Hi Phil,

openssl is able to read the CRL, output as follows (I changed the URL/LDAP information):

Certificate Revocation List (CRL):
        Version 2 (0x1)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: /DC=tld/DC=domain/CN=test
        Last Update: Mar  5 14:08:35 2011 GMT
        Next Update: Mar 13 02:28:35 2011 GMT
        CRL extensions:
            X509v3 Authority Key Identifier:
                keyid:37:F6:0A:2D:71:71:DF:5B:F5:DB:90:FF:E4:4B:82:78:89:CB:E4:70

            1.3.6.1.4.1.311.21.1:
                ...
            X509v3 CRL Number:
                20
            1.3.6.1.4.1.311.21.4:
110312141835Z   .
            2.5.29.46:
                0..0...........ldap:///blah,blah,blah
            1.3.6.1.4.1.311.21.14:
                0..0...........ldap:///blah,blah,blah
            X509v3 Issuing Distrubution Point: critical
                0-.+.).'http://domain.test/CA.crl
Revoked Certificates:
    Serial Number: 3459AE3300000000001D
        Revocation Date: Mar  5 14:18:00 2011 GMT
    Serial Number: 33C46D66000000000014
        Revocation Date: Mar  5 13:57:00 2011 GMT
    Serial Number: 131C3587000000000008
        Revocation Date: Feb 16 07:24:00 2011 GMT
    Serial Number: 130CDC92000000000006
        Revocation Date: Feb 16 07:24:00 2011 GMT
    Signature Algorithm: sha256WithRSAEncryption
        5f:b6:ab:6e:30:cd:47:c2:97:e5:e9:3b:bc:c9:8e:76:22:74:
        ee:95:c5:1e:54:ed:a6:67:c7:a5:e1:90:d5...


At least this seems to work...

I forgot one thing: I think it *worked* during my first try. The error started when I downloaded the CRL for a second (third, fourth....) time.


On 08.03.2011 14:06, Phil Mayers wrote:
On 08/03/11 13:01, Rudolph Bott wrote:

Tue Mar 8 13:09:48 2011 : Error: --> verify error:num=36:unhandled
critical CRL extension

This comes out of OpenSSL. OpenSSL can't parse your CRL.

You may need a newer version of OpenSSL; what does:

openssl crl -text -noout -in <thefile.pem> -inform pem

...say?
-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html

--
Mit freundlichen Grüßen/With Kind Regards
  Rudolph Bott
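
Added example, not part of the original mails: OpenSSL's verify error 36 is X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION, and in the dump above the only extension flagged critical is the Issuing Distribution Point. The sketch below filters `openssl crl -text` output for extensions marked critical; the function names and the embedded sample (cut down from the dump above) are constructed for illustration.

```shell
#!/bin/sh
# Added example: list the CRL extensions that `openssl crl -text` marks critical.
# Function names are hypothetical; the sample is constructed from the dump above.

sample_dump() {
cat <<'EOF'
Certificate Revocation List (CRL):
        Version 2 (0x1)
        Issuer: /DC=tld/DC=domain/CN=test
        CRL extensions:
            X509v3 Authority Key Identifier:
                keyid:37:F6:0A:2D:71:71:DF:5B:F5:DB:90:FF:E4:4B:82:78:89:CB:E4:70

            X509v3 CRL Number:
                20
            2.5.29.46:
                0..0...........ldap:///blah,blah,blah
            X509v3 Issuing Distrubution Point: critical
                0-.+.).'http://domain.test/CA.crl
Revoked Certificates:
    Serial Number: 3459AE3300000000001D
        Revocation Date: Mar  5 14:18:00 2011 GMT
EOF
}

# Reads an `openssl crl -text` dump on stdin and prints the name (or raw OID)
# of every extension whose header line ends in "critical".
critical_crl_exts() {
    awk '
        /^[ \t]*CRL extensions:/ { in_ext = 1; next }
        # The extension section ends where the revocation list starts.
        /^(Revoked Certificates:|No Revoked Certificates)/ { in_ext = 0 }
        in_ext && /:[ \t]*critical[ \t]*$/ {
            sub(/^[ \t]+/, "")
            sub(/:[ \t]*critical[ \t]*$/, "")
            print
        }
    '
}

# Runs the same openssl command quoted in the thread on a PEM file ($1)
# and reports the critical extensions found in it.
critical_exts_in_file() {
    openssl crl -text -noout -in "$1" -inform pem | critical_crl_exts
}
```

Any name this prints is an extension the verifying OpenSSL build must be able to process; a raw OID in the list means that build has no name for it.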