Hi all,

The attached patch allows the use of -startdate and -enddate
parameters with the 'ca -gencrl' command for directly setting
lastUpdate and nextUpdate CRL fields. This is the first time that I
needed to modify OpenSSL source code, so while the patch is very
simple and works for me, I'd appreciate it if someone more
knowledgeable took a look at it.

The two date parameters are already available when signing certificate
requests, but CRL generation is limited to using -crldays and
-crlhours (and -crlsec in 1.0+) for indirectly setting the nextUpdate
field. The lastUpdate field is set to the current system time, which
isn't always the appropriate choice.

I'm trying to schedule CRLs for publication in the future. Changing
just the nextUpdate field seems to be insufficient. Firefox, for
instance, refuses to update the CRL when the new one uses the same
lastUpdate timestamp as the current CRL. The error message is:

The application cannot import the Certificate Revocation List (CRL).
New CRL is older than the current one.

This could be a bug in Firefox, but even so, I think it would be
useful to have more direct control over the validity period of the
generated CRLs.

- Max

Attachment: openssl-0.9.8-gencrl.patch
Description: Binary data

Attachment: openssl-1.0.1-gencrl.patch
Description: Binary data
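A worked example added here, not part of Max's patch or of OpenSSL, that models the two ways of arriving at a CRL's lastUpdate/nextUpdate pair described above (the existing -crldays/-crlhours/-crlsec derivation from the current time, and the explicit -startdate/-enddate form the patch proposes) and the acceptance rule implied by the quoted Firefox error. It assumes the date strings use the YYMMDDHHMMSSZ form that `ca -startdate` documents for certificates (the YYYYMMDDHHMMSSZ GeneralizedTime form is handled too, as an assumption); the "strictly newer lastUpdate" rule is inferred from the error message in the mail, and all timestamps are constructed for the example:

```python
"""Model of CRL validity-period handling around `openssl ca -gencrl`.

Added example, not project code. Times are constructed; the relying-party
rule is inferred from the Firefox message "New CRL is older than the
current one" quoted in the mail.
"""
import re
from datetime import datetime, timedelta, timezone

_UTC_RE = re.compile(r"^\d{12}Z$")   # ASN.1 UTCTime: YYMMDDHHMMSSZ
_GEN_RE = re.compile(r"^\d{14}Z$")   # ASN.1 GeneralizedTime: YYYYMMDDHHMMSSZ


def parse_asn1_time(s: str) -> datetime:
    """Parse the -startdate / -enddate style strings.

    UTCTime years use the RFC 5280 pivot: 50..99 -> 19xx, 00..49 -> 20xx.
    """
    if _GEN_RE.match(s):
        return datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)
    if _UTC_RE.match(s):
        yy = int(s[:2])
        century = 1900 if yy >= 50 else 2000
        full = f"{century + yy:04d}{s[2:]}"
        return datetime.strptime(full, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)
    raise ValueError(f"not an ASN.1 UTCTime/GeneralizedTime string: {s!r}")


def format_asn1_time(t: datetime) -> str:
    """GeneralizedTime form of `t`, usable as a -startdate/-enddate value."""
    return t.astimezone(timezone.utc).strftime("%Y%m%d%H%M%SZ")


def crl_period_indirect(now: datetime, crldays: int = 0, crlhours: int = 0, crlsec: int = 0):
    """Existing `ca -gencrl` behaviour as described in the mail:
    lastUpdate = current time, nextUpdate = now + the -crl* offsets."""
    if crldays == crlhours == crlsec == 0:
        raise ValueError("need at least one of -crldays, -crlhours, -crlsec")
    return now, now + timedelta(days=crldays, hours=crlhours, seconds=crlsec)


def crl_period_direct(startdate: str, enddate: str):
    """Behaviour the patch proposes: both fields set explicitly."""
    last_update, next_update = parse_asn1_time(startdate), parse_asn1_time(enddate)
    if next_update <= last_update:
        raise ValueError("nextUpdate must be after lastUpdate")
    return last_update, next_update


def replacement_accepted(current_last_update: datetime, new_last_update: datetime) -> bool:
    """Inferred relying-party rule: a replacement CRL must carry a strictly
    newer lastUpdate than the CRL already installed."""
    return new_last_update > current_last_update


def check_publication_schedule(current_last_update: datetime, new_last_update: datetime,
                               new_next_update: datetime, publish_at: datetime):
    """Problems a CA operator should catch before scheduling a pre-generated
    CRL for publication at `publish_at`. Returns an empty list when clean."""
    problems = []
    if not replacement_accepted(current_last_update, new_last_update):
        problems.append("lastUpdate not newer than current CRL (client will reject it)")
    if new_next_update <= new_last_update:
        problems.append("nextUpdate not after lastUpdate")
    if new_last_update > publish_at:
        problems.append("lastUpdate lies after publication time (CRL from the future)")
    if new_next_update <= publish_at:
        problems.append("CRL already stale at publication time")
    return problems


if __name__ == "__main__":
    # Constructed scenario: a CRL generated today, and one pre-generated for
    # publication a week later. Only the explicit -startdate/-enddate form lets
    # the future CRL carry a lastUpdate that clients will treat as newer.
    now = datetime(2013, 3, 5, 12, 0, 0, tzinfo=timezone.utc)
    cur_last, cur_next = crl_period_indirect(now, crldays=30)
    publish_at = now + timedelta(days=7)
    fut_last, fut_next = crl_period_direct(format_asn1_time(publish_at),
                                           format_asn1_time(publish_at + timedelta(days=30)))
    print("indirect, regenerated now:", check_publication_schedule(cur_last, *crl_period_indirect(now, crldays=37), publish_at))
    print("direct, scheduled:        ", check_publication_schedule(cur_last, fut_last, fut_next, publish_at))
```

The indirect form regenerated at the same moment reproduces the Firefox complaint (identical lastUpdate), while the explicit form passes all four checks.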