On Fri, Oct 20, 2006, Karsten Ohme wrote:

> I have created a CA and want to generate CRLs for another CA, i.e. an
> indirectCRL. How can this be done with the command line? I also want to
> add CRL extensions to it. What is the syntax for the
> IssuingDistributionPoint extension in openssl.cnf?

Currently OpenSSL CRL generation is only possible through the 'ca' utility, so
you need to set up (or generate) files in the appropriate format for it. You'd
have to configure it so that the CRL issuer certificate is set up as the "CA"
for the ca utility.

IDP has only been recently added to OpenSSL, so you need the 0.9.9-dev version
to use it. Documentation is available, though the website didn't update it for
some reason. Check the docs with 0.9.9-dev or:

http://www.openssl.org/docs/apps/x509v3_config.html#Issuing_Distribution_Point

Note that currently OpenSSL will not verify such a CRL properly, though it can
be made to issue one.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
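
The setup described in the reply, as an added example configuration that is not part of the original message or the OpenSSL project's own files: the CRL issuer's certificate and key are configured as the "CA" for the ca utility, and the CRL extension section carries the IDP with indirectCRL set. The file name indirect-crl.cnf, the directory layout, the key and certificate file names and the URI are assumptions made for this example, and it requires an OpenSSL build that supports the IDP extension.

```ini
# Constructed example: openssl.cnf for a dedicated (indirect) CRL issuer.
# All paths and the URI below are placeholders chosen for this example.
#
# Files the 'ca' utility expects before it will run:
#   mkdir -p crl-issuer
#   touch crl-issuer/index.txt      # revoked entries, in the ca database format
#   echo 01 > crl-issuer/crlnumber  # next CRL number, hex
# Generate the CRL:
#   openssl ca -config indirect-crl.cnf -gencrl -out crl-issuer/indirect.crl
# Check which extensions were written:
#   openssl crl -in crl-issuer/indirect.crl -noout -text

[ ca ]
default_ca = crl_issuer

[ crl_issuer ]
dir              = ./crl-issuer
database         = $dir/index.txt
crlnumber        = $dir/crlnumber
# The CRL issuer's own certificate and key, not those of the CA
# whose certificates are listed as revoked.
certificate      = $dir/crl-issuer-cert.pem
private_key      = $dir/crl-issuer-key.pem
default_md       = sha256
default_crl_days = 7
# Name of the section holding the CRL extensions.
crl_extensions   = crl_ext

[ crl_ext ]
authorityKeyIdentifier   = keyid:always
# IDP is marked critical and takes its fields from a separate section.
issuingDistributionPoint = critical, @idp_section

[ idp_section ]
# Where this CRL is published; should match the CRL distribution point
# named in the certificates it covers.
fullname    = URI:http://crl.example.test/indirect.crl
# Declares that the CRL may list certificates issued by other CAs.
indirectCRL = TRUE
```

As the reply notes, issuing such a CRL does not mean OpenSSL will verify it properly, so test validation with the relying software that will actually consume it.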