On Thu, Apr 27, 2006, Martin Mller wrote:

> Thank you for your quick answer. I'm a bloody rookie in owning a CA.
>
> So my next problem:
> My Debian Sarge doesn't write a CRL after the command openssl ca -revoke
> client2N.cert. I'm getting the following messages
>
> Using configuration from /usr/lib/ssl/openssl.cnf
> Enter pass phrase for /usr/lib/ssl/misc/demoCA/private/cakey.pem:
> Revoking Certificate 934E2BFFA8B8036A.
> Data Base Updated
>
> So, where is the DB? I can't find one in the subdirectories under
> /usr/lib/ssl/ . The files which are in there are completely empty and
> they don't get a new modification date.
>

Should be a file called index.text under demoCA but if openssl.cnf has been modified from the OpenSSL default it could be elsewhere.

> When I try to create a CRL (openssl ca -gencrl -out newca.crl) I get the
> following error:
>
> Using configuration from /usr/lib/ssl/openssl.cnf
> Enter pass phrase for /usr/lib/ssl/misc/demoCA/private/cakey.pem:
> unable to load number from /usr/lib/ssl/misc/demoCA/crlnumber
> error while loading CRL number
> 3591:error:0D066096:asn1 encoding routines:a2i_ASN1_INTEGER:short
> line:f_int.c:215:
>
> The file newca.crl is created, but what about the crlnumber?
>

What is in the crlnumber file? Seems like there is a bug in the CA.pl script which doesn't automatically create it. The file should contain an even number of hex digits. If a CRL has never been issued before it should contain 01.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
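
The check described in the reply above, as an added example that is not part of the original message or of OpenSSL: a small shell helper that validates a crlnumber file (even number of hex digits) and writes 01 only when the file is missing or empty. The function names are hypothetical, and the CA directory is passed as an argument.

```shell
#!/bin/sh
# Added example (not from the thread): validate or initialise the crlnumber
# file read by `openssl ca -gencrl`. Function names are hypothetical.
# Usage: sh crlnumber.sh /usr/lib/ssl/misc/demoCA

# Return 0 if the first line of the file is an even number of hex digits.
crlnumber_valid() {
    f=$1
    [ -s "$f" ] || return 1               # missing or empty file
    n=$(head -n 1 "$f" | tr -d '\r')
    case $n in
        ''|*[!0-9A-Fa-f]*) return 1 ;;    # blank line or non-hex characters
    esac
    [ $(( ${#n} % 2 )) -eq 0 ]            # digit count must be even
}

# Write 01 only when the file is missing or empty. An existing counter is
# never overwritten, so already-issued CRL numbers are not reused.
crlnumber_init() {
    f=$1
    if [ ! -s "$f" ]; then
        printf '01\n' > "$f"
        echo "initialised $f with 01"
    elif crlnumber_valid "$f"; then
        echo "ok: $f contains $(head -n 1 "$f")"
    else
        echo "invalid content in $f, correct it by hand" >&2
        return 1
    fi
}

# Act only when a CA directory is given on the command line.
if [ -n "${1:-}" ]; then
    crlnumber_init "$1/crlnumber"
fi
```
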