Florian Delacroix wrote:
> 
> Hi all,
> 
> I have generated an empty CRL, added a cert and signed the CRL using
> the following commands.
>     X509_CRL_new
>     sk_X509_REVOKED_push
>     X509_CRL_sign
> 

That's not enough. You have to set up a few other things as well.
Specifically the CRL issuer name and lastUpdate. You don't have to set
thisUpdate but it is recommended.

I don't think there are any functions that actually do this at present
so you'll have to access the X509_CRL structure directly: there's an
example in apps/ca.c, just look for 'gencrl' and you should find it.

This could be regarded as invalid ASN1 behaviour: it should really
return an error if an attempt is made to encode a structure and some of
the mandatory fields have not been initialized properly. The new ASN1
may fix this at some point.

Steve.
-- 
Dr Stephen N. Henson.   http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED] 
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the   OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
