hello, Fred

easiest would be to insert the extension crlDistributionPoints=URI:http://your.server.com/your.crl in the section [usr_cert] of your working openssl.cnf. If you need ldap-URIs, create a subsection for the URIs.

Best regards,
Michael

On 2002-08-23 at 20:31, "Reimer, Fred" <[EMAIL PROTECTED]> wrote:

> Hello,
>
> I'm definitely a newbie here, but I'm attempting to use OpenSSL with
> FreeS/WAN to connect a Linux box up to a Check Point VPN-1 NG FP-2 firewall.
> I created a CA (on a separate box) and used the CA cert to create an "OPSEC
> PKI" CA server object in the firewall. Then I generated a request for the
> firewall and created a cert on the CA. I also created a separate request
> for the Linux box and signed this, so the Linux box has its key and cert in
> the /etc/ipsec.d directory and the firewall accepted the cert that was
> generated for it. The problem, it appears, is that the firewall doesn't know
> how to get a CRL for the CA, and apparently won't proceed without one. This
> is the error it gives when the Linux box sends its cert over the IKE
> session:
>
> 13:46:11 drop 1.1.1.1 >daemon src 2.2.2.2 dst 1.1.1.1 peer gateway
> 2.2.2.2scheme: IKE IKE: Main Mode No valid CRL.
> [EMAIL PROTECTED],CN=mack.ens.eclipsys.com,OU=IVNS,O=Eclip
> sys Corporation,ST=Georgia,C=US CookieI 3759eee447cec449 CookieR
> db05e82d36988563 methods: 3DES + MD5, RSA signatures community LinuxIntranet
> product VPN-1 & FireWall-1
> 13:46:11 keyinst 1.1.1.1 >daemon src 1.1.1.1 dst 2.2.2.2 peer gateway
> 2.2.2.2 scheme: IKE IKE: Main Mode Sent Notification: invalid certificate
> CookieI 3759eee447cec449 CookieR db05e82d36988563 community LinuxIntranet
> product VPN-1 & FireWall-1
>
> I edited the openssl.cnf file so that nsCaRevocationUrl points to the
> correct URL for the CRL, which I generated and can get with wget, for
> instance. After that I totally reconfigured everything, throwing away the
> whole directory structure for the CA, recreating a new CA and certificates,
> taking everything out of the firewall configuration and recreating a new CA
> with the new CA cert, replacing the keys on the Linux box, etc. It still
> gives that error, and I don't see the URL for the CRL in any certificates.
> So, how does one specify where to get the CRL for a particular CA from?
> Apparently this is something that Check Point requires before accepting any
> certs...
>
>
> Thanks for any assistance!
>
> - Fred
> ______________________________________________________________________
> OpenSSL Project http://www.openssl.org
> User Support Mailing List [EMAIL PROTECTED]
> Automated List Manager [EMAIL PROTECTED]
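The fix Michael describes, worked through as an added example that is not part of the original thread: a throwaway CA whose [usr_cert] section carries crlDistributionPoints, a check that the issued certificate really contains the URL (what Fred could not find), and the three outcomes a CRL-insisting verifier produces with no CRL, with a valid CRL, and after revocation. The section names (demo_ca, demo_policy, ca_ext), the subject names and the working directory are my own choices; the URL is the placeholder from the reply, and `openssl verify -crl_check` stands in for the Check Point gateway's check.

```shell
#!/bin/sh
# Added example, not from the thread: a throwaway CA whose issued certs carry
# crlDistributionPoints, checked with openssl verify -crl_check in place of the gateway.
CRL_URL="http://your.server.com/your.crl"   # placeholder URL from the reply
write_cnf() {  # $1 = working directory; writes a minimal openssl.cnf there
  cat > "$1/openssl.cnf" <<EOF
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir = $1
database = \$dir/index.txt
new_certs_dir = \$dir
certificate = \$dir/ca.crt
private_key = \$dir/ca.key
serial = \$dir/serial
default_md = sha256
policy = demo_policy
[ demo_policy ]
commonName = supplied
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ ca_ext ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[ usr_cert ]
basicConstraints = CA:FALSE
crlDistributionPoints = URI:$CRL_URL
EOF
}
demo_cdp() {  # prints the checks that behaved as expected, space separated
  W=$(mktemp -d); C="$W/openssl.cnf"; R=""; write_cnf "$W"
  : > "$W/index.txt"; echo 1000 > "$W/serial"
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$W/ca.key" -out "$W/ca.crt" -days 1 -subj /CN=DemoCA -config "$C" -extensions ca_ext 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -keyout "$W/gw.key" -out "$W/gw.csr" -subj /CN=gateway -config "$C" 2>/dev/null
  openssl ca -batch -config "$C" -days 1 -extensions usr_cert -in "$W/gw.csr" -out "$W/gw.crt" 2>/dev/null
  # the issued cert now carries the CRL location (what Fred could not find in his certs)
  openssl x509 -in "$W/gw.crt" -noout -text | grep -qF "URI:$CRL_URL" && R="$R cdp_present"
  # with no CRL available, a verifier that insists on one rejects the cert
  openssl verify -crl_check -CAfile "$W/ca.crt" "$W/gw.crt" >/dev/null 2>&1 || R="$R no_crl_rejected"
  # issue an (empty) CRL and the same check passes
  openssl ca -config "$C" -gencrl -crldays 1 -out "$W/ca.crl" 2>/dev/null
  openssl verify -crl_check -CAfile "$W/ca.crt" -CRLfile "$W/ca.crl" "$W/gw.crt" >/dev/null 2>&1 && R="$R crl_ok"
  # revoke the cert and reissue the CRL: the cert is rejected again
  openssl ca -config "$C" -revoke "$W/gw.crt" 2>/dev/null
  openssl ca -config "$C" -gencrl -crldays 1 -out "$W/ca.crl" 2>/dev/null
  openssl verify -crl_check -CAfile "$W/ca.crt" -CRLfile "$W/ca.crl" "$W/gw.crt" >/dev/null 2>&1 || R="$R revoked_rejected"
  rm -rf "$W"; echo "${R# }"
}
```

Running `demo_cdp` prints `cdp_present no_crl_rejected crl_ok revoked_rejected`; the verify steps read the CRL from a local file, so actually publishing ca.crl at the advertised URL (and keeping it fresh before nextUpdate) remains your job.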