Hello! If I revoke a certificate using the ca command and manually set the invalidity date with the -crl_compromise option, the revocation reason is automatically set to keyCompromise. If I try to override this behaviour by setting -crl_compromise and -crl_reason (to something else, like affiliationChanged), the invalidity date is simply ignored.
This is limiting the possibilities of the CRL generation, and is not required by the corresponding RFC 5280:

"The invalidity date is a non-critical CRL entry extension that provides the date on which it is known or suspected that the private key was compromised or that the certificate otherwise became invalid..." (see http://tools.ietf.org/html/rfc5280#section-5.3.2 )

I tested the scenario above under openssl 1.0.0c and openssl-fips 1.2, Linux 2.6.37-i586

regards
Mathias
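As an added illustration (not part of the original message and not OpenSSL code), the Python sketch below builds and parses one CRL entry's extensions to show that reasonCode and invalidityDate are separate extensions in RFC 5280, so an entry can carry affiliationChanged together with an invalidity date. The helper names and the date 20110101000000Z are constructed for the example, and only short-form DER lengths are handled.

```python
REASONS = {0: "unspecified", 1: "keyCompromise", 2: "cACompromise",
           3: "affiliationChanged", 4: "superseded", 5: "cessationOfOperation",
           6: "certificateHold", 8: "removeFromCRL", 9: "privilegeWithdrawn",
           10: "aACompromise"}
OID_REASON = bytes.fromhex("551d15")      # id-ce-cRLReasons, 2.5.29.21
OID_INVALIDITY = bytes.fromhex("551d18")  # id-ce-invalidityDate, 2.5.29.24

def tlv(tag, body):
    """Encode one DER element; short-form length only (body < 128 bytes)."""
    assert len(body) < 128, "long-form lengths are out of scope here"
    return bytes([tag, len(body)]) + body

def read_tlvs(data):
    """Yield (tag, value) for consecutive short-form DER elements."""
    pos = 0
    while pos < len(data):
        if pos + 2 > len(data) or data[pos + 1] >= 0x80:
            raise ValueError("truncated or long-form element")
        end = pos + 2 + data[pos + 1]
        if end > len(data):
            raise ValueError("element overruns buffer")
        yield data[pos], data[pos + 2:end]
        pos = end

def make_entry_extensions(reason_code, invalidity_date=None):
    """Build crlEntryExtensions: reasonCode plus optional invalidityDate."""
    exts = tlv(0x30, tlv(0x06, OID_REASON)
               + tlv(0x04, tlv(0x0A, bytes([reason_code]))))
    if invalidity_date is not None:
        exts += tlv(0x30, tlv(0x06, OID_INVALIDITY)
                    + tlv(0x04, tlv(0x18, invalidity_date.encode("ascii"))))
    return tlv(0x30, exts)

def entry_extensions(der):
    """Return the reason and invalidity date carried by one revoked entry."""
    out = {"reason": None, "invalidity_date": None}
    (tag, exts), = read_tlvs(der)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE OF Extension")
    for _, ext in read_tlvs(exts):
        fields = list(read_tlvs(ext))  # extnID, optional critical, extnValue
        oid = fields[0][1]
        (inner_tag, inner), = read_tlvs(fields[-1][1])
        if oid == OID_REASON and inner_tag == 0x0A:       # ENUMERATED
            out["reason"] = REASONS.get(int.from_bytes(inner, "big"), "unknown")
        elif oid == OID_INVALIDITY and inner_tag == 0x18:  # GeneralizedTime
            out["invalidity_date"] = inner.decode("ascii")
    return out

SAMPLE = make_entry_extensions(3, "20110101000000Z")  # constructed entry
```

Running `entry_extensions` over the revoked entries of a generated CRL shows whether the invalidity date survived alongside a reason other than keyCompromise.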
