[openssl-users] Anyone using cert verification with indirect crls?

2016-04-20 Thread weber
Dear OpenSSL users, currently using openssl version 1.0.1d on Win32 and Linux and we're about to use indirect crls. The main intent is to keep the RCAs secrets in a vault. Since we found no commandline support for this, we wrote a class to generate the needed crls. Verifying a end-e

Re: [openssl-users] OCSP service dependant on time valid CRLs

2015-12-13 Thread daniel bryan
ing this? Is it more safe to completely disregard an expired CRLs? --Dan On Fri, Dec 11, 2015 at 9:15 AM Erwann Abalea wrote: > Bonjour, > > The problem with signing with a default certificate is that the response > certainly won’t be accepted by the client (see RFC6960 section 4.2.2

Re: [openssl-users] OCSP service dependant on time valid CRLs

2015-12-11 Thread Erwann Abalea
» may seem a correct answer also, but not quite (see below). The meaning of those different results is explained in RFC6960 and RFC5019. Of course, if you’re using CRLs as an authoritative source of certificate status, RFC5280 is to be read also. Reading the algorithm described in RFC5280 section

Re: [openssl-users] OCSP service dependant on time valid CRLs

2015-12-10 Thread socket
t;> does the OCSP responder cert be the signing cert itself or was it signed >> by the same signing cert that signed the cert you want to validate? >> >> or specific to your sample: did CAS/IC\ ABC\ CA3\ DEV.cer sign both >> CERTS/0x500c8bd-revoked.pem and the OCSP respon

Re: [openssl-users] OCSP service dependant on time valid CRLs

2015-12-10 Thread Erwann Abalea
Bonsoir, The OCSP responder can respond « unknown » if it doesn’t know the status of the requested certificate. « Unknown » can generally not be used when the issuer is not known, because such a response is signed, and if the responder doesn’t know about the issuer, it can’t choose its own cert

Re: [openssl-users] OCSP service dependant on time valid CRLs

2015-12-10 Thread socket
ssl.org/mailman/listinfo/openssl-users > > *smime.p7s* (5K) Download Attachment > <http://openssl.6102.n7.nabble.com/attachment/61605/0/smime.p7s> > > > -- > If you reply to this email, your message will be added to the discussion > below: > > http://openssl.6102.n

Re: [openssl-users] OCSP service dependant on time valid CRLs

2015-12-10 Thread Walter H.
Hi Dan, On 10.12.2015 16:27, daniel bryan wrote: *TEST #2: *Next test was using OCSP: [dan@canttouchthis PKI]$ openssl ocsp -CAfile CAS/cabundle.pem -VAfile VAS/def_ocsp.pem -issuer CAS/IC\ ABC\ CA3\ DEV.cer -cert CERTS/0x500c8bd-revoked.pem -url http://ocspresponder:8080 /Response verify O

[openssl-users] OCSP service dependant on time valid CRLs

2015-12-10 Thread daniel bryan
Hello, I was researching how expired CRLs affect revocation checking via openssl. * TEST #1: *The first test was to find out what status is returned when i verify a certificate against the CRL: [dan@canttouchthis PKI]$ openssl verify -CAfile CAS/cabundle.pem -CRLfile CRLS/ABC-expired.crl

Re: X509_verify_cert: How to retrieve the actual CRLs used to verify a certificate?

2014-11-20 Thread Stephan Mühlstrasser
Am 19.11.14 um 17:20 schrieb Stephan Mühlstrasser: Hi, via X509_LOOKUP_load_file() resp. X509_LOOKUP_add_dir() I'm adding a PEM file containing multiple CRLs and/or a directory containing hashed CRL files to a X509_STORE. Then I'm using the X509_verify_cert() function to verify a c

X509_verify_cert: How to retrieve the actual CRLs used to verify a certificate?

