On Mon Jul 29 23:00:40 2013, [email protected] wrote:
> While attempting to build an indirect CRL signing role, I managed to
> come up with a way to revoke a certificate but allow it to pass the
> CRL checks of the verify utility. I'm not yet sure if this is a bug
> or if the chain I created is invalid in some way.
>

I had a quick look and I think the problem is that it is an indirect CRL
which can cover multiple CAs and that in the absence of other information
it is defaulting to the CRL issuer name for CRL entries rather than the
CA name. As a result it can't find any entries for CA name and so doesn't
return revoked.

By using the Certificate Issuer CRL extension you can change that but
OpenSSL doesn't currently include an option to set it in the ca utility.

There is a rather simpler way you can achieve what I think you want. What
you do in the CA certificate is to include keyUsage *without* the CRLSign
bit set and then issue a certificate from that CA with the *same name* as
the CA but with CRLSign asserted. Make sure you include SKID/AKID in the
certificates and CRLs.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [email protected]
Automated List Manager                           [email protected]
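The layout Steve describes, built end to end with the OpenSSL command-line tools, as an added example that is not part of the original thread and not code from the OpenSSL project. It creates a CA certificate whose keyUsage lacks cRLSign, issues from that CA a second certificate with the same subject name that does carry cRLSign, signs a CRL with that second key, and then runs `openssl verify -crl_check` against a revoked and an unrevoked leaf. SKID/AKID are present on every certificate and on the CRL; that is what lets the verifier tell the two same-named certificates apart. The subject names, file names, serial numbers and config layout are constructed for this example, and the verify command needs `-extended_crl` plus the CRL signer passed as `-untrusted`, because the CRL issuer is not on the leaf's own chain.

```shell
#!/bin/sh
# Added example (not from the thread): CA without cRLSign + same-named CRL
# signer with cRLSign, verified with the OpenSSL CLI. All names constructed.
set -eu

CA_NAME="/CN=Indirect CRL Demo CA"   # constructed; shared by CA and CRL signer

# One config file: [req] for CSRs, extension profiles for `x509 -req`,
# and a minimal [ca] section for `ca -revoke` / `ca -gencrl`.
write_config() {
    cat > "$1" <<'EOF'
[req]
distinguished_name = req_dn
[req_dn]
commonName = Common Name
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign
subjectKeyIdentifier = hash
[crlsigner_ext]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
[leaf_ext]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
[ca]
default_ca = CA_default
[CA_default]
database = index.txt
new_certs_dir = newcerts
serial = serial
default_md = sha256
default_crl_days = 30
crl_extensions = crl_ext
[crl_ext]
authorityKeyIdentifier = keyid:always
EOF
}

# gen_csr <basename> <subject>: fresh P-256 key plus CSR (no passphrase)
gen_csr() {
    openssl req -new -config ext.cnf -subj "$2" -nodes \
        -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 \
        -keyout "$1.key" -out "$1.csr"
}

# issue <csr base> <serial> <ext section> <out>: certificate signed by the CA key
issue() {
    openssl x509 -req -in "$1.csr" -CA ca.pem -CAkey ca.key -set_serial "$2" \
        -days 365 -extfile ext.cnf -extensions "$3" -out "$4"
}

# Build the whole PKI inside directory $1 (must be an absolute path).
build_demo_pki() {
    mkdir -p "$1/newcerts"
    (
        cd "$1"
        write_config ext.cnf
        : > index.txt
        echo 01 > serial
        # 1. Self-signed CA: keyCertSign only, deliberately no cRLSign.
        gen_csr ca "$CA_NAME"
        openssl x509 -req -in ca.csr -signkey ca.key -set_serial 1 -days 365 \
            -extfile ext.cnf -extensions ca_ext -out ca.pem
        # 2. CRL signer: same subject as the CA, issued by the CA, cRLSign set.
        gen_csr crlsigner "$CA_NAME"
        issue crlsigner 1000 crlsigner_ext crlsigner.pem
        # 3. Two end-entity certificates from the CA key.
        gen_csr leaf "/CN=leaf.example";   issue leaf  1001 leaf_ext leaf.pem
        gen_csr other "/CN=other.example"; issue other 1002 leaf_ext other.pem
        # 4. Revoke leaf and sign the CRL with the CRL signer's key. The CRL
        #    issuer name equals the CA name, so plain entries match leaf, and
        #    crl_ext puts the signer's key id in the CRL's AKID.
        openssl ca -config ext.cnf -cert crlsigner.pem -keyfile crlsigner.key \
            -revoke leaf.pem
        openssl ca -config ext.cnf -cert crlsigner.pem -keyfile crlsigner.key \
            -gencrl -crldays 30 -out crl.pem
    )
}

# verify_leaf <dir> <cert> [extra verify flags] -> revoked | ok | no-crl | error
verify_leaf() {
    dir=$1; cert=$2; shift 2
    out=$(cd "$dir" && openssl verify -crl_check "$@" -CAfile ca.pem \
          -untrusted crlsigner.pem -CRLfile crl.pem "$cert" 2>&1) || true
    case $out in
        *"certificate revoked"*)           echo revoked ;;
        *": OK"*)                          echo ok ;;
        *"unable to get certificate CRL"*) echo no-crl ;;
        *)                                 echo error ;;
    esac
}

demo() {
    d=$(mktemp -d)
    build_demo_pki "$d"
    echo "leaf  (revoked), -extended_crl: $(verify_leaf "$d" leaf.pem -extended_crl)"
    echo "other (valid),   -extended_crl: $(verify_leaf "$d" other.pem -extended_crl)"
    echo "leaf  (revoked), default flags: $(verify_leaf "$d" leaf.pem)"
    rm -rf "$d"
}

demo
```

Without `-extended_crl` the CRL is ignored rather than trusted: the verifier looks for a CRL issuer only on the leaf's chain, finds the CA's SKID does not match the CRL's AKID, and reports that it cannot get a CRL at all. With the flag, it locates the same-named signer among the untrusted certificates, builds and validates that signer's own path to the same trust anchor, checks its cRLSign bit, and only then applies the CRL entries. If the CRL were issued without an AKID, the verifier would assume the CA itself signed it and fail on the signature instead.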
