indirectCRLs

2006-10-20 Thread Karsten Ohme
Hello,

I have created a CA and want to generate CRLs for another CA, i.e. an
indirectCRL. How can this be done with the command line? I also want to
add CRL extensions to it. What is the syntax for the
IssuingDistributionPoint extension in openssl.cnf?

Regards, Karsten
__
OpenSSL Project http://www.openssl.org
User Support Mailing List   openssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]


Re: indirectCRLs

2006-10-20 Thread Dr. Stephen Henson
On Fri, Oct 20, 2006, Karsten Ohme wrote:

> I have created a CA and want to generate CRLs for another CA, i.e. an
> indirectCRL. How can this be done with the command line? I also want to
> add CRL extensions to it. What is the syntax for the
> IssuingDistributionPoint extension in openssl.cnf?

Currently OpenSSL CRL generation is only possible through the 'ca' utility so
you need to set up (or generate) files in the appropriate format for it. You'd
have to configure it so that the CRL issuer certificate is set up as the CA
for the ca utility.

IDP has only been recently added to OpenSSL so you need the 0.9.9-dev version
to use it. Documentation is available, though the website didn't update it for
some reason. Check the docs with 0.9.9-dev or:

http://www.openssl.org/docs/apps/x509v3_config.html#Issuing_Distribution_Point

Note that currently OpenSSL will not verify such a CRL properly though it can
be made to issue one.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
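
The setup described in the reply above, as an added example that is not part of the original thread or the OpenSSL project's own files: a minimal configuration that makes the CRL issuer certificate "the CA" for the `ca` utility and attaches an IssuingDistributionPoint extension with `indirectCRL` set. All paths, section names and the URI are placeholder assumptions, and it requires an OpenSSL build with IDP support (0.9.9-dev at the time of the reply).

```ini
# Constructed example: crlissuer.cnf, a config for a dedicated CRL issuer.
# Paths, section names and the URI below are placeholders.
#
# Generate the CRL:
#   openssl ca -config crlissuer.cnf -gencrl -out indirect.crl
# Inspect the result and confirm the IDP extension is present:
#   openssl crl -in indirect.crl -noout -text

[ ca ]
default_ca = crl_issuer

[ crl_issuer ]
dir              = ./crlissuer
# The CRL issuer's certificate and key take the place of the CA's.
# The certificate should carry the cRLSign key usage.
certificate      = $dir/crlissuer.pem
private_key      = $dir/private/crlissuer.key
# Revocation entries, in the index format the ca utility expects.
database         = $dir/index.txt
# Must already exist and hold the next CRL number in hex, e.g. 01.
crlnumber        = $dir/crlnumber
default_md       = sha256
default_crl_days = 7
# Extensions added to every CRL this section issues.
crl_extensions   = crl_ext

[ crl_ext ]
authorityKeyIdentifier   = keyid:always
# RFC 5280 requires the IDP extension to be marked critical.
issuingDistributionPoint = critical, @idp_section

[ idp_section ]
# Where relying parties fetch this CRL (placeholder URI).
fullname    = URI:http://crl.example.test/indirect.crl
# Marks the CRL as indirect: it may list certificates of other issuers.
indirectCRL = TRUE
```

As the reply notes, being able to issue such a CRL does not mean the same OpenSSL version will verify it, so check what the relying-party software does with a critical IDP before depending on it.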