Hi, thanks for your attention.

The CRLs all expire at the same time: every CRL has the same "nextUpdate" date and time, so all the CRLs are valid when I use them to validate the certificate. The situation is the one described as "real world": the CA manager has decided to generate several CRLs, all valid, all with the same nextUpdate attribute, and the download URL is like http://ca.domain.com/CRLn, where n is from 1 to 100. In the CRLs I have not seen a critical issuer distribution point extension.

Sorry, but I have not understood what the right way is to check whether the certificate is revoked in this case, and how I can configure OpenSSL to support multiple CRLs from the same issuer. Do I have to use one file for each CRL and N symbolic links, or one file with all the CRLs concatenated and only one symbolic link?

Thanks in advance,
M.M.
> Date: Mon, 14 Jun 2010 21:19:15 +0200
> From: st...@openssl.org
> To: openssl-users@openssl.org
> Subject: Re: openssl 1.0.0, multiple crls same issuer - revoked cert
>
> On Mon, Jun 14, 2010, Jakob Bohm wrote:
>
> > Note to list: I am aware of at least one public CA (TDC OCES) who (at least
> > planned to) split their CRL into smaller parts, each covering only
> > revocations for a range of certificate serial numbers. The certificates
> > themselves then contained/contain different CRL download URLs depending on
> > the serial number.
> >
> [snip]
> > * I don't know if this CA practice is fully standards compliant, but it
> > exists in the real world,
>
> As long as the appropriate extensions are included in the CRLs this is fine.
> The CRL for example would have a critical issuer distribution point extension.
> That way implementations that don't support IDP will reject the CRL due to
> an unhandled critical extension.
>
> Steve.
> --
> Dr Stephen N. Henson. OpenSSL project core developer.
> Commercial tech support now available see: http://www.openssl.org
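The two questions at the end of the message (how to lay out several CRLs from one issuer for OpenSSL, and how revocation is then checked when none of them carries an issuing distribution point) can be seen end to end with the script below. It is an added example, not code from the thread or from the OpenSSL project. It creates a throwaway CA, issues two certificates, revokes the first, and produces two time-valid CRLs signed by the same issuer from two separate `openssl ca` databases, as a stand-in for a CA that publishes its revocations in several parts. Every name in it (`ca.cnf`, `db1`, `db2`, `cert1.crt`, `crl1.pem`, `hashdir`, the common names, the serial ranges) is made up for the demo, and it assumes a POSIX shell and an OpenSSL command line with `verify -crl_check` (1.0.0 or later; the newest-CRL tie-break it exhibits is the behaviour of 1.1.1 and 3.x).

```shell
#!/bin/sh
# Added demo (not from the thread or the OpenSSL project): one issuer, several
# CRLs, an OpenSSL -CApath hash directory, and what `verify -crl_check` does.
# Everything below (CA, names, databases, serial ranges) is made up for the demo.
set -eu
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT; cd "$WORK"
quiet() { "$@" >/dev/null 2>&1; }

# Minimal configuration for `openssl req` and `openssl ca`. The CA database
# directory is selected per invocation through the CA_DB environment variable.
cat > ca.cnf <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions    = v3_ca
[ dn ]
commonName = Common Name
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage         = critical, keyCertSign, cRLSign
[ ca ]
default_ca = CA_default
[ CA_default ]
database         = $ENV::CA_DB/index.txt
serial           = $ENV::CA_DB/serial
new_certs_dir    = $ENV::CA_DB/newcerts
certificate      = ca.crt
private_key      = ca.key
default_md       = sha256
default_days     = 365
default_crl_days = 30
policy           = policy_any
[ policy_any ]
commonName = supplied
EOF

CA_DB=db1; export CA_DB        # default database; overridden with env(1) below

# Throwaway root CA: the single issuer of both certificates and both CRLs.
quiet openssl req -config ca.cnf -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=Split-CRL Demo CA" -keyout ca.key -out ca.crt

# Two independent `openssl ca` databases for that one issuer, with disjoint
# serial ranges: db1 tracks cert1 and db2 tracks cert2. This stands in for a
# CA that publishes its revocations in several partial CRLs.
for db in db1 db2; do mkdir -p "$db/newcerts"; : > "$db/index.txt"; done
echo 1000 > db1/serial; echo 2000 > db2/serial

issue() { # issue <db> <common name> <out.crt>
    quiet openssl req -config ca.cnf -newkey rsa:2048 -nodes \
        -subj "/CN=$2" -keyout "$3.key" -out "$3.csr"
    quiet env CA_DB="$1" openssl ca -config ca.cnf -batch -notext -in "$3.csr" -out "$3"
}
issue db1 cert-one cert1.crt
issue db2 cert-two cert2.crt

# Revoke cert1 in db1 and publish db1's CRL; a second later publish db2's CRL,
# which knows nothing about cert1. Same issuer, both time-valid, no IDP.
quiet env CA_DB=db1 openssl ca -config ca.cnf -revoke cert1.crt
quiet env CA_DB=db1 openssl ca -config ca.cnf -gencrl -out crl1.pem
sleep 1                                   # lastUpdate has one-second resolution
quiet env CA_DB=db2 openssl ca -config ca.cnf -gencrl -out crl2.pem

# -CApath layout as c_rehash builds it: CA cert as <hash>.0, each CRL as its
# own <hash>.rN with consecutive N. The directory lookup reads .r0, .r1, ...
# until a suffix is missing. (One PEM file holding all the CRLs would load them
# all too; separate links just make it easy to pull one part out below.)
mkdir hashdir
ln -s ../ca.crt "hashdir/$(openssl x509 -in ca.crt -noout -hash).0"
n=0
for crl in crl1.pem crl2.pem; do
    ln -s "../$crl" "hashdir/$(openssl crl -in "$crl" -noout -hash).r$n"
    n=$((n + 1))
done

crl_check_status() { # crl_check_status <capath> <cert> -> OK | REVOKED | FAIL
    out=$(openssl verify -crl_check -CApath "$1" "$2" 2>&1) && { echo OK; return 0; }
    case "$out" in *"certificate revoked"*) echo REVOKED ;; *) echo FAIL ;; esac
}

WITH_BOTH_CRLS=$(crl_check_status hashdir cert1.crt)      # revocation is in crl1 only
CERT2_STATUS=$(crl_check_status hashdir cert2.crt)
rm "hashdir/$(openssl crl -in crl2.pem -noout -hash).r1"  # drop the newer, empty part
WITH_CRL1_ONLY=$(crl_check_status hashdir cert1.crt)
echo "cert1, both CRLs installed: $WITH_BOTH_CRLS"
echo "cert1, crl1 only:           $WITH_CRL1_ONLY"
echo "cert2, both CRLs installed: $CERT2_STATUS"
```

Either file layout gets every CRL into the store: `X509_load_crl_file` reads all PEM CRLs in a file, and the hash-directory lookup keeps reading `<hash>.r0`, `<hash>.r1`, ... until a suffix is missing (a concatenated file can also be handed to `verify -CRLfile`). The layout is therefore not what decides the outcome. Once several CRLs from one issuer are loaded, the verifier has to choose one, and with no IDP to scope them it treats each as a complete CRL and, in recent releases, takes the one with the newest lastUpdate; a revocation that is only listed in another part is then missed. That is what the script shows: cert1 is revoked in crl1, but with crl2 also installed `verify -crl_check` reports cert1 as OK, and only after crl2 is removed is it reported revoked. With the critical IDP that Steve describes, each part names its own distribution point, OpenSSL ranks a CRL whose IDP matches the certificate's CRL distribution point above one that does not, and software without IDP support rejects the part outright instead of trusting it.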