2014-11-19 Thread Stephan Mühlstrasser
Hi, via X509_LOOKUP_load_file() resp. X509_LOOKUP_add_dir() I'm adding a PEM file containing multiple CRLs and/or a directory containing hashed CRL files to a X509_STORE. Then I'm using the X509_verify_cert() function to verify a certificate. After verification is successful, I

Re: [openssl-users] X509 CRLs

2013-08-27 Thread Erwann Abalea
Bonjour, Le 27/08/2013 18:14, Thaddeus Fuller a écrit : Hello all, I had a couple questions about X509 CRLs. 1) It appears that OpenSSL does not check my tree against the CRLs I provide. If I revoke my own leaf certificate, and establish mutually-authenticated SSL, OpenSSL does not prevent

X509 CRLs

2013-08-27 Thread Thaddeus Fuller
Hello all, I had a couple questions about X509 CRLs. 1) It appears that OpenSSL does not check my tree against the CRLs I provide. If I revoke my own leaf certificate, and establish mutually-authenticated SSL, OpenSSL does not prevent the connection from going through. However if I revoke the

Problem with openssl verify -crl_check for multiple CRLs

2013-07-12 Thread Joacim Kosonen
Hello, I've encountered a strange problem with multiple CRLs and authentication. I've been using a script to download and prepare roughly 200 CRLs, placing them in the correct folder and rehashing them as is proper. I tell (in this case) freeradius to use the external command open

X509_LOOKUP_hash_dir() for CRLs

2013-04-18 Thread Krzysztof Konopko
In the OpenSSL API there's a method for looking up certificates/CRLs in the given directory based on a hash. Namely X509_LOOKUP_hash_dir() (see x509_vfy.h). The typical usage is to add X509_LOOKUP_hash_dir() to the X509_STORE store and then add directories to the lookup object. Usuall

Re: MIME types for PEM encoded CRLs

2012-10-27 Thread Peter Sylvester
On 10/27/2012 02:51 PM, Graham Leggett wrote: Section 4.1 says: Encoding considerations: will be none for 8-bit transports and most likely Base64 for SMTP or other 7-bit transports What I'm after is how to interpret section 4.1 in the context of HTTP content negotiation. Regards, Graham

Re: MIME types for PEM encoded CRLs

2012-10-27 Thread Graham Leggett
he CRL >> is PEM encoded or DER encoded. >> >> Is there a Content-Encoding for PEM specified somewhere? >> >> Would "Content-Encoding: base64" be good enough, or should this be >> "Content-Encoding: x-base64"? (Or perhaps "pem" o

Re: MIME types for PEM encoded CRLs

2012-10-27 Thread Stefan H. Holek
DER encoded. > > Is there a Content-Encoding for PEM specified somewhere? > > Would "Content-Encoding: base64" be good enough, or should this be > "Content-Encoding: x-base64"? (Or perhaps "pem" or "x-pem"). The same RFC also says tha

MIME types for PEM encoded CRLs

2012-10-27 Thread Graham Leggett
Hi all, I understand as per RFC2585 that the MIME type for a CRL is application/pkix-crl, but I am struggling to figure out whether there is a way to specify using MIME types and/or content negotiation whether the CRL is PEM encoded or DER encoded. Is there a Content-Encoding for PEM specified

Re: Problem with chaining certs and CRLS

2012-03-01 Thread mario piccinelli
do is build a three level chain to sign files: >> - a root cert >> - an user cert >> - and end cert >> >> At the user level a revocation list can be produced to revoke the user's end >> certs. >> I create a PEM file with a detached signature, and I includ

Re: Problem with chaining certs and CRLS

2012-03-01 Thread mario piccinelli
to revoke the user's end >> certs. >> I create a PEM file with a detached signature, and I include in that the >> user cert and the end cert. >> >> After receiving the file, I do the following: >> - concatenate all the CRLs AND the root cert in

Re: Problem with chaining certs and CRLS

2012-03-01 Thread Jakob Bohm
ion list can be produced to revoke the user's end certs. I create a PEM file with a detached signature, and I include in that the user cert and the end cert. After receiving the file, I do the following: - concatenate all the CRLs AND the root cert in a single file named chain.tmp - extrac

Problem with chaining certs and CRLS

2012-03-01 Thread mario piccinelli
#x27;s end certs. I create a PEM file with a detached signature, and I include in that the user cert and the end cert. After receiving the file, I do the following: - concatenate all the CRLs AND the root cert in a single file named chain.tmp - extract the certs from the SMIME message: openss

