Hello! If I revoke a certificate using the ca command and manually set the invalidity date with the -crl_compromise option, the revocation reason is automatically set to keyCompromise. If I try to override this behaviour by setting -crl_compromise and -crl_reason (to something else, like affiliationChanged), the invalidity date is simply ignored.
Is there some particular reason why the ca command automatically implicates a compromised key when an invalidity date is set? The corresponding RFC 5280 does not require this behaviour:

"The invalidity date is a non-critical CRL entry extension that provides the date on which it is known or suspected that the private key was compromised or that the certificate otherwise became invalid..." (from http://tools.ietf.org/html/rfc5280#section-5.3.2 )

Regards,
Mathias

P.S.: I tested the scenario above under openssl 1.0.0c and openssl-fips 1.2
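The two revocations described in the post, reproduced on a throwaway CA. This is an added example, not part of the original message. The CA layout, the names and the invalidity date are constructed, and a default openssl.cnf is assumed to be present for `openssl req`. The script reads the revocation field that `openssl ca` writes to its database, where `keyTime` is how the tool records `-crl_compromise`.

```shell
#!/bin/sh
# Added example: throwaway CA in a temp dir; every name and date is constructed.
CA=$(mktemp -d)
INVALID=20110101000000Z   # constructed invalidity date (GeneralizedTime)

setup_ca() {
  mkdir "$CA/newcerts" && : > "$CA/index.txt" && echo 01 > "$CA/serial" &&
    echo 01 > "$CA/crlnumber" || return 1
  cat > "$CA/ca.cnf" <<EOF
[ ca ]
default_ca = demo
[ demo ]
database = $CA/index.txt
new_certs_dir = $CA/newcerts
serial = $CA/serial
crlnumber = $CA/crlnumber
certificate = $CA/ca.pem
private_key = $CA/ca.key
default_md = sha256
default_days = 30
default_crl_days = 7
policy = pol
[ pol ]
commonName = supplied
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Demo CA" \
    -keyout "$CA/ca.key" -out "$CA/ca.pem" 2>/dev/null
}

# Issue a leaf with CN=$1, revoke it with the remaining options, and print the
# revocation field (date[,reason[,extra]]) that "openssl ca" wrote to index.txt.
revoke_with() {
  cn=$1; shift
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$cn" \
    -keyout "$CA/$cn.key" -out "$CA/$cn.csr" 2>/dev/null &&
  openssl ca -batch -config "$CA/ca.cnf" -in "$CA/$cn.csr" \
    -out "$CA/$cn.pem" 2>/dev/null &&
  openssl ca -config "$CA/ca.cnf" -revoke "$CA/$cn.pem" "$@" 2>/dev/null &&
  awk -F'\t' -v s="/CN=$cn" '$6 == s { print $3 }' "$CA/index.txt"
}

setup_ca || exit 1
ONLY_DATE=$(revoke_with leaf1 -crl_compromise "$INVALID")
BOTH=$(revoke_with leaf2 -crl_compromise "$INVALID" -crl_reason affiliationChanged)
echo "crl_compromise only:         $ONLY_DATE"
echo "crl_compromise + crl_reason: $BOTH"
# Show how the two entries are rendered in the CRL itself.
openssl ca -config "$CA/ca.cnf" -gencrl 2>/dev/null | openssl crl -noout -text |
  grep -A6 'Serial Number'
```

A CRL consumer that relies on the Invalidity Date extension will not find it on the second entry, so inspect the generated CRL after revoking rather than trusting the command line.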