Dr. Stephen Henson wrote:
On Wed, Apr 05, 2006, Holger Menzer wrote:

Hello,

is it possible to implement indirect Certificate Revocation Lists with OpenSSL? There is an entry in the man page to x509v3_config [1], saying it cannot currently be set or displayed... But maybe someone hacked it anyway (by using ASN.1 or DER, for example).

If it's possible, how can it be done?


You can create the things using OpenSSL 0.9.9-dev only. They are also
displayed correctly.

Correctly partitioning the CRLs is down to the user setting the config
correctly.

The config file format for that option isn't documented but it isn't hard
to work out. Just include the string "indirectCRL" and it will set the flag.

The OpenSSL verify code does not currently support them, it may well do in the
not too distant future.

Steve.

Sorry, OpenSSL doesn't want my configuration... In which context do I have to include "indirectCRL"? I tried it at nearly every place...

And is the cRLissuer extension supported?

Cheers,
Holger
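
Added example, not part of the thread and not OpenSSL code: the flag discussed above is the indirectCRL field of the issuingDistributionPoint CRL extension (RFC 5280), and since a verifier without indirect CRL support should not process such a CRL as an ordinary one, this sketch decodes the extension and reports its boolean flags. It assumes the input is the DER value of the extension; the function names and the sample bytes are constructed for illustration.

```python
# Added example: report the boolean flags of an RFC 5280 IssuingDistributionPoint value.
IDP_BOOL_TAGS = {
    0x81: "onlyContainsUserCerts",        # [1] IMPLICIT BOOLEAN
    0x82: "onlyContainsCACerts",          # [2]
    0x84: "indirectCRL",                  # [4]
    0x85: "onlyContainsAttributeCerts",   # [5]
}

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER TLV starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                     # long-form length
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("bad DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("TLV value runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length

def idp_flags(der):
    """Decode an IDP extension value; absent flags take DEFAULT FALSE."""
    tag, body, end = read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("not a single DER SEQUENCE")
    flags = {name: False for name in IDP_BOOL_TAGS.values()}
    pos = 0
    while pos < len(body):
        tag, value, pos = read_tlv(body, pos)
        if tag in IDP_BOOL_TAGS:
            if len(value) != 1:
                raise ValueError("BOOLEAN must be one byte")
            flags[IDP_BOOL_TAGS[tag]] = value != b"\x00"
    return flags

def tlv(tag, value):
    """Encode a short-form TLV (value < 128 bytes); used for sample data only."""
    assert len(value) < 128
    return bytes([tag, len(value)]) + value

# Constructed samples: the same distribution point with and without indirectCRL.
uri = tlv(0x86, b"http://example.com/ca.crl")    # GeneralName [6] URI
dp = tlv(0xA0, tlv(0xA0, uri))                   # distributionPoint [0], fullName [0]
SAMPLE_INDIRECT = tlv(0x30, dp + tlv(0x84, b"\xff"))
SAMPLE_DIRECT = tlv(0x30, dp)
```

A caller can refuse or route separately any CRL for which `idp_flags(...)["indirectCRL"]` is true when the verification code in use does not handle indirect CRLs.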
