The openssl ca command has a switch -create_serial. This switch allows the
creation of a serial number file for certificates. I think the same option
would also be useful for the creation of a CRL number file.

Furthermore, if CRL numbers are used then, similarly to certificates, it seems useful to me to keep all CRLs in the CRL directory (which can already be configured).

Enclosed please find a patch against 0.9.8b.

TIA for considering this.
Peter
--- openssl-0.9.8b/apps/ca.c	2005-09-30 18:47:15.000000000 +0200
+++ ps/ca.c	2006-06-14 11:58:44.541224000 +0200
@@ -824,14 +824,14 @@ bad:
 
 	/*****************************************************************/
 	/* lookup where to write new certificates */
-	if ((outdir == NULL) && (req))
+	if ((outdir == NULL) && (req || gencrl))
 		{
 		struct stat sb;
 
-		if ((outdir=NCONF_get_string(conf,section,ENV_NEW_CERTS_DIR))
+		if ((outdir=NCONF_get_string(conf,section,gencrl?ENV_CRL_DIR:ENV_NEW_CERTS_DIR))
 			== NULL)
 			{
-			BIO_printf(bio_err,"there needs to be defined a directory for new certificate to be placed in\n");
+			BIO_printf(bio_err,"there needs to be defined a directory for new %s to be placed in\n",gencrl?"certificate":"CRL");
 			goto err;
 			}
 #ifndef OPENSSL_SYS_VMS
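Review bot: The new error message has its two alternatives swapped: `gencrl?"certificate":"CRL"` prints "certificate" exactly when the CRL directory lookup failed, so an operator who forgot `crl_dir` is told to define a certificate directory. It should read `gencrl?"CRL":"certificate"`, matching the `gencrl?ENV_CRL_DIR:ENV_NEW_CERTS_DIR` selection two lines above. Since the CRL branch now reuses `outdir`, the subsequent stat/directory check below this hunk applies to crl_dir as well, which is the intended effect but worth stating in the patch description. The enclosing block and main() continue outside the hunk.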
@@ -1252,7 +1252,7 @@ bad:
 				fgets(buf[0],10,stdin);
 				if ((buf[0][0] != 'y') && (buf[0][0] != 'Y'))
 					{
-					BIO_printf(bio_err,"CERTIFICATION CANCELED\n"); 
+					BIO_printf(bio_err,"CERTIFICATION CANCELLED\n"); 
 					ret=0;
 					goto err;
 					}
@@ -1360,7 +1360,7 @@ bad:
 
 		if ((crlnumberfile=NCONF_get_string(conf,section,ENV_CRLNUMBER))
 			!= NULL)
-			if ((crlnumber=load_serial(crlnumberfile,0,NULL)) == NULL)
+			if ((crlnumber=load_serial(crlnumberfile,create_ser,NULL)) == NULL)
 				{
 				BIO_printf(bio_err,"error while loading CRL number\n");
 				goto err;
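Review bot: Passing create_ser here means that a missing crlnumber file is silently replaced by a freshly created counter, yet the CRL number extension (RFC 5280 §5.2.3) must increase monotonically across every CRL the CA issues, so a mistyped or lost `crlnumber` path restarts numbering without any indication to the operator. load_serial's body is outside this patch, so how it seeds a created file is not visible here; if it seeds it the way certificate serials are seeded, nothing guarantees the new value exceeds the last CRL number already published. A short `if (verbose && create_ser) BIO_printf(bio_err,"creating CRL number file %s if missing\n",crlnumberfile);` before the call, or restricting creation to the case where the file is genuinely absent rather than merely unreadable, would make this auditable. The enclosing gencrl block continues outside the hunk.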
@@ -1448,7 +1448,7 @@ bad:
 				tmpser = BN_to_ASN1_INTEGER(crlnumber, NULL);
 				if (!tmpser) goto err;
 				X509_CRL_add1_ext_i2d(crl,NID_crl_number,tmpser,0,0);
-				ASN1_INTEGER_free(tmpser);
+				/* ASN1_INTEGER_free(tmpser); */
 				crl_v2 = 1;
 				if (!BN_add_word(crlnumber,1)) goto err;
 				}
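Review bot: Deferring the free of tmpser until after X509_CRL_sign leaks it on every error path in between: the `goto err` on the BN_add_word failure two lines above and the `goto err` after a failed X509_CRL_sign in the next hunk both exit without releasing it. Whether the later `if (tmpser)` can even see this variable depends on where it is declared, which the patch does not show; in 0.9.8b I believe tmpser is block-local to `if (crlnumber)`, in which case this will not compile unless the declaration is hoisted to function scope and initialised to NULL. Either keep `ASN1_INTEGER_free(tmpser);` here and copy the number bytes into a function-scope buffer for the file name, or hoist `ASN1_INTEGER *tmpser=NULL;` and free it in the `err:` cleanup next to crl so every exit path releases it. The enclosing `if (crlnumber)` block and main() continue outside the hunk.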
@@ -1465,6 +1465,57 @@ bad:
 
 		if (!X509_CRL_sign(crl,pkey,dgst)) goto err;
 
+		if (tmpser) {
+			int k;
+			char *n;
+			j=tmpser->length;
+			p=(const char *)tmpser->data;
+			if(strlen(outdir) >= (size_t)(j ? BSIZE-j*2-6 : BSIZE-8))
+				{
+				BIO_printf(bio_err,"CRL file name too long\n");
+				goto err;
+				}
+
+			strcpy(buf[2],outdir);
+
+#ifndef OPENSSL_SYS_VMS
+			BUF_strlcat(buf[2],"/",sizeof(buf[2]));
+#endif
+
+			n=(char *)&(buf[2][strlen(buf[2])]);
+			if (j > 0)
+				{
+				for (k=0; k<j; k++)
+					{
+					if (n >= &(buf[2][sizeof(buf[2])]))
+						break;
+					BIO_snprintf(n,
+						     &buf[2][0] + sizeof(buf[2]) - n,
+						     "%02X",(unsigned char)*(p++));
+					n+=2;
+					}
+				}
+			else
+				{
+				*(n++)='0';
+				*(n++)='0';
+				}
+			*(n++)='.'; *(n++)='c'; *(n++)='r'; *(n++)='l';
+			*n='\0';
+			if (verbose)
+				BIO_printf(bio_err,"writing %s\n",buf[2]);
+
+			if (BIO_write_filename(Cout,buf[2]) <= 0)
+				{
+				perror(buf[2]);
+				goto err;
+				}
+
+        PEM_write_bio_X509_CRL(Cout,crl);
+
+		ASN1_INTEGER_free(tmpser);
+		}
+
 		PEM_write_bio_X509_CRL(Sout,crl);
 
 		if (crlnumberfile != NULL)	/* Rename the crlnumber file */
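Review bot: The length guard `if(strlen(outdir) >= (size_t)(j ? BSIZE-j*2-6 : BSIZE-8))` stops protecting buf[2] once j*2+6 exceeds BSIZE: the expression goes negative, the cast to size_t turns it into a huge value, the test is never true, and after the inner loop breaks at the end of buf[2] the unconditional `*(n++)='.'; *(n++)='c'; *(n++)='r'; *(n++)='l'; *n='\0';` writes five bytes past the array. j is tmpser->length, i.e. the width of the counter read from the crlnumber file on disk, so a corrupted or oversized counter reaches this path; prefixing the test with `j < 0 || (size_t)j*2 + 8 > BSIZE ||` makes the overlong case take the existing "CRL file name too long" exit. The result of `PEM_write_bio_X509_CRL(Cout,crl)` is also discarded, so a short write into crl_dir goes unreported — `if (!PEM_write_bio_X509_CRL(Cout,crl)) goto err;` would surface it, and that line is also indented with spaces unlike the rest of the file. The enclosing gencrl block and main() continue outside the hunk.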
