On 2016/09/14 3:09 PM, Tuomo Soini wrote:
>> Attempts to import a CRL file into the NSS database using
>> crlutil fail with "crlutil: unable to import CRL:
>> SEC_ERROR_CRL_INVALID: New CRL has an invalid format."
> All CRLs are expected to be in DER format, but PEM is supported too.
> Your error sounds like the CRL is not in the correct format. That also explains
> why you don't see your CRL in ipsec auto --listcrls.
Okay, not sure what's going on here, but upon further testing:
1. Convert crl.pem to crl.der using
"crl -in crl.pem -out crl.der -outform der"
is successful. Placing crl.der in /etc/ipsec.d/crls and performing
"ipsec auto --rereadcrls"
gives exactly the same success message as the PEM file did, but still no
joy on "ipsec auto --listcrls".
2. However, attempting to import the DER format file into the NSS
database works, and (without doing another ipsec auto --reread),
"ipsec auto --listcrls"
now produces the following:
000
000 List of CRLs:
000
000 issuer: C=CA, ST=Alberta, L=Edmonton International Airport,
O=Morningstar Air Express Inc., OU=Information Technology,
CN=MAEI Root Certificate, [email protected]
000 revoked certs: 14
000 updates: this Tue Sep 13 14:01:02 2016
000 next Sun Mar 12 14:01:02 2017
So not sure what's going on with either the PEM format file or loading
certs from /etc/ipsec.d/crls, neither of which is working in my case,
but I appear to have a functioning workaround so it's not critical.
Nels Lindquist
----
<[email protected]>
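The thread turns on whether the CRL on disk is really well-formed DER before crlutil or /etc/ipsec.d/crls sees it. The following is an added example, not code from the thread or from libreswan/NSS: it unwraps "-----BEGIN X509 CRL-----" PEM armor to DER and then checks the outer DER envelope the way a CertificateList must look (one SEQUENCE spanning the whole file whose first element, tbsCertList, is itself a SEQUENCE). The sample blob is constructed and is not a real CRL; it only exercises the envelope check.

```python
import base64
import re

# Constructed sample, not a real CertificateList: SEQUENCE { SEQUENCE { INTEGER 1 } }.
SAMPLE_DER = bytes.fromhex("30053003020101")
SAMPLE_PEM = ("-----BEGIN X509 CRL-----\n" + base64.b64encode(SAMPLE_DER).decode()
              + "\n-----END X509 CRL-----\n").encode()

_PEM_RE = re.compile(rb"-----BEGIN X509 CRL-----(.*?)-----END X509 CRL-----", re.S)


def to_der(data: bytes) -> bytes:
    """Unwrap PEM armor if present; otherwise assume the input is already DER."""
    m = _PEM_RE.search(data)
    if m:
        return base64.b64decode(re.sub(rb"\s+", b"", m.group(1)))
    return data


def _read_tlv(buf: bytes, pos: int):
    """Parse one DER tag/length; return (tag, value_start, value_end) or None."""
    if pos + 2 > len(buf):
        return None
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:                       # short-form length
        length, start = first, pos + 2
    else:                                  # long-form: 0x8N then N length bytes
        n = first & 0x7F
        if n == 0 or pos + 2 + n > len(buf):
            return None
        length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
        start = pos + 2 + n
    end = start + length
    return (tag, start, end) if end <= len(buf) else None


def crl_envelope_ok(der: bytes) -> bool:
    """True if the bytes look like a DER CertificateList: an outer SEQUENCE whose
    length covers the whole file and whose first element (tbsCertList) is a SEQUENCE.
    A truncated file, trailing garbage or un-decoded PEM text all fail this check."""
    outer = _read_tlv(der, 0)
    if outer is None or outer[0] != 0x30 or outer[2] != len(der):
        return False
    inner = _read_tlv(der, outer[1])
    return inner is not None and inner[0] == 0x30


if __name__ == "__main__":
    for name, blob in (("pem", SAMPLE_PEM), ("der", SAMPLE_DER), ("truncated", SAMPLE_DER[:-1])):
        print(name, "ok" if crl_envelope_ok(to_der(blob)) else "INVALID FORMAT")
```

Run it against the actual crl.pem and crl.der bytes (for example, `crl_envelope_ok(to_der(open("crl.der", "rb").read()))`) before dropping a file into /etc/ipsec.d/crls; a False result means the file will not be accepted no matter how many times --rereadcrls is issued.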
_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan