On 09/05/2012 03:11 PM, Martin Willi wrote:
> Hi Claude,
>
>> crluri=VPNCA-crl.pem
>> fetching crl from 'VPNCA-crl.pem' ...
>> crl fetching failed
>
> crluri takes a URI, not a file name (see ipsec.conf(5)). It might have
> worked with pluto, but it certainly does not with charon.
>
>> fetching crl from
>> 'file:///usr/local/strongswan/etc/ipsec.d/crls/VPNCA-crl.pem' ...
>
> An X.509 CRL distribution point always points to a DER encoded CRL (see
> [1]). We treat crluri exactly the same way, hence it must be encoded as
> DER, too.
>
>> issuer of fetched CRL 'C=LU,[...]' does not match CRL issuer
>> 'f8:fd:2f:da:23:be:ee:8b:b4:fd:2b:d0:98:5c:c1:5f:1e:5b:74:ac'
>
> The relation between CRL and CRL issuer is resolved using the CRL
> authorityKeyIdentifier. This means that the CRL must contain an
> authorityKeyIdentifier equal to the subjectKeyIdentifier of the CRL
> issuer (see [2]).
>
> Regards
> Martin
>
> [1] http://tools.ietf.org/html/rfc5280#section-4.2.1.13
> [2] http://tools.ietf.org/html/rfc5280#section-5.2.1

Hi Martin,
Thanks for the explanations. I don't see an authorityKeyIdentifier in my
CRL, but my openssl.cnf contains:

[ crl_ext ]
authorityKeyIdentifier = keyid:always,issuer:always

Isn't this correct?

kind regards,
Claude

--
Claude Tompers
Network and systems engineer
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
Tel: +352 424409 1
Fax: +352 422473
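The script below is an added example, not from this thread or from the strongSwan project. It reproduces both conditions Martin describes (the CRL behind a crluri must be DER, and its authorityKeyIdentifier keyid must equal the issuer certificate's subjectKeyIdentifier) and the situation in Claude's reply: an openssl.cnf that has a [crl_ext] section which never ends up in the CRL. With the stock `openssl ca -gencrl`, a [crl_ext] section is only applied when it is selected, either by `crl_extensions = crl_ext` in the CA section or by `-crlexts crl_ext` on the command line; the script builds a throwaway CA in a temp directory, issues one CRL each way, and checks each against the CA certificate. It assumes an `openssl` binary (1.1.1 or later) on the PATH; the CA name and all paths are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the strongSwan list or project): build a scratch CA,
# issue CRLs with and without authorityKeyIdentifier, and check a DER CRL the
# way charon binds it to its issuer (CRL AKI keyid == issuer cert SKI).
set -eu

# Create a throwaway CA under $1: key, self-signed cert with an SKI, and the
# database files "openssl ca" needs. The config contains [crl_ext] but, as in
# the reporter's setup, no "crl_extensions = crl_ext" line in [CA_default].
make_ca() {
    newdir=$1
    mkdir -p "$newdir"
    cat > "$newdir/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default

[ CA_default ]
dir              = $newdir
database         = \$dir/index.txt
new_certs_dir    = \$dir
serial           = \$dir/serial
crlnumber        = \$dir/crlnumber
certificate      = \$dir/ca.pem
private_key      = \$dir/ca.key
default_md       = sha256
default_crl_days = 30
policy           = policy_any

[ policy_any ]
commonName = supplied

[ crl_ext ]
authorityKeyIdentifier = keyid:always,issuer:always

[ req ]
distinguished_name = req_dn

[ req_dn ]

[ ca_ext ]
subjectKeyIdentifier = hash
basicConstraints     = critical,CA:TRUE
keyUsage             = critical,keyCertSign,cRLSign
EOF
    : > "$newdir/index.txt"
    echo 01 > "$newdir/serial"
    echo 01 > "$newdir/crlnumber"
    # Constructed CA name; key-generation chatter on stderr is discarded.
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/C=XX/O=Example/CN=Example VPN CA" \
        -config "$newdir/openssl.cnf" -extensions ca_ext \
        -keyout "$newdir/ca.key" -out "$newdir/ca.pem" 2>/dev/null
}

# Issue a CRL from the CA in $1 and write it DER-encoded to $2 (the encoding
# charon expects behind crluri). $3 names the extension section to apply via
# -crlexts; leave it empty to get the CRL the unused [crl_ext] produces.
gen_crl() {
    ca_dir=$1; out_der=$2; ext_sect=${3:-}
    if [ -n "$ext_sect" ]; then
        openssl ca -config "$ca_dir/openssl.cnf" -gencrl -crlexts "$ext_sect" \
            -out "$ca_dir/crl.pem" 2>/dev/null
    else
        openssl ca -config "$ca_dir/openssl.cnf" -gencrl \
            -out "$ca_dir/crl.pem" 2>/dev/null
    fi
    openssl crl -in "$ca_dir/crl.pem" -outform DER -out "$out_der"
}

# Print the hex key id on the line after the named extension header in
# "openssl ... -text" output, dropping the "keyid:" prefix some versions print.
ext_keyid() {
    awk -v hdr="$1" 'index($0, hdr) { getline; sub(/^[ \t]*(keyid:)?/, ""); print; exit }'
}
crl_aki()  { openssl crl -inform DER -in "$1" -noout -text | ext_keyid "Authority Key Identifier"; }
cert_ski() { openssl x509 -in "$1" -noout -text | ext_keyid "Subject Key Identifier"; }

# Succeed only if $1 parses as a DER CRL (a PEM file fails this check).
is_der_crl() { openssl crl -inform DER -in "$1" -noout 2>/dev/null; }

# Succeed only if the CRL's AKI keyid equals the issuer certificate's SKI.
# A CRL with no AKI at all fails, which is the mismatch charon reports.
crl_matches_issuer() {
    aki=$(crl_aki "$1"); ski=$(cert_ski "$2")
    if [ -n "$aki" ] && [ "$aki" = "$ski" ]; then return 0; else return 1; fi
}

# Demo: one CRL without the section applied, one with it.
work=$(mktemp -d)
make_ca "$work/ca"
gen_crl "$work/ca" "$work/no-aki.crl" ""
gen_crl "$work/ca" "$work/with-aki.crl" crl_ext
for f in no-aki with-aki; do
    if crl_matches_issuer "$work/$f.crl" "$work/ca/ca.pem"; then
        echo "$f: AKI matches issuer SKI"
    else
        echo "$f: no AKI or mismatch (CRL AKI='$(crl_aki "$work/$f.crl")')"
    fi
done
rm -rf "$work"
```

To use the checks against a real deployment, point `crl_matches_issuer` at the DER file served at your crluri and at the CA certificate in ipsec.d/cacerts; an empty AKI from `crl_aki` means the [crl_ext] section was never selected when the CRL was generated.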
_______________________________________________ Users mailing list [email protected] https://lists.strongswan.org/mailman/listinfo/users
