Sorry, just found out the script did not play nice with CAcert. Now using curl, which works correctly with SubjectAltName.
Regards, Joost -- Joost Cassee http://joost.cassee.net
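#!/bin/sh
#
# Get all HTTP-accessible CRLs from CA certificates
#
# Copyright (C) 2007 Joost Cassee
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# The full license can be found at http://www.gnu.org/licenses/gpl.txt
#
# For every *.pem certificate in CRTDIR, read the CRL Distribution Points
# extension, download the CRL it names, store it in PEM form as
# CRLDIR/<certificate file name>, and finally run c_rehash on CRLDIR.
#
# NOTE(review): a downloaded CRL is only parsed, never authenticated. CRL
# URLs are usually plain HTTP, so the transport gives no integrity, and
# nothing here checks that the CRL is signed by the certificate's issuer or
# that it is still current. A deployment that relies on these files should
# verify the signature against the issuing CA (openssl crl has a -CApath
# option for this) before installing them; confirm how the installed openssl
# reports a verification failure, because this script only looks at exit
# codes.

CRTDIR=/etc/ssl/certs
CRLDIR=/var/lib/ssl/crl

set -e

cd "$CRTDIR"

for crt in *.pem; do
  # An unmatched glob stays literal; skip it instead of handing it to openssl.
  [ -e "$crt" ] || continue

  # NOTE(review): the extraction assumes the URI line directly follows the
  # extension header. Newer OpenSSL releases may print a "Full Name:" line in
  # between, in which case nothing is found; verify against the installed
  # version.
  openssl x509 -noout -text -in "$crt" |
    grep -A 1 '^ *X509v3 CRL Distribution Points: *$' |
    tail -n 1 |
    grep '^ *URI:' |
    cut -d: -f2- |
    while read -r url; do
      crlfile=$CRLDIR/$crt
      tmpfile=$crlfile.tmp

      # The URL comes out of the certificate, so it is passed as one quoted
      # --url value and curl is limited to http/https: the script is meant
      # for HTTP-accessible CRLs, and file:// or other schemes must not be
      # followed. -f turns an HTTP error page into a failure instead of a
      # bogus download. A failed fetch skips this certificate rather than
      # aborting the whole run under set -e.
      if ! curl -s -f --proto '=http,https' --capath "$CRTDIR" \
        -o "$tmpfile" --url "$url" 2>&1; then
        rm -f -- "$tmpfile"
        echo "CRL for $crt could not be downloaded" >&2
        continue
      fi

      if openssl crl -noout -inform DER -in "$tmpfile" 2>/dev/null; then
        # DER on the wire: convert to PEM for the CRL directory.
        openssl crl -inform DER -outform PEM -in "$tmpfile" -out "$crlfile"
        rm -f -- "$tmpfile"
        echo "CRL for $crt found"
      elif openssl crl -noout -in "$tmpfile" 2>/dev/null; then
        # Already PEM: install as is.
        mv -- "$tmpfile" "$crlfile"
        echo "CRL for $crt found"
      else
        # Not parseable as a CRL; any previously installed CRL is left alone.
        rm -f -- "$tmpfile"
        echo "CRL for $crt in unknown format, removed"
      fi
    done
done

# c_rehash's stdout is discarded and its stderr is filtered for WARNING
# lines. grep exits 1 when nothing survives the filter, which is the normal
# case, so only a real grep error (status above 1) may fail the script.
c_rehash "$CRLDIR" 2>&1 >/dev/null | { grep -v '^WARNING: ' >&2 || [ $? -eq 1 ]; }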