Re: CRL with OpenSSL
Hi,
On Sun, 13 Apr 2014, Emmanuel Dreyfus wrote:
Christian Kratzer <ck-lists@cksoft.de> wrote:
it is standard openssl behavior to load certs from CERTHASH.0 and crls
from CERTHASH.r0
I am glad it makes some sense. Is it documented anywhere?
Probably somewhere in the openssl documentation. I have been setting
up these symlinks for ages and can't remember where the reference is.
You can generate the hash from a certificate using "openssl x509 hash"
ck@pohjola: {112} openssl x509 -noout -hash -in CA.cert
faf58a99
You generally set a symlink from the hash to your certificate and crl using
ln -s CA.cert `openssl x509 -noout -hash -in CA.cert`.0
ln -s CA.crl `openssl x509 -noout -hash -in CA.cert`.r0
I fixed the second line to be a link to the CRL and not to the CA.
It happily loads ${hash}.r0, it does not touch ${hash}.0, but it still
As you have explicitly configured your CA cert it does not need to look via hash.
It probably would when encountering a cert signed by a different CA than
the one you configured but I am not that 100% on the actual logic.
looks for a nonexistent ${hash}.r1 file. What should be there?
Probably an update to the crl. You would have to look up the openssl
docs to be sure.
Greetings
Christian
--
Christian Kratzer CK Software GmbH
Email: ck@cksoft.de Wildberger Weg 24/2
Phone: +49 7032 893 997 - 0 D-71126 Gaeufelden
Fax: +49 7032 893 997 - 9 HRB 245288, Amtsgericht Stuttgart
Mobile: +49 171 1947 843 Geschaeftsfuehrer: Christian Kratzer
Web: http://www.cksoft.de/
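
The HASH.0 / HASH.r0 links discussed in this thread, as an added example that is not part of the original messages and is not OpenSSL's own tooling. OpenSSL's X509_LOOKUP_hash_dir documentation describes the trailing number as a sequence number that starts at zero and increases for each certificate or CRL sharing the same hash, so the sketch takes the first unused number. The helper names link_hashed and crl_matches_ca are hypothetical; CA.cert and CA.crl are the file names used in the thread.

```shell
#!/bin/sh
# Added example; link_hashed and crl_matches_ca are hypothetical helper names.

# crl_matches_ca CA_CERT CRL: succeed only if the CRL's issuer-name hash equals
# the CA certificate's subject-name hash, i.e. both belong under the same HASH.
crl_matches_ca() {
    ca_hash=$(openssl x509 -noout -hash -in "$1") || return 2
    crl_hash=$(openssl crl -noout -hash -in "$2") || return 2
    [ "$ca_hash" = "$crl_hash" ]
}

# link_hashed DIR FILE: symlink a PEM CA certificate as DIR/HASH.N or a PEM CRL
# as DIR/HASH.rN, using the first unused N, and print the link name.
link_hashed() {
    dir=$1
    file=$2
    if grep -q 'BEGIN X509 CRL' "$file"; then
        hash=$(openssl crl -noout -hash -in "$file") || return 1
        stem="$hash.r"
    else
        hash=$(openssl x509 -noout -hash -in "$file") || return 1
        stem="$hash."
    fi
    n=0
    while [ -e "$dir/$stem$n" ] || [ -L "$dir/$stem$n" ]; do
        # Same content already linked under this name: report it and stop.
        if cmp -s "$dir/$stem$n" "$file"; then
            printf '%s\n' "$stem$n"
            return 0
        fi
        # Name taken by a different file with the same hash: try the next number.
        n=$((n + 1))
    done
    abs=$(cd "$(dirname "$file")" && pwd)/$(basename "$file")
    ln -s "$abs" "$dir/$stem$n" && printf '%s\n' "$stem$n"
}

# Typical use with the thread's files (the directory name is an assumption):
#   crl_matches_ca CA.cert CA.crl && link_hashed /path/to/hashdir CA.crl
```

Running crl_matches_ca before linking catches a CRL issued by a different CA than the certificate whose hash names the link.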