Re: CRL with OpenSSL

To: Emmanuel Dreyfus <manu@netbsd.org>

Subject: Re: CRL with OpenSSL

From: Erwann Abalea <eabalea@gmail.com>

Date: Mon, 14 Apr 2014 11:17:37 +0200

Cc: Christian Kratzer <ck@cksoft.de>, "openldap-technical@openldap.org" <openldap-technical@openldap.org>

Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=2owdpmevPW75ShjKglxxwmnvPeNPVXnzuzPk9RyLWJI=; b=SvZJDUccjWj/tdEWmakZZQrmsLlMCwDXD9JD9ifskzzsXWXgoi5wmSoAf9XT3to02h 5r0t0iQcmae3Hun6UuKKPS7uLwUxNu1KbzR1bhGH21YxktTck+Hb3eV3kvxp8PnoH44z JjxYx+jO65K2v/T9Syw3UQIZbXSdup6n2Ht3O9tA6IHkfY/fwv05NKheyODsQSNQ+m7/ +ezt7TwOC0CVIwElMHzDU83HE8cFHbjU9gyTMljTuAsdy3QVQ7RC2ZuApfQXlYnDcw+y SIeLkp2YbNIyhafaQ9j/+Hy+z1eanxAN6/6viksFqVVXYnVaP6NjjxTs0eaiiM2xO4Jf Ii3w==

In-reply-to: <20140414083233.GE6253@homeworld.netbsd.org>

References: <1lk1ixl.dak40mksqfj7M%manu@netbsd.org> <alpine.BSF.2.00.1404131220040.17764@pohjola.cksoft.de> <20140414083233.GE6253@homeworld.netbsd.org>

It considers that the CRL found at "hash".r0 isn't valid or sufficient to give a revocation status of your certificate.

Could you post the subscriber certificate, its issuing CA cert, and the corresponding CRL somewhere?

2014-04-14 10:32 GMT+02:00 Emmanuel Dreyfus <manu@netbsd.org>:

On Sun, Apr 13, 2014 at 12:21:10PM +0200, Christian Kratzer wrote:
> >I think this is because the CRL Next Update is in the past. ÂI will
> >renew the CRL to check that.
>
> yes an expired crl will usually cause validation to fail.

Now with a valid CRL, I still have the same problem: it loads
/etc/openssl/certs/0726b466.r0, then tries and fails on:
/etc/openssl/certs/0726b466.r1
/etc/openssl/cert.pem/0726b466.r0

And then it fails with this complain:
TLS certificate verification: Error, unable to get certificate CRL

--
Emmanuel Dreyfus
manu@netbsd.org

--
Erwann.

Follow-Ups:

Re: CRL with OpenSSL
- From: manu@netbsd.org (Emmanuel Dreyfus)

References:

Re: CRL with OpenSSL
- From: manu@netbsd.org (Emmanuel Dreyfus)
Re: CRL with OpenSSL
- From: Christian Kratzer <ck-lists@cksoft.de>
Re: CRL with OpenSSL
- From: Emmanuel Dreyfus <manu@netbsd.org>