Re: Need Help with Programmatic Downloading+Checking of CRLs

2011-03-18 Thread Jeff Saremi
{ ok = check_cert(ctx); if (!ok) return ok; } } return 1; } crl_check_required(int i) in the default (most simplistic case) could just do a check on CRLDP in the certificate. And if as

Re: Need Help with Programmatic Downloading+Checking of CRLs

2011-03-17 Thread Dr. Stephen Henson
On Wed, Mar 16, 2011, Jeff Saremi wrote: > So as per previous posts, I implemented lookup_crl(). > Now one of the major problems is what do I return from this method, if > the certificate has no CRL distribution points! > Returning an empty stack causes get_crl_delta() to fail. > Is there a flag t

Re: Need Help with Programmatic Downloading+Checking of CRLs

2011-03-17 Thread Jeff Saremi
So as per previous posts, I implemented lookup_crl(). Now one of the major problems is what do I return from this method, if the certificate has no CRL distribution points! Returning an empty stack causes get_crl_delta() to fail. Is there a flag that I can setup to let this cert be excluded from CR

Re: Need Help with Programmatic Downloading+Checking of CRLs

2011-03-16 Thread Jeff Saremi
> Try supplying your own lookup_crls() implementation instead. This can be much > simpler and just needs to return any CRLs which match the supplied X509_NAME > value. If there are multiple CRLs it will pick the most appropriate. > > Steve. > -- > Dr Stephen N. Henson.

Re: Need Help with Programmatic Downloading+Checking of CRLs

2011-03-16 Thread Jeff Saremi
Thanks Patrick. Unfortunately this has be a part of our code to run on various platforms. If you know of any openssl-based implementation that does this and is opensource please let me know so at least I could use that as an example. > > Patrick Patterson > Tue, 15 Mar 2011 13:11:11 -0700 > > Hi

Re: Need Help with Programmatic Downloading+Checking of CRLs

2011-03-15 Thread Dr. Stephen Henson
et. Try supplying your own lookup_crls() implementation instead. This can be much simpler and just needs to return any CRLs which match the supplied X509_NAME value. If there are multiple CRLs it will pick the most appropriate. Steve. -- Dr Stephen N. Henson. OpenSSL project core developer. Commerci

Re: Need Help with Programmatic Downloading+Checking of CRLs

2011-03-15 Thread Jeff Saremi
Here are some more interesting points that I'm banging my head against the wall until I find the answer: - Overwriting get_crl forces you to provide your own CRL checking logic as well. Specifically two things need to be set during this check which are required within check_cert(): a) score of this

Re: Need Help with Programmatic Downloading+Checking of CRLs

2011-03-15 Thread Patrick Patterson
Hi Jeff: If you are looking for a solution that not only handles CRL but OCSP as well, you might want to check out Pathfinder: http://www.carillon.ca/tools/pathfinder.php It allows you to easily add a custom callback to the _verify() routines that will enable all of this. It also does caching

Need Help with Programmatic Downloading+Checking of CRLs

2011-03-15 Thread Jeff Saremi
I seriously need help with this piece. I searched the forum and I could not find what i was looking for. During an SSL handshake, I need to be able to examine the CRL distribution points on a certificate (chain), download them, and pass them along to OpenSSL for further revocation checks. I thought

Re: Signed Certificates and Revoking the Certs with CRLs

2010-10-01 Thread Dr. Stephen Henson
e CRL version 2 ??? > > In my network system, I have a Linux machine that has its own certificate, > and we have an external EJBCA server that we use to revoke certificates and > generate CRLs. The EJBCA supports CRLs per RFC 5280, which supposedly means > that it supports X.509 versio

Re: Signed Certificates and Revoking the Certs with CRLs

2010-10-01 Thread Tomas Gustavsson
Hmm, I use v2 CRLs (issued from EJBCA) all the time with apache mod_ssl for example, and that uses openssl in the back-end of course. No problems there. All on Linux machines as well. If openssl can check the CRLs, e.g. with 'openssl crl' it should be no problem. If you ge

