Hi there:

One other thing to keep in mind is that the DN for the CRLDP *SHOULD* be
the same as that for the CA that signs the CRL. I believe this is a
"Best Practice", and not completely normative, but it is well enough
enshrined (USFBCA CP and all cross-certified CA's, Canadian Govn't,
etc.), that to be safe, if at all possible, you should follow this guidance.

To answer your question, a simple way to do this is to create an LDIF
file, which has:

# LDIF modify record for ldapmodify; the ;binary option is part of the attribute description
dn: <whatever you choose>
changetype: modify
replace: certificateRevocationList;binary
certificateRevocationList;binary:< file:///path/to/crl.der
-

and then run it through ldapmodify from the command line.

Oh - and the LDAP URL has to specify the ;binary as well...and the
objectclass should be pkiCA, not certificateRevocationList.

Have fun,

Patrick.
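As an added example (not Patrick's own code, nor anything from OpenLDAP or OpenSSL), the following Python builds the same modify record with the DER CRL inlined as base64 instead of a file:// URL, refuses a PEM or truncated CRL before it reaches ldapmodify, and forms the ;binary/pkiCA LDAP URL a client would use; the host name and DN are assumed placeholders.

```python
"""Build the LDIF record and LDAP URL for publishing a DER CRL, with a DER sanity check."""
import base64
from urllib.parse import quote


def der_outer_length(data: bytes):
    """Total length implied by the outer DER SEQUENCE header, or None when the
    data is not a well-formed SEQUENCE (for instance PEM text starting with '-----')."""
    if len(data) < 2 or data[0] != 0x30:
        return None
    first = data[1]
    if first < 0x80:                      # short form: one length byte
        return 2 + first
    n = first & 0x7F                      # long form: n length bytes follow
    if n == 0 or n > 4 or len(data) < 2 + n:
        return None
    return 2 + n + int.from_bytes(data[2:2 + n], "big")


def is_der_crl(data: bytes) -> bool:
    """True when data is exactly one complete DER SEQUENCE (what -outform DER yields)."""
    return der_outer_length(data) == len(data)


def crl_modify_ldif(dn: str, crl_der: bytes) -> str:
    """LDIF 'modify' record replacing certificateRevocationList;binary with the CRL,
    base64-encoded inline ('::', RFC 2849) and folded with single-space continuation lines."""
    if not is_der_crl(crl_der):
        raise ValueError("CRL must be DER (openssl crl -outform DER), not PEM or truncated")
    b64 = base64.b64encode(crl_der).decode("ascii")
    value = "\n ".join(b64[i:i + 76] for i in range(0, len(b64), 76))
    return (f"dn: {dn}\nchangetype: modify\nreplace: certificateRevocationList;binary\n"
            f"certificateRevocationList;binary:: {value}\n-\n")


def crl_ldap_url(host: str, dn: str) -> str:
    """LDAP URL (RFC 4516) pointing at the CRL entry: spaces in the DN are percent-encoded,
    the attribute keeps its ;binary option, scope is base, and the filter names pkiCA."""
    return (f"ldap://{host}/{quote(dn, safe='=,')}"
            "?certificateRevocationList;binary?base?(objectClass=pkiCA)")


if __name__ == "__main__":
    # Constructed stand-in for a CRL: SEQUENCE { INTEGER 5 }; a real CRL is much larger.
    sample_crl = bytes([0x30, 0x03, 0x02, 0x01, 0x05])
    print(crl_modify_ldif("cn=CDP,cn=Public Key Services,dc=yyy,dc=com", sample_crl))
    print(crl_ldap_url("ldap.yyy.com", "cn=CDP,cn=Public Key Services,dc=yyy,dc=com"))
```

Pipe the printed record into ldapmodify (for example `ldapmodify -x -D <binddn> -W`) to publish it.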

On 10/04/10 8:40 AM, Michael Ströder wrote:
> shake kvc wrote:
>>
>> I want to be able to store CRLs in the openldap repository so that I can 
>> retrieve them using a LDAP client.
>>
>> Basically, the client would be given a LDAP URL as follows:
>>
>> ldap://xxx.yyy.com/CN=Challenger(1),CN=xxx,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=yyy,DC=com?certificateRevocationList?base?objectclass=cRLDistributionPoint
>>
>> The client would then open a LDAP request and search for the CRL.
>>
>> So I guess my problem would be to be able to store the CRL in cn=CDP, which 
>> belongs to cn=Public Key Services, which is in cn=Services, which is in 
>> cn=Configuration, which is in dc=yyy,dc=com.
>>
>> I have already installed openldap and created a suffix "dc=xxx,dc=com".
>>
>> However, I didn't see any manual to install/publish the CRL there.
> 
> This is rather a LDAP-related question. You might want to ask on the
> l...@umich.edu or the openldap-technical mailing list. The only thing which is
> OpenSSL-specific is that the CRL has to be generated/converted with -outform 
> DER.
> 
> Ciao, Michael.
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    openssl-users@openssl.org
> Automated List Manager                           majord...@openssl.org
