Pete Brett wrote:
>
> On Fri, 26 Mar 1999 20:57:16 +0100, you wrote:
>
> The index.txt file is made up of a series of lines (one per
> certificate issued). Each line contains the following fields:
>
> 1. Certificate state: This is a single character with 'V' for valid,
> 'E' for expired and 'R' for revoked.
>
> 2. Expiry date time string. I can not remember the exact format, but
> it should be fairly easy to work out.
>
> 3. Revocation date (same format as above)
>
> 4. index number (a unique identifier for a certificate for a given CA)
>
> There are some more fields which are not important to this exercise.
> All fields are separated by tab characters (spaces will not make a
> good substitute).
>
> To revoke a certificate, find its entry in index.txt. The index number
> is the most reliable search field, although for small CAs, the CN may
> be more intuitive. Change the first field from a V to an R (revoked)
> and change the third field (which will presently be empty... note two
> tab characters after the expiry date - the revocation date goes
> between these) to the date time string when you want the cert to be
> revoked.
>
> The next step is to regenerate the CRL. I have forgotten the syntax,
> but if you have already generated one, this should not be a problem,
> and redistribute the CRL to all users. The revoked entry in the index
> file should not be removed until after the certificate expiry date.
>
> Hope this helps,
> Pete
Thanks very much. I was able to find the format of the CRL date/time.
I think the format is:
YYMMDDhhmmssZ
where:
YY = 2-digit year ( why 2 digits ?? )
MM = 2-digit month
DD = 2-digit day of the month
hh = 2-digit hour
mm = 2-digit minutes
ss = 2-digit seconds
Z = ??? ( perhaps something regarding GMT ??? I don't know )
So a revoked certificate has the following format:
R 000325001805Z 000325150908Z 0D unknown /C=IT/O=OpenCA Organization/OU=OpenCA Developer/CN=Massimiliano [EMAIL PROTECTED]
where the second date is the Revocation Date. Now for anyone who wants to know how
to issue a CRL, simply follow:
$ ssleay ca -gencrl >$crl_file
To view the CRL, use:
$ ssleay crl -outform TXT <$crl_file
To import a CRL into Netscape, it should be enough to do the following:
$ ssleay crl -in crl.pem -outform DER -out crl.der
now send the content to Netscape with the header:
Content-Type: application/x-pkcs7-crl
Ok, I think this is all about CRL. If it is all ok, I suggest including this
(or a better written one) document in the distribution.
See ya,
Massimiliano Pala ([EMAIL PROTECTED])
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
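The index.txt layout described in the thread (state, expiry, revocation date, serial, further fields, all tab-separated) and the YYMMDDhhmmssZ date format are simple enough to handle with a small script. The following is an added example, not code from the thread, from OpenSSL or from OpenCA: it parses entries, and performs the revocation edit Pete describes (V to R, revocation date into the empty third field) in code instead of by hand, refusing to revoke an entry twice. The 'Z' suffix is the UTC designator of ASN.1 UTCTime, which is why these strings carry no timezone offset; the two-digit year is also inherited from UTCTime. The sample index content below is constructed for illustration.

```python
"""Parse and update OpenSSL-style index.txt entries.

Added example, not the thread's or OpenSSL's own code. Field layout follows
the description in the thread: state, expiry, revocation date, serial, then
further fields, separated by tab characters only.
"""
from dataclasses import dataclass, replace
from datetime import datetime, timezone
from typing import List, Optional

# ASN.1 UTCTime as written in index.txt: YYMMDDhhmmssZ, 'Z' meaning UTC.
UTCTIME_FMT = "%y%m%d%H%M%SZ"

# Constructed sample index: one valid cert (serial 0D), one already revoked (0C).
SAMPLE_INDEX = (
    "V\t000325001805Z\t\t0D\tunknown\t/C=IT/O=Example CA/OU=Dev/CN=alice\n"
    "R\t000101000000Z\t991231120000Z\t0C\tunknown\t/C=IT/O=Example CA/OU=Dev/CN=bob\n"
)


def parse_utctime(s: str) -> datetime:
    """Parse YYMMDDhhmmssZ into an aware UTC datetime (strptime maps 00 -> 2000)."""
    if len(s) != 13 or not s.endswith("Z"):
        raise ValueError(f"bad UTCTime {s!r}")
    return datetime.strptime(s, UTCTIME_FMT).replace(tzinfo=timezone.utc)


def format_utctime(dt: datetime) -> str:
    """Render an aware datetime back into YYMMDDhhmmssZ (converted to UTC first)."""
    return dt.astimezone(timezone.utc).strftime(UTCTIME_FMT)


@dataclass(frozen=True)
class IndexEntry:
    state: str                  # 'V' valid, 'E' expired, 'R' revoked
    expiry: datetime
    revoked: Optional[datetime]  # None while the third field is empty
    serial: str
    rest: List[str]             # remaining fields, carried through verbatim

    @classmethod
    def from_line(cls, line: str) -> "IndexEntry":
        fields = line.rstrip("\n").split("\t")  # tabs only; spaces would not do
        if len(fields) < 4:
            raise ValueError("index.txt line needs at least 4 tab-separated fields")
        state, exp, rev, serial, *rest = fields
        if state not in ("V", "E", "R"):
            raise ValueError(f"unknown certificate state {state!r}")
        if state == "R" and not rev:
            raise ValueError(f"serial {serial} is marked revoked but has no revocation date")
        return cls(state, parse_utctime(exp), parse_utctime(rev) if rev else None, serial, rest)

    def to_line(self) -> str:
        rev = format_utctime(self.revoked) if self.revoked else ""
        return "\t".join([self.state, format_utctime(self.expiry), rev, self.serial, *self.rest])


def revoke(entry: IndexEntry, when: datetime) -> IndexEntry:
    """Return the entry with state R and the revocation date filled in."""
    if entry.state == "R":
        raise ValueError(f"serial {entry.serial} is already revoked")
    return replace(entry, state="R", revoked=when)


def revoke_in_index(index_text: str, serial: str, when: datetime) -> str:
    """Rewrite the whole index, revoking the entry with the given serial."""
    out, found = [], False
    for line in index_text.splitlines():
        entry = IndexEntry.from_line(line)
        if entry.serial == serial:
            entry, found = revoke(entry, when), True
        out.append(entry.to_line())
    if not found:
        raise KeyError(f"serial {serial} not in index")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(revoke_in_index(SAMPLE_INDEX, "0D", parse_utctime("000325150908Z")), end="")
```

After updating the index this way the CRL still has to be regenerated and redistributed, as the thread says; the script only performs the bookkeeping edit, and keeps already-revoked entries in place rather than dropping them.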