.
> And is OpenSSL CRL supposed to work? This is OpenLDAP 2.4.33
It is standard openssl behavior to load certs from CERTHASH.0 and CRLs from CERTHASH.r0.
You can generate the hash from a certificate using "openssl x509 -hash":
ck@pohjola: {112} openssl x509 -noout -hash -in CA.cert
faf58a99
You generally set a symlink from the hash to your certificate and CRL using:
ln -s CA.cert `openssl x509 -noout -hash -in CA.cert`.0
ln -s CA.crl `openssl x509 -noout -hash -in CA.cert`.r0
This logic is buried somewhere deep inside openssl and is activated when you configure the CA directory instead of explicit certs.
Greetings
Christian
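As an added, self-contained illustration of the hash-directory convention Christian describes (this is not code from the thread or from OpenLDAP/OpenSSL), the script below builds a throwaway CA, a leaf certificate and a CRL in a scratch directory, links them into a CA directory as HASH.0 and HASH.r0, and runs `openssl verify -CApath ... -crl_check` before and after revoking the leaf. The `next_free_suffix` helper is where the `.1` / `.r1` names come from: OpenSSL walks HASH.0, HASH.1, ... and HASH.r0, HASH.r1, ... until a file is missing, so a second CA or a second CRL that lands on the same hash takes the next number. The CA name, file names and config are constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the mailing-list thread: build an OpenSSL
# "CA directory" by hand (CERTHASH.N for CA certs, CERTHASH.rN for CRLs)
# and verify a leaf certificate against it with CRL checking. The CA,
# names and config below are constructed for this demo.
set -eu

# First unused slot for HASH in DIR. OpenSSL's directory lookup tries
# HASH.0, HASH.1, ... for certificates and HASH.r0, HASH.r1, ... for CRLs,
# so two CAs (or two CRLs) landing on the same hash get consecutive numbers.
# Usage: next_free_suffix DIR HASH [r]
next_free_suffix() {
    _dir=$1; _hash=$2; _kind=${3:-}; _n=0
    while [ -e "$_dir/$_hash.$_kind$_n" ]; do
        _n=$((_n + 1))
    done
    echo "$_n"
}

# Absolute path without relying on realpath(1), which not every system has.
abspath() {
    echo "$(cd "$(dirname "$1")" && pwd)/$(basename "$1")"
}

# Link CERT (and optionally CRL) into DIR under the CA's subject hash, the
# same value `openssl x509 -noout -hash -in CERT` prints.
# Usage: install_ca DIR CERT [CRL]
install_ca() {
    _dir=$1; _cert=$2; _crl=${3:-}
    _h=$(openssl x509 -noout -hash -in "$_cert")
    ln -s "$(abspath "$_cert")" "$_dir/$_h.$(next_free_suffix "$_dir" "$_h")"
    if [ -n "$_crl" ]; then
        ln -s "$(abspath "$_crl")" "$_dir/$_h.r$(next_free_suffix "$_dir" "$_h" r)"
    fi
}

# Throwaway CA + leaf + CRL, then verification before and after revocation.
# Returns 0 when the hash-directory lookup behaved as expected.
demo() {
    work=$(mktemp -d); cd "$work"
    mkdir cacerts db; : > db/index.txt; echo 1000 > db/crlnumber
    # Minimal config serving both `openssl req -x509` and `openssl ca`.
    cat > ca.cnf <<'EOF'
[ req ]
distinguished_name = req_dn
x509_extensions = v3_ca
[ req_dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ ca ]
default_ca = local_ca
[ local_ca ]
database = db/index.txt
crlnumber = db/crlnumber
certificate = CA.cert
private_key = ca.key
default_md = sha256
default_crl_days = 30
EOF
    openssl req -x509 -config ca.cnf -newkey rsa:2048 -nodes -keyout ca.key \
        -out CA.cert -subj "/CN=Example Test CA" -days 30 2>/dev/null
    openssl req -config ca.cnf -newkey rsa:2048 -nodes -keyout leaf.key \
        -out leaf.csr -subj "/CN=ldap.example.test" 2>/dev/null
    openssl x509 -req -in leaf.csr -CA CA.cert -CAkey ca.key -CAcreateserial \
        -days 30 -out leaf.cert 2>/dev/null
    openssl ca -config ca.cnf -gencrl -out CA.crl 2>/dev/null

    install_ca cacerts CA.cert CA.crl
    ls -l cacerts            # HASH.0 -> CA.cert and HASH.r0 -> CA.crl

    # Empty CRL: the chain builds from the hash dir and the leaf is accepted.
    openssl verify -CApath cacerts -crl_check leaf.cert

    # Revoke the leaf and reissue the CRL (the .r0 link follows the file);
    # the same lookup must now reject it.
    openssl ca -config ca.cnf -revoke leaf.cert 2>/dev/null
    openssl ca -config ca.cnf -gencrl -out CA.crl 2>/dev/null
    if openssl verify -CApath cacerts -crl_check leaf.cert; then
        echo "revoked certificate was accepted" >&2; return 1
    fi
    echo "revoked certificate rejected as expected"
}

if command -v openssl >/dev/null 2>&1; then
    ( demo )
fi
```

In practice `c_rehash` (or `openssl rehash` on newer releases) does the linking for you. One caveat worth checking when a directory built on one machine is not honoured on another: the subject hash algorithm changed in OpenSSL 1.0.0, and the pre-1.0.0 value is only available as `openssl x509 -subject_hash_old`, so a CA directory must be hashed with the same OpenSSL generation that the consumer (here the OpenSSL library libldap is linked against) uses.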