
Re: CRL with OpenSSL


On Sun, 13 Apr 2014, Emmanuel Dreyfus wrote:
> Christian Kratzer <ck-lists@cksoft.de> wrote:
>
>> it is standard openssl behavior to load certs from CERTHASH.0 and crls
>> from CERTHASH.r0
>
> I am glad it makes some sense. Is it documented anywhere?

Probably somewhere in the openssl documentation.  I have been setting
up these symlinks for ages and can't remember where the reference is.

You can generate the hash from a certificate using "openssl x509 hash"

     ck@pohjola: {112} openssl x509 -noout -hash -in CA.cert

You generally set a symlink from the hash to your certificate and crl using

     ln -s CA.cert `openssl x509 -noout -hash -in CA.cert`.0
     ln -s CA.crl  `openssl x509 -noout -hash -in CA.cert`.r0

I fixed the second link to be a link to the CRL and not to the CA.

> It happily loads ${hash}.r0, it does not touch ${hash}.0, but it still

As you have explicitly configured your CA cert it does not need to look via hash.

It probably would when encountering a cert signed by a different CA than
the one you configured, but I am not 100% sure on the actual logic.

> looks for a nonexistent ${hash}.r1 file. What should be there?

Probably an update to the crl.  You would have to look up the openssl
docs to be sure.


Christian Kratzer                   CK Software GmbH
Email:   ck@cksoft.de               Wildberger Weg 24/2
Phone:   +49 7032 893 997 - 0       D-71126 Gaeufelden
Fax:     +49 7032 893 997 - 9       HRB 245288, Amtsgericht Stuttgart
Mobile:  +49 171 1947 843           Geschaeftsfuehrer: Christian Kratzer
Web:     http://www.cksoft.de/
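The hashed-directory layout discussed in this thread, as an added example that is not part of the original messages: the script builds a throw-away CA, issues one valid and one revoked certificate, publishes a CRL, links the CA certificate and the CRL into a directory as HASH.0 and HASH.r0 exactly as in the ln -s commands above, and then runs openssl verify -CApath ... -crl_check against that directory. Every file name, subject name and the ca.cnf contents are constructed for the example; it only needs the openssl command-line tool. On the ${hash}.r1 lookup seen in the question: OpenSSL's by-directory lookup tries the suffixes .r0, .r1, .r2, ... in turn and stops at the first one that does not exist, so a probe for .r1 after .r0 was loaded is normal and not a sign of a missing file.

```shell
#!/bin/sh
# Added example, not from the thread: build a CA directory in OpenSSL's
# hashed layout (HASH.0 = CA certificate, HASH.r0 = that CA's CRL) and
# verify certificates against it with CRL checking enabled.
# Requires the openssl command-line tool. All names below are constructed.
set -eu

# Create a throw-away CA under $1/ca, issue one valid and one revoked leaf
# certificate, publish a CRL, and link cert and CRL into $1/capath by hash.
setup_hashed_dir() {
    work=$1
    mkdir -p "$work/ca" "$work/capath"
    (
        cd "$work/ca"
        # Minimal configuration for 'openssl req' and 'openssl ca' (constructed).
        cat > ca.cnf <<'EOF'
[ ca ]
default_ca       = demo
[ demo ]
dir              = .
database         = index.txt
new_certs_dir    = .
serial           = serial
crlnumber        = crlnumber
certificate      = CA.cert
private_key      = CA.key
default_md       = sha256
default_days     = 365
default_crl_days = 30
policy           = any
[ any ]
commonName       = supplied
[ req ]
distinguished_name = dn
[ dn ]
EOF
        : > index.txt
        echo 01 > serial
        echo 01 > crlnumber

        # Self-signed CA, one leaf to keep valid, one leaf to revoke.
        openssl req -config ca.cnf -x509 -newkey rsa:2048 -nodes \
            -keyout CA.key -out CA.cert -days 365 -subj /CN=Demo-CA 2>/dev/null
        for name in leaf revoked; do
            openssl req -config ca.cnf -newkey rsa:2048 -nodes \
                -keyout "$name.key" -out "$name.csr" -subj "/CN=$name" 2>/dev/null
            openssl ca -config ca.cnf -batch -notext \
                -in "$name.csr" -out "$name.cert" >/dev/null 2>&1
        done
        openssl ca -config ca.cnf -revoke revoked.cert >/dev/null 2>&1
        openssl ca -config ca.cnf -gencrl -out CA.crl >/dev/null 2>&1

        # The lookup names OpenSSL uses in a -CApath directory:
        # <subject hash>.0 for the CA certificate, <subject hash>.r0 for its CRL.
        hash=$(openssl x509 -noout -hash -in CA.cert)
        ln -sf "$PWD/CA.cert" "$work/capath/$hash.0"
        ln -sf "$PWD/CA.crl"  "$work/capath/$hash.r0"
    )
}

# Verify certificate $2 against the hashed directory under $1 with CRL checking.
# Returns 0 when the chain builds and the leaf is not revoked, non-zero otherwise.
verify_with_crl() {
    openssl verify -CApath "$1/capath" -crl_check "$2"
}

main() {
    work=$(mktemp -d)
    setup_hashed_dir "$work"
    ls -l "$work/capath"
    verify_with_crl "$work" "$work/ca/leaf.cert" || echo "unexpected: leaf.cert rejected"
    verify_with_crl "$work" "$work/ca/revoked.cert" || echo "revoked.cert rejected as expected"
    rm -rf "$work"
}
main
```

The two ln -s lines are the only part that differs from the thread's commands: the links point at the CA certificate and at the CRL respectively, which is the correction made in the reply above. Without the .r0 link, openssl verify -crl_check fails for every certificate with "unable to get certificate CRL", not only for the revoked one, so a missing or wrongly targeted CRL link is noticed immediately. OpenSSL 1.1.0 and later can create the same links for a whole directory with openssl rehash (older releases ship the c_rehash script).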