Hi,

> I have found the same and as Oliver already mentioned, this has been broken
> for a long time. What I did to solve this issue was to use the information in
> the certificate itself. You can get the URL of the CRL from the certificate
> with a very simple script. The URL from the certificate came from the
> configuration specifically config.d/realm.tpl/profile/default.yaml.
>
> You could put a valid value there and all the generated certificates would
> have that URL where you can download the CRL.

You are right. Inclusion of a CDP and/or OCSP AIA is the preferred way of distributing revocation information resources anyway, and many crypto library implementations and products already come with built-in mechanisms to process this information. This is why the GetCRL SCEP operation is commonly not used at all.

Cheers

Martin
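
The lookup discussed in this thread (reading the CRL URL from the certificate's CDP extension), as an added example that is not part of the original messages or of OpenXPKI: a standard-library DER walk that finds extension 2.5.29.31 and returns its `fullName` URI entries. The helper names, the sample bytes and the URL `http://pki.example.com/ca.crl` are constructed for illustration.

```python
CDP_OID = bytes.fromhex("0603551d1f")  # DER of OID 2.5.29.31 (cRLDistributionPoints)

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element at pos (single-byte tags)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def children(value):
    pos = 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        yield tag, val

def find_cdp(der):
    """Depth-first search for the Extension whose extnID is 2.5.29.31."""
    for tag, val in children(der):
        if tag == 0x30 and val.startswith(CDP_OID):
            return list(children(val))[-1][1]  # extnValue (OCTET STRING body)
        if tag & 0x20:  # constructed element: descend
            found = find_cdp(val)
            if found is not None:
                return found
    return None

def crl_urls(der):  # fullName URIs from the CDP extension, [] if it is absent
    cdp = find_cdp(der)
    if cdp is None:
        return []
    urls = []
    for _, dp in children(read_tlv(cdp, 0)[1]):      # each DistributionPoint
        for tag, field in children(dp):
            if tag == 0xA0:                          # distributionPoint [0]
                for ntag, names in children(field):
                    if ntag == 0xA0:                 # fullName [0] GeneralNames
                        urls += [v.decode("ascii")
                                 for t, v in children(names) if t == 0x86]
    return urls

def tlv(tag, body):  # encoder for the constructed sample only (lengths < 128)
    return bytes([tag, len(body)]) + body
def sample_extensions(url=b"http://pki.example.com/ca.crl"):  # constructed data
    cdp = tlv(0x30, tlv(0x30, tlv(0xA0, tlv(0xA0, tlv(0x86, url)))))
    return tlv(0x30, tlv(0x30, CDP_OID + tlv(0x04, cdp)))
```

For a real certificate, pass its DER bytes to `crl_urls`, for example the output of `ssl.PEM_cert_to_DER_cert` on the PEM text.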