On Wed, Sep 27, 2023 at 09:06:58AM +0900, stephane Tranchemer wrote:
> Hello,
>
> > > How-To-Repeat:
> > > Create a config file for SSL certificates that declares to use the
> > > x509_extensions crlDistributionPoints with a URL target.
> > >
> > > Generate a certificate against this config, there should be the CRL
> > > options declared.
> >
> > As far as I can see, the problem is this: your crldp URI contains an IP
> > address and you run into a check that the host component is not an IP
> > address:
> >
> > https://github.com/openbsd/src/blob/master/lib/libcrypto/x509/x509_constraints.c#L52
>
> That's right, I tried with a FQDN and it was much happier.
> Quite nasty that a behavior not supposed to work did work until one day
> someone finally fixes it, quite confusing.

Well. Arguably there is a bug. I'm not sure.

> Another trouble I found, maybe it's my conf again(?) is that I am unable to
> use a section to call out to define common options for x509extensions.
> Example, this does not work:
>
> [ ca ]
> default_ca = Domain-CA
>
> [ Domain-CA ]
> ...
> x509_extensions = common_options
>
> [ common_options ]
> crlDistributionPoints = URI:http://my_machine_fqdn/crl/root.crl
> nsComment = "Generated Certificate for Company"
> subjectKeyIdentifier = hash
> authorityKeyIdentifier = keyid,issuer

Please work this into an example explaining in detail what you expect to see and what you do see and what commands you run.
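The host check discussed in the first part of the thread, as an added Python example that is neither part of this mail exchange nor LibreSSL's own code: it approximates the constraint applied to a crlDistributionPoints URI value, accepting a DNS hostname and rejecting an IP-address literal in the host component. The function names and the sample values are my own.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Added example approximating the host check a crlDistributionPoints URI is
# subjected to (the real check lives in libcrypto's x509_constraints.c; this
# is not that code). Hostname labels: letters, digits and hyphens only, no
# leading or trailing hyphen, at most 63 characters.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def host_is_ip_literal(host: str) -> bool:
    """True if host is an IPv4 or IPv6 address literal."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def valid_dns_host(host: str) -> bool:
    """True if host looks like a DNS hostname (RFC 1123-style labels)."""
    if not host or len(host) > 253:
        return False
    return all(_LABEL.match(label) for label in host.rstrip(".").split("."))


def check_crldp_value(value: str) -> tuple[bool, str]:
    """Check one crlDistributionPoints config value such as
    'URI:http://crl.example.com/root.crl'. Returns (accepted, reason)."""
    if not value.startswith("URI:"):
        return False, "only URI: general names are handled by this example"
    parts = urlsplit(value[len("URI:"):])
    if not parts.scheme or not parts.netloc:
        return False, "URI needs a scheme and an authority (scheme://host/...)"
    host = parts.hostname or ""   # brackets and port are already stripped here
    if host_is_ip_literal(host):
        return False, f"host {host!r} is an IP address, not a DNS name"
    if not valid_dns_host(host):
        return False, f"host {host!r} is not a valid DNS hostname"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample values using RFC 5737 / RFC 3849 documentation addresses.
    for v in ("URI:http://192.0.2.10/crl/root.crl",
              "URI:http://[2001:db8::1]/crl/root.crl",
              "URI:http://crl.example.com/crl/root.crl"):
        print(v, "->", check_crldp_value(v))
```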