Hi,
On Sun, 13 Apr 2014, Emmanuel Dreyfus wrote:
Christian Kratzer <ck-lists(a)cksoft.de> wrote:
> it is standard openssl behavior to load certs from CERTHASH.0 and crls
> from CERTHASH.r0
I am glad it makses some sense. Is it documented anywhere?
propably somewhere in the openssl documentation. I have been setting
up these symlinks for ages and can't remember where the reference is.
> You can generate the hash from a certificate using "openssl
x509 hash"
>
> ck@pohjola: {112} openssl x509 -noout -hash -in CA.cert
> faf58a99
>
> You generally set a symlink from the hash to your certificate and crl using
>
> ln -s CA.cert `openssl x509 -noout -hash -in CA.cert`.0
> ln -s CA.crl `openssl x509 -noout -hash -in CA.cert`.r0
I fixed the second like to be a link to the CRL and not to the CA.
It happily loads ${hash}.r0, it does not touch ${hash}.0, but it still
As you have explicitly configured you CA cert it does not need to look via hash.
It propably would when encountering a cert signed by a different CA than
the one you configured but I am not that 100% on the actual logic.
looks for an inexistant ${hash}.r1 file. What should be there?
Propably an update to the crl. You would have to lookup the openssl
docs to be sure.
Greetings
Christian
--
Christian Kratzer CK Software GmbH
Email: ck(a)cksoft.de Wildberger Weg 24/2
Phone: +49 7032 893 997 - 0 D-71126 Gaeufelden
Fax: +49 7032 893 997 - 9 HRB 245288, Amtsgericht Stuttgart
Mobile: +49 171 1947 843 Geschaeftsfuehrer: Christian Kratzer
Web:
http://www.cksoft.de/