Dr. Stephen Henson wrote:
> On Fri, Nov 10, 2006, Jean-Marc Desperrier wrote:
>> [...]
>> That led me to use a modified index.txt with "openssl ca
>> -gencrl" where the entries are not in the order of the serial number.
>> But the crl openssl generates always has the certificate entries
>> reordered in the order of their serial number.
>> [...]
>
> No there's no requirement to do that just OpenSSL does it that way. When it
> uses CRLs it can reorder the revoked entries into serial number order so if
> they are presorted that saves a bit of time.
>
> You can stop this by commenting out the X509_crl_sort() line in apps/ca.c

Thanks, that will be helpful. Just, that's X509_CRL_sort :-)

Whilst we're at it: in the documentation for openssl ca, I think it
would be best to mention in the "-crlexts section" paragraph that the
CRL number extension should be set by using the crlnumber configuration
file option, and not through that section.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager [EMAIL PROTECTED]
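
The configuration layout suggested in the last message, as an added example that is not part of the original thread or of the OpenSSL documentation. The section names and the ./demoCA paths follow the sample openssl.cnf and are assumptions about the local setup.

```ini
# Constructed example: CA section of an openssl.cnf used with "openssl ca -gencrl".
[ ca ]
default_ca      = CA_default

[ CA_default ]
dir             = ./demoCA             # assumed CA directory
database        = $dir/index.txt       # revocation database read by -gencrl
certificate     = $dir/cacert.pem
private_key     = $dir/private/cakey.pem
default_md      = sha256
default_crl_days = 30

# The CRL number comes from this option. The file holds the next CRL
# number in hex (for example "01"), and the extension is only added to
# the CRL when the file exists.
crlnumber       = $dir/crlnumber

# Section used for the remaining CRL extensions; it can also be
# selected on the command line with "-crlexts crl_ext".
crl_extensions  = crl_ext

[ crl_ext ]
# Other CRL extensions go here.
authorityKeyIdentifier = keyid:always
# Per the thread: do not set the CRL number in this section,
# use the crlnumber option above instead.
# crlNumber = 1
```

After generating a CRL with `openssl ca -gencrl -out crl.pem`, `openssl crl -in crl.pem -noout -text` prints the CRL number extension and the revoked entries in the order they were written.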