Since nobody could help me, I continued my search on my own and found the following: http://tools.ietf.org/html/draft-ietf-pkix-ocdp-00

In chapter 3 you can find:

  ... Examples of CRL partition scopes are:

  (1) All of the certificates of a CA with serial numbers between 10,000 and 19,999 inclusive.

  ...

  The scope of a CRL is indicated within that CRL using the following CRL extension:

  cRLScope EXTENSION ::= {
      SYNTAX CRLScopeSyntax
      IDENTIFIED BY { <oid tbd> } }

  CRLScopeSyntax ::= SEQUENCE {
      serialNumberRange     [0] NumberRange OPTIONAL,
      subjectKeyIdRange     [1] NumberRange OPTIONAL,
      nameSubtrees          [2] GeneralNames OPTIONAL,
      notBeforeRange        [3] NotBeforeRange OPTIONAL,
      onlyContainsUserCerts [4] BOOLEAN DEFAULT FALSE,
      onlyContainsCACerts   [5] BOOLEAN DEFAULT FALSE,
      onlySomeReasons       [6] ReasonFlags OPTIONAL,
      indirectCRL           [7] BOOLEAN DEFAULT FALSE }

  NumberRange ::= SEQUENCE {
      startingNumber INTEGER,
      endingNumber   INTEGER,
      modulus        INTEGER OPTIONAL }

  notBeforeRange ::= SEQUENCE {
      startingNotBeforeTime GeneralizedTime,
      endingNotBeforeTime   GeneralizedTime }

  ...

What I had in mind (in my initial post) is something like the serialNumberRange, but now I don't know how to handle it. Just copying the cRLScope into my CRL extension section doesn't work. Below you can see my openssl.cnf. When I try to create a CRL with the command "openssl ca -gencrl -out my.crl" I get the following error:

  error on line 87 of config file `/opt/myca/openssl.cnf`
  6434: error:0E066065:configuration file routines:CONF_load_bio:missing equal sign:conf_def.c:366:line 87

Here is my openssl.cnf, where I marked line 87:

  ################# I've added this, but I guess that I'll have to enter something here because this
  ########### section is quite empty ;-)
  oid_section = [ new_oids ]
  [ new_oids ]
  ################

  [ ca ]
  default_ca = myca

  [ myca ]
  dir             = /opt/myca                # Where everything is kept
  certificate     = $dir/cacert.pem          # The CA certificate
  database        = $dir/index.txt           # database index file.
  new_certs_dir   = $dir/certs               # default place for new certs.
  private_key     = $dir/private/cakey.pem   # The private key
  serial          = $dir/serial              # The current serial number
  crlnumber       = $dir/crlnumber
  default_crl_hours = 1                      # how long before next CRL
  default_days    = 365                      # how long to certify for
  default_md      = md5                      # which md to use.
  policy          = myca_policy
  x509_extensions = certificate_extensions
  # copy_extensions = copy
  crl_extensions  = crl_ext

  [ myca_policy ]
  commonName             = supplied
  stateOrProvinceName    = supplied
  countryName            = supplied
  emailAddress           = optional
  organizationName       = supplied
  organizationalUnitName = optional

  [ certificate_extensions ]
  basicConstraints      = CA:false
  crlDistributionPoints = URI:http://192.168.0.2/my.crl

  [ req ]
  default_bits       = 2048
  default_keyfile    = /opt/myca/private/cakey.pem
  default_md         = md5
  prompt             = no
  distinguished_name = root_ca_distinguished_name
  x509_extensions    = root_ca_extensions

  [ crl_ext ]
  ############################################## and I've added this section
  cRLScope EXTENSION ::= {                 ## line 87
      SYNTAX CRLScopeSyntax
      IDENTIFIED BY { <oid tbd> } }

  CRLScopeSyntax ::= SEQUENCE {
      serialNumberRange     [0] NumberRange OPTIONAL,
      subjectKeyIdRange     [1] NumberRange OPTIONAL,
      nameSubtrees          [2] GeneralNames OPTIONAL,
      notBeforeRange        [3] NotBeforeRange OPTIONAL,
      onlyContainsUserCerts [4] BOOLEAN DEFAULT FALSE,
      onlyContainsCACerts   [5] BOOLEAN DEFAULT FALSE,
      onlySomeReasons       [6] ReasonFlags OPTIONAL,
      indirectCRL           [7] BOOLEAN DEFAULT FALSE }

  NumberRange ::= SEQUENCE {
      startingNumber INTEGER,
      endingNumber   INTEGER,
      modulus        INTEGER OPTIONAL }

  notBeforeRange ::= SEQUENCE {
      startingNotBeforeTime GeneralizedTime,
      endingNotBeforeTime   GeneralizedTime }
  ################################################

  [ root_ca_distinguished_name ]
  commonName          = my CA
  stateOrProvinceName = some state
  countryName         = US
  organizationName    = some organization

  [ root_ca_extensions ]
  basicConstraints = CA:true

Thank you for reading my post. I hope that somebody can help me to include the cRLScope stuff, or help me with some other solution.
best regards
domi

--
View this message in context: http://www.nabble.com/Question-about-Partitioned-CRLs--how-to-split-a-CRL--tf3419056.html#a9549707
Sent from the OpenSSL - User mailing list archive at Nabble.com.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
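The following is an added example, not part of domi's post and not OpenSSL code: it models the serialNumberRange / NumberRange part of the cRLScope syntax quoted from the draft, DER-encodes a NumberRange SEQUENCE (so the value can be fed to a tool as a raw extension rather than pasted as ASN.1 text into openssl.cnf, which is what the "missing equal sign" error is complaining about), and shows the relying-party side of partitioning: picking the single partition CRL that covers a given certificate serial. The names (`NumberRange`, `select_partition`, `PARTITIONS`) are mine, and the treatment of `modulus` (serial reduced modulo `modulus` before the range check) is an assumption about the draft's semantics.

```python
from dataclasses import dataclass
from typing import List, Optional


def der_length(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_integer(value: int) -> bytes:
    """DER INTEGER (tag 0x02) with minimal two's-complement content octets."""
    if value < 0:
        raise ValueError("serial numbers and moduli are non-negative")
    content = value.to_bytes(max(1, (value.bit_length() + 8) // 8), "big")
    return b"\x02" + der_length(len(content)) + content


@dataclass(frozen=True)
class NumberRange:
    """NumberRange ::= SEQUENCE { startingNumber, endingNumber, modulus OPTIONAL }"""
    starting_number: int
    ending_number: int
    modulus: Optional[int] = None

    def covers(self, serial: int) -> bool:
        """Inclusive range check; assumption: modulus reduces the serial first."""
        n = serial % self.modulus if self.modulus is not None else serial
        return self.starting_number <= n <= self.ending_number

    def to_der(self) -> bytes:
        body = der_integer(self.starting_number) + der_integer(self.ending_number)
        if self.modulus is not None:
            body += der_integer(self.modulus)
        return b"\x30" + der_length(len(body)) + body   # SEQUENCE tag 0x30


def select_partition(serial: int, partitions: List[NumberRange]) -> Optional[NumberRange]:
    """Return the one partition whose CRL a relying party must fetch for `serial`.

    None means no partition covers it; overlapping partitions are an error,
    because a certificate must be listed in exactly one partition CRL.
    """
    hits = [p for p in partitions if p.covers(serial)]
    if len(hits) > 1:
        raise ValueError(f"serial {serial} is covered by overlapping partitions {hits}")
    return hits[0] if hits else None


# Constructed sample: the draft's example partition (10,000..19,999) plus neighbours.
PARTITIONS = [NumberRange(0, 9_999), NumberRange(10_000, 19_999), NumberRange(20_000, 29_999)]
```

Running `select_partition(12_345, PARTITIONS)` yields the 10,000..19,999 partition, and `NumberRange(10_000, 19_999).to_der().hex()` gives `30080202271002024e1f`, which is the byte form of that draft example.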