Hi, On Sun, 13 Apr 2014, Emmanuel Dreyfus wrote:
Christian Kratzer <[email protected]> wrote:it is standard openssl behavior to load certs from CERTHASH.0 and crls from CERTHASH.r0I am glad it makses some sense. Is it documented anywhere?
propably somewhere in the openssl documentation. I have been setting up these symlinks for ages and can't remember where the reference is.
You can generate the hash from a certificate using "openssl x509 hash" ck@pohjola: {112} openssl x509 -noout -hash -in CA.cert faf58a99 You generally set a symlink from the hash to your certificate and crl using ln -s CA.cert `openssl x509 -noout -hash -in CA.cert`.0 ln -s CA.crl `openssl x509 -noout -hash -in CA.cert`.r0I fixed the second like to be a link to the CRL and not to the CA. It happily loads ${hash}.r0, it does not touch ${hash}.0, but it still
As you have explicitly configured you CA cert it does not need to look via hash. It propably would when encountering a cert signed by a different CA than the one you configured but I am not that 100% on the actual logic.
looks for an inexistant ${hash}.r1 file. What should be there?
Propably an update to the crl. You would have to lookup the openssl docs to be sure. Greetings Christian -- Christian Kratzer CK Software GmbH Email: [email protected] Wildberger Weg 24/2 Phone: +49 7032 893 997 - 0 D-71126 Gaeufelden Fax: +49 7032 893 997 - 9 HRB 245288, Amtsgericht Stuttgart Mobile: +49 171 1947 843 Geschaeftsfuehrer: Christian Kratzer Web: http://www.cksoft.de/
