
Re: CRL with OpenSSL



manu@netbsd.org (Emmanuel Dreyfus) writes:

> Christian Kratzer <ck-lists@cksoft.de> wrote:
>
>> it is standard openssl behavior to load certs from CERTHASH.0 and crls
>> from CERTHASH.r0
>
> I am glad it makes some sense. Is it documented anywhere?

See man c_rehash, for example.

>> You can generate the hash from a certificate using "openssl x509 hash"
>> 
>>      ck@pohjola: {112} openssl x509 -noout -hash -in CA.cert
>>      faf58a99
>>
>> You generally set a symlink from the hash to your certificate and crl using
>> 
>>      ln -s CA.cert `openssl x509 -noout -hash -in CA.cert`.0
>>      ln -s CA.crl  `openssl x509 -noout -hash -in CA.cert`.r0
>
> I fixed the second line to be a link to the CRL and not to the CA.
>
> It happily loads ${hash}.r0, it does not touch ${hash}.0, but it still
> looks for a nonexistent ${hash}.r1 file. What should be there?

Another cert or crl with the same hash.  See the man page.
-- 
Regards,
Feri.
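
Added example, not part of the original message and not OpenSSL's own code: shell functions that maintain the HASH.N / HASH.rN layout discussed in this thread, giving a second CRL with the same hash the next free suffix, and listing the names a lookup walks through until the first missing file (which is why ${hash}.r1 is probed). The function names are hypothetical; faf58a99 in the comments is the hash shown in the thread.

```shell
# Hypothetical helpers (added example). PREFIX is "" for certs, "r" for CRLs.

# next_slot DIR HASH PREFIX -> first unused name, e.g. faf58a99.r1
next_slot() {
    dir=$1 hash=$2 prefix=$3 n=0
    # -e follows symlinks; -L also counts dangling links as occupied
    while [ -e "$dir/$hash.$prefix$n" ] || [ -L "$dir/$hash.$prefix$n" ]; do
        n=$((n + 1))
    done
    printf '%s.%s%s\n' "$hash" "$prefix" "$n"
}

# link_hashed DIR FILE HASH PREFIX -> create the symlink, print its name
link_hashed() {
    dir=$1 file=$2 hash=$3 prefix=$4
    # Reuse an existing link to the same file instead of adding a duplicate
    for l in "$dir/$hash.$prefix"[0-9]*; do
        if [ -L "$l" ] && [ "$(readlink "$l")" = "$file" ]; then
            basename "$l"; return 0
        fi
    done
    name=$(next_slot "$dir" "$hash" "$prefix")
    ln -s "$file" "$dir/$name" && printf '%s\n' "$name"
}

# probe_order DIR HASH PREFIX -> names tried in order; the last line printed
# is the first missing file, where the search stops
probe_order() {
    dir=$1 hash=$2 prefix=$3 n=0
    while [ -e "$dir/$hash.$prefix$n" ]; do
        printf '%s.%s%s\n' "$hash" "$prefix" "$n"
        n=$((n + 1))
    done
    printf '%s.%s%s\n' "$hash" "$prefix" "$n"
}

# rehash_pair DIR CA.cert CA.crl -> link both using hashes from openssl.
# "openssl crl -hash" hashes the CRL's issuer name, so it matches the hash
# of the issuing CA certificate's subject.
rehash_pair() {
    link_hashed "$1" "$2" "$(openssl x509 -noout -hash -in "$1/$2")" ""
    link_hashed "$1" "$3" "$(openssl crl -noout -hash -in "$1/$3")" "r"
}
```
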