Hi, I have an index.txt database where all the "R" (revoked) and "E" (expired) lines were removed; only the "V" (valid) entries are left. When I generate a new CRL it doesn't contain any certificates, since this process parses the database and can't find any revoked certificates.

The problem now is that I need a proper CRL. That's why I tried the following.

Every database entry looks like this:

V<tab>200807100345Z<tab><tab>05<tab>unknown<tab>/C=--/ST=Statebla/L=Citybla/O=Orgbla/OU=OrganizationalUnitbla/CN=foo/emailAddress=foo@somehostname

The 4th column contains a serial number which is incremented by 0x01 every time a new certificate is added. If I find a gap in the serial numbers in two consecutive database entries, I just fill this missing entry with a dummy revoke entry.

Example: I have a database which contains those two consecutive entries. The first has the serial 0x05, the second 0x07. The entry with the serial 0x06 is missing, since it was an "R" or "E" entry and someone deleted it.

...
V<tab>200707100345Z<tab><tab>05<tab>unknown<tab>/C=--/ST=Statebla/L=Citybla/O=Orgbla/OU=OrganizationalUnitbla/CN=user1/emailAddress=user1@somehostname
V<tab>200907100345Z<tab><tab>07<tab>unknown<tab>/C=--/ST=Statebla/L=Citybla/O=Orgbla/OU=OrganizationalUnitbla/CN=user3/emailAddress=user3@somehostname
...

Now I would add an entry to the database, so that the database looks like this:

...
V<tab>200707100345Z<tab><tab>05<tab>unknown<tab>/C=--/ST=Statebla/L=Citybla/O=Orgbla/OU=OrganizationalUnitbla/CN=user1/emailAddress=user1@somehostname
R<tab>200807100345Z<tab>200807100345Z<tab>06<tab>unknown<tab>/C=--/ST=Statebla/L=Citybla/O=Orgbla/OU=OrganizationalUnitbla/CN=dummy1/emailAddress=dummy1@somehostname
V<tab>200807100345Z<tab><tab>07<tab>unknown<tab>/C=--/ST=Statebla/L=Citybla/O=Orgbla/OU=OrganizationalUnitbla/CN=user3/emailAddress=user3@somehostname
...

After that I generated a CRL (I own the CA) which then contained the certificate with the serial 0x06.

My question now is: would that be a proper workaround, or is there a better solution? Since the CRL only contains the serial numbers of the certificates, this seems to work, although it is not a very good solution.
Thanks for your help,
Martin

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
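The gap-filling described in the post, as an added example that is not part of the original message or of OpenSSL itself. It assumes the standard six-column index.txt layout (status, expiry, revocation date, hex serial, file name, DN), that the file is in ascending serial order as `openssl ca` writes it, and the post's own convention of setting the dummy's expiry to the revocation date; the sample rows are constructed from the post's example.

```python
import re

# Constructed sample (from the post's example): serial 06 is missing between 05 and 07.
SAMPLE_INDEX = (
    "V\t200707100345Z\t\t05\tunknown\t/C=--/ST=Statebla/L=Citybla/O=Orgbla"
    "/OU=OrganizationalUnitbla/CN=user1/emailAddress=user1@somehostname\n"
    "V\t200907100345Z\t\t07\tunknown\t/C=--/ST=Statebla/L=Citybla/O=Orgbla"
    "/OU=OrganizationalUnitbla/CN=user3/emailAddress=user3@somehostname\n"
)

# Columns of an OpenSSL index.txt line: status, expiry, revocation date, serial, file, DN.
COLS = ("status", "expiry", "revoked", "serial", "file", "dn")

def parse_index(text):
    """Parse index.txt into a list of 6-column rows; refuse malformed lines."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        cols = line.split("\t")
        if len(cols) != len(COLS) or not re.fullmatch(r"[0-9A-Fa-f]+", cols[3]):
            raise ValueError("malformed index.txt line: %r" % line)
        rows.append(cols)
    return rows

def fill_gaps(rows, revoked_at):
    """Return a new row list with a dummy 'R' row for every serial missing
    between consecutive entries. revoked_at is a UTCTime like '200807100345Z';
    the dummy's expiry is set to the same value, as in the post."""
    if not re.fullmatch(r"\d{12}Z", revoked_at):
        raise ValueError("revocation date must be YYMMDDHHMMSSZ")
    out = []
    for i, row in enumerate(rows):
        if i > 0:
            lo, hi = int(rows[i - 1][3], 16), int(row[3], 16)
            width = len(row[3])
            for missing in range(lo + 1, hi):        # serials with no surviving entry
                serial = "%0*X" % (width, missing)   # index.txt uses uppercase hex
                dn = "/CN=dummy%s" % serial          # hypothetical placeholder subject
                out.append(["R", revoked_at, revoked_at, serial, "unknown", dn])
        out.append(row)
    return out

def render(rows):
    """Serialize rows back to index.txt format (tab-separated, one per line)."""
    return "".join("\t".join(r) + "\n" for r in rows)

if __name__ == "__main__":
    print(render(fill_gaps(parse_index(SAMPLE_INDEX), "200807100345Z")), end="")
```

A serial that was never actually issued (an aborted signing run, for instance) would be listed as revoked too; that is harmless to verifiers, but it means the rebuilt CRL is not a faithful record of which certificates were really revoked.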