[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: CRL with OpenSSL

To: ck@cksoft.de (Christian Kratzer)
Subject: Re: CRL with OpenSSL
From: manu@netbsd.org (Emmanuel Dreyfus)
Date: Sun, 13 Apr 2014 10:15:20 +0200
Cc: "openldap-technical@openldap.org" <openldap-technical@openldap.org>
In-reply-to: <alpine.BSF.2.00.1404130910560.6508@pohjola.cksoft.de>
User-agent: MacSOUP/2.7 (unregistered for 2640 days)

Christian Kratzer <ck-lists@cksoft.de> wrote:

> it is standard openssl behavior to load certs from CERTHASH.0 and crls
> from CERTHASH.r0

I am glad it makses some sense. Is it documented anywhere?

> You can generate the hash from a certificate using "openssl x509 hash"
> 
>      ck@pohjola: {112} openssl x509 -noout -hash -in CA.cert
>      faf58a99
>
> You generally set a symlink from the hash to your certificate and crl using
> 
>      ln -s CA.cert `openssl x509 -noout -hash -in CA.cert`.0
>      ln -s CA.crl  `openssl x509 -noout -hash -in CA.cert`.r0

I fixed the second like to be a link to the CRL  and not to the CA.

It happily loads ${hash}.r0, it does not touch ${hash}.0, but it still
looks for an inexistant ${hash}.r1 file. What should be there?

-- 
Emmanuel Dreyfus
http://hcpnet.free.fr/pubz
manu@netbsd.org

Follow-Ups:
- Re: CRL with OpenSSL
  - From: Christian Kratzer <ck-lists@cksoft.de>
- Re: CRL with OpenSSL
  - From: Ferenc Wagner <wferi@niif.hu>

References:
- Re: CRL with OpenSSL
  - From: Christian Kratzer <ck-lists@cksoft.de>

Prev by Date: Re: CRL with OpenSSL
Next by Date: Re: CRL with OpenSSL
Index(es):
- Chronological
- Thread