On Fri, Oct 01, 2010, Hasan Rezaul-CHR010 wrote:

> Thank You sooo much Kyle and Tomas,
> 
> Another question. I have a Linux machine that is running openssl 0.9.8g.
> It looks like it uses CRL Version 1 ?  Is this correct ?  Is there a way to
> force my openssl 0.9.8g to use CRL version 2  ???
> 
> In my network system, I have a Linux machine that has its own certificate,
> and we have an external EJBCA server that we use to revoke certificates and
> generate CRLs. The EJBCA supports CRLs per RFC 5280, which supposedly means
> that it supports X.509 version 2 CRLs ?
> 
> When we revoke the Linux machine's certificate on the EJBCA server,
> successfully download the CRL from the EJBCA server onto my Linux machine,
> {even though the serial number of the Linux machine's certificate appears in
> the downloaded CRL file}, my Linux machine doesn't seem to be affected by
> the CRL at all  :-(  I made sure the openssl.cnf  file points to the
> downloaded CRL file, and no effect whatsoever !
> 
> 
> Now, when I generate self-signed certificates on the Linux machine, and I
> also generate corresponding CRL using openssl commands, this method does
> seem to work, in the sense that the revoked certificate is no longer usable. 
> 
> I compared the CRLs in the self-signed case compared to the CRLs generated by
> the EJBCA.  The self-signed CRL was version 1, and the EJBCA generated CRL
> was version 2.
> 
> Is there any obvious reason why openssl 0.9.8g, which seems to run with CRL
> Version 1, doesn't seem to work with a downloaded CRL that happens to be
> version 2 CRL ?
> 
> Again, is there a way to force openssl 0.9.8g to work with version 2 CRLs ?
> 
> Please help. Thanks a bunch in advance...
> 

You don't say which piece of software you are trying to get to work with CRLs.

The openssl.cnf file is used to generate CRLs but not to actually use them.

OpenSSL should work fine with V2 CRLs.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
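
An added example, not part of the original thread and not OpenSSL project code: the reply notes that openssl.cnf governs generating CRLs rather than using them, so this script builds a throwaway CA, revokes a leaf, and shows the revoked certificate is only rejected when the verifying program asks for CRL checking and is handed the CRL. All file names, subject names and the `demo.cnf` contents are constructed for the demonstration.

```shell
#!/bin/sh
# Constructed demo: throwaway CA, one leaf certificate, one CRL (all names are made up).
crl_demo() (
    set -e
    d=$(mktemp -d); trap 'rm -rf "$d"' EXIT; cd "$d"
    mkdir newcerts; : > index.txt; echo 01 > serial; echo 01 > crlnumber
    cat > demo.cnf <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
[ dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
[ ca ]
default_ca = demo
[ demo ]
database = ./index.txt
new_certs_dir = ./newcerts
serial = ./serial
crlnumber = ./crlnumber
certificate = ./ca.pem
private_key = ./ca.key
default_md = sha256
default_days = 30
default_crl_days = 7
policy = any
[ any ]
commonName = supplied
EOF
    {   # Issue the CA and leaf, revoke the leaf, then publish a CRL.
        openssl req -config demo.cnf -x509 -newkey rsa:2048 -nodes -days 30 \
            -subj "/CN=Demo CA" -keyout ca.key -out ca.pem
        openssl req -config demo.cnf -newkey rsa:2048 -nodes \
            -subj "/CN=leaf" -keyout leaf.key -out leaf.csr
        openssl ca -config demo.cnf -batch -notext -in leaf.csr -out leaf.pem
        openssl ca -config demo.cnf -revoke leaf.pem
        openssl ca -config demo.cnf -gencrl -out crl.pem
    } >/dev/null 2>&1
    cat ca.pem crl.pem > ca_and_crl.pem
    # 1) Chain-only verification never looks at a CRL: the revoked leaf passes.
    if openssl verify -CAfile ca.pem leaf.pem >/dev/null 2>&1
    then echo "no_crl_check=OK"; else echo "no_crl_check=FAIL"; fi
    # 2) The verifier requests CRL checking and is given the CRL: leaf rejected.
    if openssl verify -crl_check -CAfile ca_and_crl.pem leaf.pem 2>&1 | grep -q "certificate revoked"
    then echo "crl_check=REVOKED"; else echo "crl_check=NOT_REJECTED"; fi
    # The crlnumber file makes "openssl ca" emit a CRL number extension, so this is a v2 CRL.
    openssl crl -in crl.pem -noout -text | sed -n 's/^ *Version \([0-9]*\).*/crl_version=\1/p'
)
crl_demo
```

The same holds for any program built on the library: it has to load the CRL and enable CRL checking itself, whatever the CRL's version.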