I am using 1.0.2g. CRL checking works fine on my certificate when I download 
and save CRL in PEM format locally.

I noticed that “openssl verify” has this option:
-crl_download
           Attempt to download CRL information for this certificate.

But it does not work for me. The CRL URL embedded in my certificate points to 
a CRL file in DER format; maybe this is the reason “download” didn’t work?

If I want to enable “automatic download” in C code, do I have to provide a 
callback to X509_STORE_set_lookup_crls_cb, or is there a simpler way (e.g. a 
flag)?
If I must provide such a callback, do I need to handle DER vs PEM encoding in 
the callback?

Thanks much.

-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
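
On the DER-versus-PEM question raised above, an added example that is not part of the original post and not OpenSSL code: a small check a CRL lookup callback could run on the fetched bytes before choosing between d2i_X509_CRL (DER) and PEM_read_bio_X509_CRL (PEM). The helper name `crl_sniff_encoding` and the sample buffers are assumptions made for illustration, and the DER branch is a structural sniff, not full validation.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

enum crl_encoding { CRL_ENC_UNKNOWN, CRL_ENC_DER, CRL_ENC_PEM };

/* Hypothetical helper (not an OpenSSL API): classify a fetched CRL buffer. */
enum crl_encoding crl_sniff_encoding(const unsigned char *buf, size_t len)
{
    static const char armor[] = "-----BEGIN X509 CRL-----";
    size_t i = 0, n, k, content, off, alen = sizeof(armor) - 1;

    if (buf == NULL || len < 2)
        return CRL_ENC_UNKNOWN;

    /* PEM: optional leading whitespace, then the CRL armor line. */
    while (i < len && (buf[i] == ' ' || buf[i] == '\t' ||
                       buf[i] == '\r' || buf[i] == '\n'))
        i++;
    if (len - i >= alen && memcmp(buf + i, armor, alen) == 0)
        return CRL_ENC_PEM;

    /* DER: outer SEQUENCE (0x30) whose definite length spans the buffer. */
    if (buf[0] != 0x30)
        return CRL_ENC_UNKNOWN;
    if (buf[1] < 0x80) {            /* short form: length in one octet */
        content = buf[1];
        off = 2;
    } else {                        /* long form: low 7 bits = length octets */
        n = buf[1] & 0x7f;
        if (n == 0 || n > sizeof(size_t) || len - 2 < n)
            return CRL_ENC_UNKNOWN; /* indefinite length is BER, not DER */
        for (content = 0, k = 0; k < n; k++)
            content = (content << 8) | buf[2 + k];
        off = 2 + n;
    }
    /* Truncated downloads and trailing junk both fail this comparison. */
    return content == len - off ? CRL_ENC_DER : CRL_ENC_UNKNOWN;
}

int main(void)
{
    /* Constructed samples, not real CRLs. */
    const unsigned char der[] = { 0x30, 0x03, 0x02, 0x01, 0x01 };
    const char pem[] = "-----BEGIN X509 CRL-----\nMIIB\n-----END X509 CRL-----\n";

    printf("der=%d pem=%d\n", crl_sniff_encoding(der, sizeof(der)),
           crl_sniff_encoding((const unsigned char *)pem, strlen(pem)));
    return 0;
}
```

A buffer classified as unknown (an HTML error page, a truncated transfer) should be treated as a failed CRL fetch rather than passed to either decoder.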