It looks like we need to support indirect CRL Issuers at least for CRL's issued for ourselves.
I have done most of the work. It looks like I don't quite know how to generate CRLs with the indirect CRL issuer, or I don't know how to generate the CRL issuer's certificate using the root certificate. So I have added the CRL issuer's cert to the trusted ones. But when I'm trying to use the CRL I get stopped here:

    crl_akid_check()
    {
        ...
        if (X509_check_akid(...)   /* this is where it fails */

and inside X509_check_akid():

        ...
        /* Check key ids (if present) */
        if (akid->keyid && issuer->skid &&
            ASN1_OCTET_STRING_cmp(akid->keyid, issuer->skid))
            return X509_V_ERR_AKID_SKID_MISMATCH;

There's definitely something I don't know about AKIDs and how to set them properly. To help you out, here are the certificates and CRLs (I have masked some fields):

******* Our ROOT cert *************************************

    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number: 0 (0x0)
            Signature Algorithm: sha256WithRSAEncryption
            Issuer: CN=TestMoregaRootCA, C=CA, O=TestMorega
            Validity
                Not Before: Jun  8 00:29:30 2010 GMT
                Not After : Jun  3 00:29:30 2030 GMT
            Subject: CN=TestMoregaRootCA, C=CA, O=TestMorega
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                    Public-Key: (2048 bit)
                    Modulus:
                        ...
                        6c:68:70:a5:c1:7e:5e:b8:e4:82:ff:6d:c6:3
            X509v3 extensions:
                X509v3 Subject Key Identifier:
                    70:8F:22:BC:D7:55:20:6E:00:D7:3A:D3:70:40:F5:49:91:20:90:60
                X509v3 Authority Key Identifier:
                    keyid:70:8F:22:BC:D7:55:20:6E:00:D7:3A:D3:70:40:F5:49:91:20:90:60
                    DirName:/CN=TestMoregaRootCA/C=CA/O=TestMorega
                    serial:00
                X509v3 Key Usage: critical
                    Certificate Sign, CRL Sign
                X509v3 Basic Constraints: critical
                    CA:TRUE

******** CRL Issuer Cert issued by the root ****************

    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number: 20 (0x14)
            Signature Algorithm: sha256WithRSAEncryption
            Issuer: CN=TestMoregaRootCA, C=CA, O=TestMorega
            Validity
                Not Before: Mar 16 18:31:26 2011 GMT
                Not After : Mar 11 18:31:26 2031 GMT
            Subject: C=CA, O=TestMorega, CN=TestMoregaCRLIssuer
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                    Public-Key: (1024 bit)
                    Modulus:
                        ...
                        1c:52:ce:81:2c:50:52:30:43
                    Exponent: 65537 (0x10001)
            X509v3 extensions:
                X509v3 Basic Constraints: critical
                    CA:FALSE
                X509v3 Subject Key Identifier:
                    7F:AC:68:90:EE:3C:8B:7B:6D:0E:A0:71:68:BE:57:D0:45:42:E9:C6
                X509v3 Authority Key Identifier:
                    keyid:70:8F:22:BC:D7:55:20:6E:00:D7:3A:D3:70:40:F5:49:91:20:90:60
                    DirName:/CN=TestMoregaRootCA/C=CA/O=TestMorega
                    serial:00
                X509v3 Key Usage: critical
                    Digital Signature, CRL Sign

******** A sample CRL issued by the Indirect CRL Issuer ****

    Certificate Revocation List (CRL):
            Version 2 (0x1)
            Signature Algorithm: sha256WithRSAEncryption
            Issuer: /C=CA/O=TestMorega/CN=TestMoregaCRLIssuer
            Last Update: Mar 17 12:56:55 2011 GMT
            Next Update: Apr 16 12:56:55 2011 GMT
            CRL extensions:
                X509v3 Authority Key Identifier:
                    keyid:7F:AC:68:90:EE:3C:8B:7B:6D:0E:A0:71:68:BE:57:D0:45:42:E9:C6
                    DirName:/CN=TestMoregaRootCA/C=CA/O=TestMorega
                    serial:14
                X509v3 Issuing Distrubution Point: critical
                    Full Name:
                      URI:http://localhost/
                    Indirect CRL
                Authority Information Access:
                    CA Issuers - URI:http://localhost/crlissuer.cer

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
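Added here as an illustration, not part of the original post and not OpenSSL's own code: a small Python model of the comparisons the quoted X509_check_akid performs (key identifier, then authorityCertSerialNumber and authorityCertIssuer per RFC 5280) and of the order in which crl_akid_check looks for a matching issuer, first the certificate's own chain issuer and, only for a CRL marked indirect, other trusted certificates. The three dumps are constructed excerpts of the ones in the message above, trimmed to the fields the check reads; the functions parse_dump, parse_name, check_akid and find_crl_issuer are this example's own names, and the search order is a simplified assumption about the real verifier rather than a transcription of it. Running it shows where each comparison passes or fails for these exact values: the CRL's AKID keyid (7F:AC:…) does not equal the root's SKID (70:8F:…), so the first comparison reports X509_V_ERR_AKID_SKID_MISMATCH, while it does equal the CRL issuer certificate's SKID, whose serial (0x14) and issuer name also agree with the AKID.

```python
import re

# Constructed excerpts of the three dumps from the post (only the fields the check uses).
ROOT_TEXT = """\
Certificate:
    Data:
        Serial Number: 0 (0x0)
        Issuer: CN=TestMoregaRootCA, C=CA, O=TestMorega
        Subject: CN=TestMoregaRootCA, C=CA, O=TestMorega
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                70:8F:22:BC:D7:55:20:6E:00:D7:3A:D3:70:40:F5:49:91:20:90:60
            X509v3 Authority Key Identifier:
                keyid:70:8F:22:BC:D7:55:20:6E:00:D7:3A:D3:70:40:F5:49:91:20:90:60
                DirName:/CN=TestMoregaRootCA/C=CA/O=TestMorega
                serial:00
"""

CRL_ISSUER_TEXT = """\
Certificate:
    Data:
        Serial Number: 20 (0x14)
        Issuer: CN=TestMoregaRootCA, C=CA, O=TestMorega
        Subject: C=CA, O=TestMorega, CN=TestMoregaCRLIssuer
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                7F:AC:68:90:EE:3C:8B:7B:6D:0E:A0:71:68:BE:57:D0:45:42:E9:C6
            X509v3 Authority Key Identifier:
                keyid:70:8F:22:BC:D7:55:20:6E:00:D7:3A:D3:70:40:F5:49:91:20:90:60
                DirName:/CN=TestMoregaRootCA/C=CA/O=TestMorega
                serial:00
"""

CRL_TEXT = """\
Certificate Revocation List (CRL):
        Issuer: /C=CA/O=TestMorega/CN=TestMoregaCRLIssuer
        CRL extensions:
            X509v3 Authority Key Identifier:
                keyid:7F:AC:68:90:EE:3C:8B:7B:6D:0E:A0:71:68:BE:57:D0:45:42:E9:C6
                DirName:/CN=TestMoregaRootCA/C=CA/O=TestMorega
                serial:14
            X509v3 Issuing Distrubution Point: critical
                Indirect CRL
"""


def parse_name(s):
    """Normalise both 'CN=a, C=b' and '/CN=a/C=b' spellings into an ordered tuple of RDNs.
    Comparison is order-sensitive, like X509_NAME_cmp on the encoded name."""
    s = s.strip()
    parts = s[1:].split("/") if s.startswith("/") else s.split(", ")
    return tuple(tuple(p.split("=", 1)) for p in parts)


def parse_dump(text):
    """Pull the fields the AKID check reads out of `openssl x509 -text` / `openssl crl -text` style output."""
    serial = re.search(r"Serial Number:\s*\d+\s*\(0x([0-9a-fA-F]+)\)", text)
    skid = re.search(r"Subject Key Identifier:\s+([0-9A-Fa-f:]+)", text)
    akid_keyid = re.search(r"keyid:([0-9A-Fa-f:]+)", text)
    akid_dir = re.search(r"DirName:(\S+)", text)
    akid_serial = re.search(r"^\s*serial:([0-9A-Fa-f]+)\s*$", text, re.M)
    issuer = re.search(r"^\s*Issuer:\s*(.+?)\s*$", text, re.M)
    subject = re.search(r"^\s*Subject:\s*(.+?)\s*$", text, re.M)
    return {
        "subject": parse_name(subject.group(1)) if subject else None,
        "issuer": parse_name(issuer.group(1)),
        "serial": int(serial.group(1), 16) if serial else None,
        "skid": skid.group(1).upper() if skid else None,
        "akid": {
            "keyid": akid_keyid.group(1).upper() if akid_keyid else None,
            "dirname": parse_name(akid_dir.group(1)) if akid_dir else None,
            # AKID serial is printed as bare hex (serial:14 == 0x14 == 20)
            "serial": int(akid_serial.group(1), 16) if akid_serial else None,
        },
        "indirect": "Indirect CRL" in text,
    }


def check_akid(akid, issuer):
    """Model of X509_check_akid: each AKID component present must agree with the candidate issuer.
    keyid <-> issuer's SKID; serial <-> issuer's serial; DirName <-> the issuer's own issuer name."""
    if akid["keyid"] and issuer["skid"] and akid["keyid"] != issuer["skid"]:
        return "X509_V_ERR_AKID_SKID_MISMATCH"
    if akid["serial"] is not None and akid["serial"] != issuer["serial"]:
        return "X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH"
    if akid["dirname"] and akid["dirname"] != issuer["issuer"]:
        return "X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH"
    return None


def find_crl_issuer(crl, chain_issuer, trusted):
    """Simplified model of crl_akid_check's search order (an assumption, not OpenSSL's code):
    the certificate's chain issuer is tried first; only an indirect CRL may then be matched
    against another trusted certificate whose subject is the CRL's issuer name."""
    if check_akid(crl["akid"], chain_issuer) is None:
        return chain_issuer
    if not crl["indirect"]:
        return None
    for cand in trusted:
        if cand["subject"] == crl["issuer"] and check_akid(crl["akid"], cand) is None:
            return cand
    return None


ROOT = parse_dump(ROOT_TEXT)
CRL_ISSUER = parse_dump(CRL_ISSUER_TEXT)
CRL = parse_dump(CRL_TEXT)

if __name__ == "__main__":
    for label, cand in (("root (chain issuer)", ROOT), ("CRL issuer cert", CRL_ISSUER)):
        print(f"{label:20s}: {check_akid(CRL['akid'], cand) or 'AKID matches'}")
    match = find_crl_issuer(CRL, ROOT, [CRL_ISSUER])
    print("matched CRL issuer :", match["subject"] if match else None)
```

The walk stops with a key-id mismatch against the chain issuer, which is expected for an indirect CRL: the CRL was signed by a key other than the certificate issuer's, so validation can only succeed once the verifier reaches the certificate whose SKID equals the CRL's AKID keyid and is willing to trust it as a CRL issuer.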