Hi,
On Sun, 13 Apr 2014, Emmanuel Dreyfus wrote:
Christian Kratzer ck-lists@cksoft.de wrote:
it is standard openssl behavior to load certs from CERTHASH.0 and crls from CERTHASH.r0
I am glad it makses some sense. Is it documented anywhere?
propably somewhere in the openssl documentation. I have been setting up these symlinks for ages and can't remember where the reference is.
You can generate the hash from a certificate using "openssl x509 hash"
ck@pohjola: {112} openssl x509 -noout -hash -in CA.cert faf58a99You generally set a symlink from the hash to your certificate and crl using
ln -s CA.cert `openssl x509 -noout -hash -in CA.cert`.0 ln -s CA.crl `openssl x509 -noout -hash -in CA.cert`.r0I fixed the second like to be a link to the CRL and not to the CA.
It happily loads ${hash}.r0, it does not touch ${hash}.0, but it still
As you have explicitly configured you CA cert it does not need to look via hash.
It propably would when encountering a cert signed by a different CA than the one you configured but I am not that 100% on the actual logic.
looks for an inexistant ${hash}.r1 file. What should be there?
Propably an update to the crl. You would have to lookup the openssl docs to be sure.
Greetings Christian