On 28 Oct 2013, at 11:56, redpath <redp...@us.ibm.com> wrote:

> I would like to know why the openssl CA command to revoke a cert (myfiletorevoke)
> needs the CA cert other than the cert I want to revoke.
>
> openssl ca -revoke myfiletorevoke -keyfile cakey -cert cacert -passin pass:CApass -config myconfig
>
> I noticed that the command does not modify the cert I want to revoke anyway,
> well at least the date stays the same and the -text shown is the same.
If you parse the resulting CRL file (openssl crl -inform DER -in file.crl -text -noout) you'll notice that it contains the Issuer and Authority Key Identifier; these are taken from the CA cert. While for each entry the serial # is taken from the cert you are revoking.

There is not much checking done - so it is quite possible (and sometimes useful in case of complex cross signing/separate revocation trees as often used in Europe) to add a serial # of a cert with a different Authority Key Identifier to a signed CRL file.

Hope that helps.

Dw.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
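The fields the reply describes, worked in Python with the `cryptography` package as an added example (not code from the thread or from OpenSSL): `build_crl` does what `openssl ca -gencrl` does, taking Issuer and Authority Key Identifier from the CA cert and serial numbers from whatever it is handed, and `crl_applies_to` is the relying-party check that ties a CRL back to the right CA before its serial list is consulted. CA names, keys and serial numbers are constructed for the demo.

```python
import datetime
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec

NOW = datetime.datetime(2013, 10, 28, tzinfo=datetime.timezone.utc)  # fixed clock for the demo

def _aki_for(ca_cert):  # the CA's own SKI, which openssl copies into issued certs and the CRL
    ski = ca_cert.extensions.get_extension_for_class(x509.SubjectKeyIdentifier).value
    return x509.AuthorityKeyIdentifier.from_issuer_subject_key_identifier(ski)

def make_ca(cn):
    key = ec.generate_private_key(ec.SECP256R1())  # constructed demo key, not a real CA
    name = x509.Name([x509.NameAttribute(x509.NameOID.COMMON_NAME, cn)])
    cert = (x509.CertificateBuilder().subject_name(name).issuer_name(name)
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(NOW).not_valid_after(NOW + datetime.timedelta(days=365))
            .add_extension(x509.SubjectKeyIdentifier.from_public_key(key.public_key()), critical=False)
            .sign(key, hashes.SHA256()))
    return key, cert

def issue_leaf(ca_key, ca_cert, cn, serial):
    key = ec.generate_private_key(ec.SECP256R1())
    return (x509.CertificateBuilder()
            .subject_name(x509.Name([x509.NameAttribute(x509.NameOID.COMMON_NAME, cn)]))
            .issuer_name(ca_cert.subject).public_key(key.public_key()).serial_number(serial)
            .not_valid_before(NOW).not_valid_after(NOW + datetime.timedelta(days=90))
            .add_extension(_aki_for(ca_cert), critical=False).sign(ca_key, hashes.SHA256()))

def build_crl(ca_key, ca_cert, serials):
    # Mirrors `openssl ca -gencrl`: issuer name and AKI come from the CA cert, one entry
    # per serial number. Nothing here checks that this CA ever issued those serials.
    b = (x509.CertificateRevocationListBuilder().issuer_name(ca_cert.subject)
         .last_update(NOW).next_update(NOW + datetime.timedelta(days=30))
         .add_extension(_aki_for(ca_cert), critical=False))
    for s in serials:
        b = b.add_revoked_certificate(
            x509.RevokedCertificateBuilder().serial_number(s).revocation_date(NOW).build())
    return b.sign(ca_key, hashes.SHA256())

def crl_applies_to(crl, cert, ca_cert):
    # Relying-party check: same issuer name, CRL AKI equal to the CA's SKI, valid CA signature.
    aki = crl.extensions.get_extension_for_class(x509.AuthorityKeyIdentifier).value.key_identifier
    return (crl.issuer == cert.issuer == ca_cert.subject and aki == _aki_for(ca_cert).key_identifier
            and crl.is_signature_valid(ca_cert.public_key()))

def is_revoked(cert, crl, ca_cert):
    if not crl_applies_to(crl, cert, ca_cert):  # a foreign CRL says nothing about cert
        raise ValueError("CRL was not issued by this certificate's CA")
    return crl.get_revoked_certificate_by_serial_number(cert.serial_number) is not None
```

A CRL signed by a different key under the same CA name fails the AKI comparison, which is the distinction the reply's cross-signing remark turns on.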