I have now excluded the issuer from both the end entity cert and the
CRL, so only the keyid is being injected.  The result is the same: both IE
and FF report an error that the CRL is invalid.  Here is what I am using
in the extensions config file for the CRL:
 
####################################################################
[ ca ]
default_ca = CA_default              # The default ca section

####################################################################
[ CA_default ]

dir            = $dir                # Where everything is kept (as posted,
                                     # $dir refers to itself; the real CA
                                     # directory is not shown in the post)
database       = $dir/index.txt      # database index file
crlnumber      = $dir/crlnum
unique_subject = no

# The section below is only applied to a CRL when it is referenced, either
# with crl_extensions = crl_ext in [ CA_default ] or with -crlexts crl_ext
# on the "openssl ca -gencrl" command line.
[ crl_ext ]
authorityKeyIdentifier=keyid:always
 
 
 
Here is what I have in the extensions for the cert:
 
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always
crlDistributionPoints=URI:http://crl1.networksolutions.com/SiteSafeSSL.crl,URI:http://crl2.networksolutions.com/SiteSafeSSL.crl
basicConstraints = critical, CA:false
keyUsage=critical, digitalSignature, keyEncipherment
extendedKeyUsage=serverAuth, clientAuth
nsCertType = server, client
 
certificatePolicies=ia5org,@polsect1
 
[polsect1]
 
policyIdentifier = 1.3.6.1.4.1.782.1.2.1.19.1
CPS=http://www.networksolutions.com/legal/SSL-legal-repository-cps-SiteSafe.jsp
 
Again, here are the URLs for the CRL and the test site:
 
http://crl1.networksolutions.com/SiteSafeSSL.crl
https://www.netsol-test-site-4.com
 
I am really hoping that I am missing something really simple here.  Any
help with this would be much appreciated.
 
Regards,
Don
 

Donald E. Bynum
Director, Architecture & Integration
 

O: 703.668.5616   |  M: 301.367.2072  |  www.networksolutions.com

 

________________________________

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Bynum, Don
Sent: Saturday, September 15, 2007 3:54 PM
To: openssl-users@openssl.org
Subject: RE: [openssl-users] Bad CRL being generated - Help


That is an interesting and accurate observation.  I agree that the
issuer and authority should be the same; that I can fix.  Another
question, though: if I had not included the issuer in the cert or in the
CRL, i.e. only had the authority keyid present (which is the same in
the CRL and the cert), do you think that the problem would still have
been there?
 
Regards,
Don Bynum
 
Donald E. Bynum
Director, Architecture & Integration

O: 703.668.5616   |  M: 301.367.2072  |  www.networksolutions.com
 

________________________________

From: [EMAIL PROTECTED] on behalf of Erwann ABALEA
Sent: Sat 9/15/2007 14:37
To: openssl-users@openssl.org
Subject: Re: [openssl-users] Bad CRL being generated - Help



Good evening,

Today is a.d. XVII Kal. Oct. MMVII (15 September 2007); Bynum, Don wrote:
> I have been setting up a CA and have one hurdle which I cannot figure
> out.  I have generated a CRL (currently with no revoked certs).  It is
> referenced in the CRL Distribution Points extension of the end entity
> certs.  I can open the CRL with IE by browsing to the CRL URI.  I can
> import it into Firefox.  However, when browsing to a site (IE or FF) with
> a cert from the CA of the CRL, I get an error saying that the CRL is
> invalid.
>
> You can see this for yourself:
> [1]http://crl1.networksolutions.com/SiteSafeSSL.crl
> A test site for this is at [2]https://www.netsol-test-site-4.com

Taken from the CRL:

Issuer: /CN=SiteSafe SSL/O=Network Solutions LLC/C=US
        CRL extensions:
            X509v3 Authority Key Identifier:
                keyid:2A:CB:BC:20:CE:C6:DF:9A:1C:AD:A5:C6:38:86:BB:5C:01:32:A6:B4
                DirName:/C=US/O=Network Solutions LLC/CN=SiteSafe
                serial:0A

The Issuer and authorityKeyIdentifier/DirName should point to the same
authority, i.e. should have the exact same name. Order is important,
and it's reversed here.

I think that the usual software doesn't use the DirName and/or serial
part of the authorityKeyIdentifier extension, only the keyId (and in
fact, in some tests I made a few months ago, Firefox didn't follow the
keyId, while IE did). So I assume that the validating software uses the
Issuer field of the CRL to check whether it has been signed by the same
CA. My guess is that the real name of your CA is the one we can see in
the extension, not the one set in the Issuer field. Could you check it?

--
Erwann ABALEA <[EMAIL PROTECTED]>
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
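The following script is an added example, not code from either poster or from the OpenSSL project. It builds a throwaway CA with the openssl CLI, issues one end-entity cert and two CRLs, and runs the checks Erwann describes: it compares the CRL Issuer with the CA subject, the CRL AKID keyid with the CA SKID, and finishes with a full `openssl verify -crl_check`. The second CRL (bad.crl) is signed with the same CA key, but under a certificate whose subject has the RDNs in the reverse order, so its keyid matches while its Issuer does not, which is the situation in the CRL dump above. All names, paths and the CDP URL are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not code from the thread. Builds a throwaway CA, an EE cert
# and two CRLs with the openssl CLI, then runs the checks a relying party
# makes on a CRL: Issuer name, AKID keyid, signature. bad.crl is signed with
# the SAME CA key (AKID keyid matches) but its Issuer DN has the RDNs in
# reverse order. All names, paths and the CDP URL are assumptions.
set -eu
WORK="${WORK:-$(mktemp -d)}"

write_config() {  # minimal "openssl ca" config; $dir is expanded by OpenSSL, not the shell
  cat > "$WORK/ca.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = $WORK
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
serial = \$dir/serial
crlnumber = \$dir/crlnum
certificate = \$dir/ca.crt
private_key = \$dir/ca.key
default_md = sha256
default_days = 365
default_crl_days = 30
policy = policy_any
unique_subject = no
crl_extensions = crl_ext
[ policy_any ]
commonName = supplied
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = Example Test CA
O = Example LLC
C = US
[ v3_ca ]
subjectKeyIdentifier = hash
basicConstraints = critical, CA:true
keyUsage = critical, keyCertSign, cRLSign
[ ee_ext ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
basicConstraints = critical, CA:false
keyUsage = critical, digitalSignature, keyEncipherment
crlDistributionPoints = URI:http://crl.example.test/example.crl
[ crl_ext ]
authorityKeyIdentifier = keyid:always
EOF
}
setup_pki() {
  if [ -f "$WORK/bad.crl" ]; then return 0; fi
  write_config
  mkdir -p "$WORK/newcerts"; : > "$WORK/index.txt"
  echo 'unique_subject = no' > "$WORK/index.txt.attr"
  echo 01 > "$WORK/serial"; echo 01 > "$WORK/crlnum"
  {
    # CA (subject order CN, O, C from [dn]) and an EE cert it signs
    openssl req -new -x509 -newkey rsa:2048 -nodes -days 365 -config "$WORK/ca.cnf" \
      -extensions v3_ca -keyout "$WORK/ca.key" -out "$WORK/ca.crt"
    openssl req -new -newkey rsa:2048 -nodes -config "$WORK/ca.cnf" \
      -subj "/CN=www.example.test" -keyout "$WORK/ee.key" -out "$WORK/ee.csr"
    openssl ca -batch -notext -config "$WORK/ca.cnf" -extensions ee_ext \
      -in "$WORK/ee.csr" -out "$WORK/ee.crt"
    # good.crl: Issuer is ca.crt's subject, AKID keyid is ca.crt's SKID
    openssl ca -config "$WORK/ca.cnf" -gencrl -out "$WORK/good.crl"
    # ca2.crt: same key as ca.crt, RDN order reversed (C, O, CN)
    openssl req -new -x509 -key "$WORK/ca.key" -days 365 -config "$WORK/ca.cnf" \
      -extensions v3_ca -subj "/C=US/O=Example LLC/CN=Example Test CA" -out "$WORK/ca2.crt"
    # bad.crl: same signing key (same AKID keyid) but Issuer taken from ca2.crt
    openssl ca -config "$WORK/ca.cnf" -gencrl -cert "$WORK/ca2.crt" \
      -keyfile "$WORK/ca.key" -out "$WORK/bad.crl"
  } >/dev/null 2>"$WORK/openssl.log"
}
# Names in RFC 2253 form so they can be compared as strings
crl_issuer()   { openssl crl  -in "$1" -noout -issuer  -nameopt RFC2253 | sed 's/^issuer= *//'; }
cert_subject() { openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'; }
# Key identifiers as colon-separated hex; pre-3.0 openssl prints a "keyid:" prefix
cert_skid() { openssl x509 -in "$1" -noout -text |
  awk '/Subject Key Identifier/ { getline; gsub(/ /, ""); print; exit }'; }
crl_akid()  { openssl crl  -in "$1" -noout -text |
  awk '/Authority Key Identifier/ { getline; gsub(/ /, ""); sub(/^keyid:/, ""); print; exit }'; }
# Path validation with CRL checking; prints OK or FAIL, openssl's own
# diagnostics (e.g. which CRL lookup error it hit) go to $WORK/verify.log
verify_with_crl() {  # $1 = CA cert, $2 = CRL, $3 = EE cert
  if openssl verify -crl_check -CAfile "$1" -CRLfile "$2" "$3" >>"$WORK/verify.log" 2>&1
  then echo OK; else echo FAIL; fi
}

setup_pki
printf 'CA subject  : %s\nCA SKID     : %s\n' "$(cert_subject "$WORK/ca.crt")" "$(cert_skid "$WORK/ca.crt")"
for c in good bad; do
  printf '%s.crl issuer : %s\n' "$c" "$(crl_issuer "$WORK/$c.crl")"
  printf '%s.crl AKID   : %s\n' "$c" "$(crl_akid "$WORK/$c.crl")"
  printf '%s.crl verify : %s\n' "$c" "$(verify_with_crl "$WORK/ca.crt" "$WORK/$c.crl" "$WORK/ee.crt")"
done
```

Both CRLs carry the same AKID keyid, yet only good.crl verifies: OpenSSL matches a CRL to a certificate by comparing the CRL Issuer with the certificate's issuer name (RDN order included) before it ever looks at the key identifier, so a CRL whose Issuer is the CA's name in a different order is not accepted for that certificate, and the keyid does not rescue it. Check `$WORK/verify.log` for the exact error text your OpenSSL version reports, and run the three comparison functions against a real CRL and CA certificate to spot the same mismatch without a browser.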

