Re: CRL with OpenSSL
manu@netbsd.org (Emmanuel Dreyfus) writes:
> Christian Kratzer <ck-lists@cksoft.de> wrote:
>
>> it is standard openssl behavior to load certs from CERTHASH.0 and crls
>> from CERTHASH.r0
>
> I am glad it makes some sense. Is it documented anywhere?
See man c_rehash, for example.
>> You can generate the hash from a certificate using "openssl x509 hash"
>>
>> ck@pohjola: {112} openssl x509 -noout -hash -in CA.cert
>> faf58a99
>>
>> You generally set a symlink from the hash to your certificate and crl using
>>
>> ln -s CA.cert `openssl x509 -noout -hash -in CA.cert`.0
>> ln -s CA.crl `openssl x509 -noout -hash -in CA.cert`.r0
>
> I fixed the second line to be a link to the CRL and not to the CA.
>
> It happily loads ${hash}.r0, it does not touch ${hash}.0, but it still
> looks for a nonexistent ${hash}.r1 file. What should be there?
Another cert or crl with the same hash. See the man page.
--
Regards,
Feri.
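
The numbered lookup discussed in this thread, as an added example that is not part of the original messages and is not OpenSSL's own code. It assumes the lookup probes `HASH.r0`, `HASH.r1`, ... and stops at the first missing name, which matches the `.r1` probe reported above; the hash `faf58a99` is the one quoted in the thread, and the empty placeholder files and function names are constructed for the demonstration.

```shell
#!/bin/sh
# Assumption: the hashed-directory lookup reads HASH.<prefix>0, HASH.<prefix>1, ...
# and stops at the first name that does not exist.
# PREFIX is "" for certificates (HASH.0) and "r" for CRLs (HASH.r0).

# probe_chain DIR HASH PREFIX: print, in order, every link the lookup would read.
probe_chain() {
    dir=$1 hash=$2 prefix=$3 n=0
    while [ -e "$dir/$hash.$prefix$n" ]; do
        printf '%s\n' "$hash.$prefix$n"
        n=$((n + 1))
    done
}

# unreachable_links DIR HASH PREFIX: print links that sit after a gap in the
# numbering. Under the assumption above they are never read, so a CRL stored
# there would not be applied.
unreachable_links() {
    dir=$1 hash=$2 prefix=$3
    reached=$(probe_chain "$dir" "$hash" "$prefix")
    for path in "$dir/$hash.$prefix"[0-9]*; do
        [ -e "$path" ] || continue      # glob matched nothing
        name=${path##*/}
        printf '%s\n' "$reached" | grep -qxF -- "$name" || printf '%s\n' "$name"
    done
}

# make_sample_dir: constructed directory with one CA link, one CRL link,
# and a second CRL link misnumbered as .r2 (gap at .r1).
make_sample_dir() {
    d=$(mktemp -d) || return 1
    : > "$d/faf58a99.0"
    : > "$d/faf58a99.r0"
    : > "$d/faf58a99.r2"
    printf '%s\n' "$d"
}

sample=$(make_sample_dir)
echo "CRL links read in order:"; probe_chain "$sample" faf58a99 r
echo "CRL links never reached:"; unreachable_links "$sample" faf58a99 r
rm -rf "$sample"
```

Running `unreachable_links` over a real hashed directory after each CRL update catches links that were numbered by hand and left a gap.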