Michael Bell wrote:



> > ........Then I (CA) can manually move this certificate from the "validcerts" directory
> > to the "revoked" directory.
>
> Only moving is not enough. You can see which OpenSSL command is used to
> revoke a certificate in OpenCA::OpenSSL's sub revoke.
>
> > ..................................................
> > how can I, from the PEM or DER certificates just revoked, get a cacrl.crl file,
> > containing the revoked certificates, to be importable by Netscape ?
> > I don't know how to manually build the DER format of this file, importable by browser.
> > Are there any pieces of code, anywhere in the new version, useful for this goal ?
>
> Here you can have a look into OpenCA::OpenSSL again. The function is
> issueCRL.
> ...................
> Hope this helps
>
> Michael

Thanks, I'm just beginning to understand, but I still have some doubts.
I'll try to explain:

I have to build the functions for:

1) revoking a certificate
2) issuing a CRL.

because the existing relative functions in 0.8.0 interact with DBmodule,
while I have to interact with simple directories.
So I basically need to understand :

1) what's the real return of the command "openssl ca -revoke $filename ....";
2) this is a description of "sub issueCrl()", taken from OpenCA-OpenSSL-0.8.0a/OpenSSL.pm:


           sub issueCrl () - Issue a CRL.

        This function is used to issue a CRL. Accepted parameters
        are:

                CAKEY   - CA private key file;
                CACERT  - CA certificate file;
                PASSWD  - Password to decrypt priv. CA key(*);
                DAYS    - Days the CRL will be valid for(*);
                EXTS    - Extentions to be added ( see the openssl.cnf
                          pages for more help on this )(*);
                EXTFILE - Extensions file to be used (*);
                OUTFILE - Output file(*);
                OUTFORM - Output format (PEM|DER|NET|TXT)(*);


   But really I expected , as one of the arguments, the just revoked certificate
   or the old revoked certificates to update the old CRL  :-(


I suppose I'm not very clear headed (see my questions as a proof :-) )
so I'll thank for every possible answer

cheers
marco
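
The following is an added example, not part of the original message and not OpenCA's code. It shows with plain `openssl` why a CRL-issuing call takes no certificate argument: `openssl ca -revoke` only marks the entry in the CA's `index.txt` database, and `openssl ca -gencrl` builds the CRL from that database. It assumes the `openssl` command-line tool is installed; the throwaway CA, the file names and the subject names are all constructed.

```shell
# Added example: throwaway CA in a temp dir; every name below is constructed.
revoke_and_issue_crl() {
    d=$(mktemp -d) || return 1
    (
        cd "$d" || exit 1
        exec 2>openssl.log                 # keep openssl's messages out of the result
        mkdir newcerts && : > index.txt && echo 01 > serial && echo 01 > crlnumber || exit 1
        cat > ca.cnf <<'EOF'
[ ca ]
default_ca = demo
[ demo ]
dir = .
database = $dir/index.txt
new_certs_dir = $dir/newcerts
serial = $dir/serial
crlnumber = $dir/crlnumber
certificate = $dir/ca.pem
private_key = $dir/ca.key
default_md = sha256
default_days = 30
default_crl_days = 7
policy = pol
[ pol ]
commonName = supplied
[ req ]
distinguished_name = dn
[ dn ]
commonName = Common Name
EOF
        openssl req -config ca.cnf -x509 -newkey rsa:2048 -nodes -days 30 \
            -subj "/CN=Demo CA" -keyout ca.key -out ca.pem || exit 1
        openssl req -config ca.cnf -newkey rsa:2048 -nodes \
            -subj "/CN=user1" -keyout u.key -out u.csr || exit 1
        openssl ca -batch -config ca.cnf -notext -in u.csr -out u.pem || exit 1
        before=$(cut -c1 index.txt)        # "V": valid entry in the CA database
        # Revocation only rewrites the index.txt entry; no CRL exists yet.
        openssl ca -config ca.cnf -revoke u.pem || exit 1
        after=$(cut -c1 index.txt)         # "R": same entry, now marked revoked
        # -gencrl takes no certificate: it lists every "R" entry in index.txt.
        openssl ca -config ca.cnf -gencrl -out cacrl.pem || exit 1
        openssl crl -in cacrl.pem -outform DER -out cacrl.crl || exit 1
        serials=$(openssl crl -inform DER -in cacrl.crl -noout -text |
            sed -n 's/^ *Serial Number: //p')
        echo "$before $after $serials"     # expected: V R 01
    )
    rc=$?; rm -rf "$d"; return $rc
}
revoke_and_issue_crl
```

Because the CRL is derived from the database, moving a certificate file between directories changes nothing the CRL will reflect; the index entry is the record of revocation.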

