
Re: CRL with OpenSSL



Hi,

On Sun, 13 Apr 2014, Emmanuel Dreyfus wrote:
> <snipp/>
> Why the cryptic file names? And why do I need a second 0726b466.r1 file?
> Using TLS_CRLCHECK peer instead of TLS_CRLCHECK all does not
> change the behavior.
>
> And is OpenSSL CRL supposed to work? This is OpenLDAP 2.4.33

It is standard OpenSSL behavior to load certs from CERTHASH.0 and CRLs from CERTHASH.r0.

You can generate the hash from a certificate using "openssl x509 hash"

    ck@pohjola: {112} openssl x509 -noout -hash -in CA.cert
    faf58a99

You generally set a symlink from the hash to your certificate and CRL using

    ln -s CA.cert `openssl x509 -noout -hash -in CA.cert`.0
    ln -s CA.crl  `openssl x509 -noout -hash -in CA.cert`.r0


This logic is buried somewhere deep inside OpenSSL and is activated when
you configure the CA directory instead of explicit certs.

Greetings
Christian

--
Christian Kratzer                   CK Software GmbH
Email:   ck@cksoft.de               Wildberger Weg 24/2
Phone:   +49 7032 893 997 - 0       D-71126 Gaeufelden
Fax:     +49 7032 893 997 - 9       HRB 245288, Amtsgericht Stuttgart
Mobile:  +49 171 1947 843           Geschaeftsfuehrer: Christian Kratzer
Web:     http://www.cksoft.de/
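The hashed-directory layout Christian describes, worked through end to end as an added example; this is not code from the thread, from OpenLDAP or from OpenSSL's own tooling. The script builds a throwaway CA, issues and revokes one leaf certificate, publishes a CRL, installs the CA certificate as <subject-hash>.0 and the CRL as <issuer-hash>.r0 in a CApath directory (probing for the next free suffix, which is where a .1 or .r1 comes from when two objects share a hash), and then shows with "openssl verify" that CRL checking only bites once the .r0 link exists. Everything named in it ("Demo CA", "leaf", ca.cnf, the scratch directory) is constructed for the demonstration; it assumes only the openssl command-line tool, 1.0.0 or later.

```shell
#!/bin/sh
# Added example (not from the thread, not OpenSSL/OpenLDAP code): build an
# OpenSSL hashed CA directory (what TLS_CACERTDIR / -CApath point at) holding
# a CA certificate as <subject-hash>.0 and its CRL as <issuer-hash>.r0, then
# show the effect on "openssl verify -crl_check".  Needs the openssl CLI,
# 1.0.0 or later.  "Demo CA", "leaf", ca.cnf and the scratch directory are
# all constructed here for the demonstration.
set -eu

WORK=${WORK:-$(mktemp -d)}   # scratch directory, left in place for inspection

# Link a certificate or CRL into CApath under OpenSSL's name hash.
#   install_hashed DIR cert FILE  ->  DIR/<subject hash>.N
#   install_hashed DIR crl  FILE  ->  DIR/<issuer hash>.rN
# OpenSSL probes .0, .1, ... (.r0, .r1, ... for CRLs) until a name is
# missing, so N only exists to separate objects whose names hash alike.
install_hashed() {
    dir=$1 kind=$2 file=$3
    case $kind in
        cert) hash=$(openssl x509 -noout -subject_hash -in "$file"); suffix= ;;  # -hash is an alias
        crl)  hash=$(openssl crl  -noout -hash -in "$file");         suffix=r ;; # hash of the issuer name
        *)    echo "install_hashed: unknown kind '$kind'" >&2; return 2 ;;
    esac
    n=0
    while [ -e "$dir/$hash.$suffix$n" ]; do n=$((n + 1)); done
    ln -s "$(cd "$(dirname "$file")" && pwd)/$(basename "$file")" "$dir/$hash.$suffix$n"
    echo "$hash.$suffix$n"
}

# Run "openssl verify" and reduce the outcome to one word.  The exit status
# is deliberately not trusted (old releases returned 0 on failure); the
# error strings are stable across versions.
verify_status() {
    capath=$1 cert=$2 flags=${3:-}
    out=$(openssl verify -CApath "$capath" $flags "$cert" 2>&1 || true)
    case $out in
        *"certificate revoked"*)           echo REVOKED; return 1 ;;
        *"unable to get certificate CRL"*) echo NO_CRL;  return 1 ;;
        *": OK"*)                          echo OK;      return 0 ;;
        *)                                 echo FAIL;    return 1 ;;
    esac
}

# Throwaway PKI: self-signed CA, one leaf issued by it, leaf revoked, CRL issued.
make_demo_pki() (
    cd "$1"
    cat > ca.cnf <<'EOF'
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir              = .
database         = $dir/index.txt
new_certs_dir    = $dir
serial           = $dir/serial
crlnumber        = $dir/crlnumber
certificate      = $dir/ca.crt
private_key      = $dir/ca.key
default_md       = sha256
default_crl_days = 30
policy           = demo_policy
[ demo_policy ]
commonName = supplied
[ req ]
distinguished_name = req_dn
x509_extensions    = v3_ca
[ req_dn ]
[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    : > index.txt; echo 01 > serial; echo 01 > crlnumber
    openssl req -config ca.cnf -x509 -newkey rsa:2048 -nodes -keyout ca.key \
        -out ca.crt -subj '/CN=Demo CA' -days 30 2>/dev/null
    openssl req -config ca.cnf -new -newkey rsa:2048 -nodes -keyout leaf.key \
        -out leaf.csr -subj '/CN=leaf' 2>/dev/null
    openssl x509 -req -in leaf.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
        -out leaf.crt -days 30 2>/dev/null
    openssl ca -config ca.cnf -revoke leaf.crt 2>/dev/null
    openssl ca -config ca.cnf -gencrl -crldays 30 -out ca.crl 2>/dev/null
)

make_demo_pki "$WORK"
mkdir -p "$WORK/certs"
CERT_LINK=$(install_hashed "$WORK/certs" cert "$WORK/ca.crt")
# Only the CA is installed: the chain verifies, but -crl_check has no CRL to consult.
PLAIN=$(verify_status "$WORK/certs" "$WORK/leaf.crt" || true)
BEFORE=$(verify_status "$WORK/certs" "$WORK/leaf.crt" -crl_check || true)
CRL_LINK=$(install_hashed "$WORK/certs" crl "$WORK/ca.crl")
# Now the CRL is reachable as <hash>.r0 and the revoked leaf is rejected.
AFTER=$(verify_status "$WORK/certs" "$WORK/leaf.crt" -crl_check || true)

printf 'CApath %s: %s %s\n' "$WORK/certs" "$CERT_LINK" "$CRL_LINK"
printf 'no -crl_check: %s; -crl_check without .r0: %s; with .r0: %s\n' \
    "$PLAIN" "$BEFORE" "$AFTER"
```

The CRL link is made from the hash of the CRL's issuer name, which for a CRL issued by the CA is the same value as the CA certificate's subject hash, so the two links end up with the same CERTHASH prefix exactly as in the ln lines above. In practice the linking is what the c_rehash script (and, from OpenSSL 1.1.0, "openssl rehash") does for a whole directory. Two caveats worth remembering: the hash algorithm changed in OpenSSL 1.0.0 (the old value is available as -subject_hash_old), so a directory built with one version does not work with the other, and a CRL that is not linked in at all does not make checking fail silently but produces "unable to get certificate CRL" once checking is actually enabled.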