RE: Signed Certificates and Revoking the Certs with CRLs

2010-09-30 Thread Hasan Rezaul-CHR010
own certificate, and we have an external EJBCA server that we use to revoke certificates and generate CRLs. The EJBCA supports CRLs per RFC 5280, which supposedly means that it supports X.509 version 2 CRLs ? When we revoke the Linux machine's certificate on the EJBCA server, success

Re: Signed Certificates and Revoking the Certs with CRLs

2010-09-27 Thread Tomas Gustavsson
: Certificates and CRLs may be used in conjunction such that certificate CSRs are generated, signed by an authority, then signed certs downloaded and being used on a system. At a later time, the certificate is revoked in the CRL, the CRL.pem file is downloaded on the system, and then the corresponding cert

Re: Signed Certificates and Revoking the Certs with CRLs

2010-09-24 Thread Kyle Hamilton
promulgate the fact that a certificate's status is in abeyance. (The other is OCSP.) For this to work, the end system must update its local copy of the CRL before it can put any trust in it. It is important to note that OpenSSL does not provide a means to *retrieve* CRLs (it doesn'

Signed Certificates and Revoking the Certs with CRLs

2010-09-24 Thread Hasan Rezaul-CHR010
Hi All, Would anyone kindly point me to literature that CLEARLY explains exactly how: Certificates and CRLs may be used in conjunction such that certificate CSRs are generated, signed by an authority, then signed certs downloaded and being used on a system. At a later time, the certificate is

OCSP protocol vs CRLs

2010-07-13 Thread Ingela Andin
Hi! I would like to know what is the most common way to handle certificate revocation? Is it the OCSP protocol or CRLs? Firefox seems to handle both to some extent, but the default seems to be to only use OCSP if the certificate extensions specify a server. My CRL database is empty, but has a manual

Re: openssl 1.0.0, multiple crls same issuer - revoked cert

2010-06-15 Thread Jakob Bohm
dards compliant, but it exists in the real world, As long as the appropriate extensions are included in the CRLs this is fine. The CRL for example would have a critical issuer distribution point extension. That way implementations that don't support IDP will reject the CRL due to an

Re: openssl 1.0.0, multiple crls same issuer - revoked cert

2010-06-15 Thread Dr. Stephen Henson
er. > The mod_ssl code uses OpenSSL to verify the certificate but has its own CRL processing logic: i.e. it looks up CRLs and processes them using its own code. So you'd need to modify mod_ssl. Another issue with mod_ssl is that CRLs are only downloaded when the server starts up: you n

RE: openssl 1.0.0, multiple crls same issuer - revoked cert

2010-06-15 Thread matteo mattau
Hi, when I saw that with mod_ssl the crl check did not work on multiple CRLs of the same issuer, I tried to do the "openssl verify" command specified in my first email, using N files, one for each CRL, with N sym links, or one file (concatenating all CRLs in one file) with on

Re: openssl 1.0.0, multiple crls same issuer - revoked cert

2010-06-15 Thread Dr. Stephen Henson
l number. >>> >>> >> [snip] >> >>>* I don't know if this CA practice is fully standards compliant, but >>> it >>> exists in the real world, >>> >> As long as the appropriate extensions are included in th

Re: openssl 1.0.0, multiple crls same issuer - revoked cert

2010-06-15 Thread Dr. Stephen Henson
On Tue, Jun 15, 2010, matteo mattau wrote: > > Hi, > > since there is no IDP extension in the CRLs, please how can I > > check all the CRLs? > > I'm using apache + mod_ssl (and so openssl) to verify client authentication. > > Please could you help me

RE: openssl 1.0.0, multiple crls same issuer - revoked cert

2010-06-15 Thread matteo mattau
Hi, since there is no IDP extension in the CRLs, please how can I check all the CRLs? I'm using apache + mod_ssl (and so openssl) to verify client authentication. Please could you help me by telling how I can modify the call to "SSL_X509_STORE_lookup" to loop on all "

Re: openssl 1.0.0, multiple crls same issuer - revoked cert

2010-06-15 Thread Jakob Bohm
certificates themselves then contained/contain different CRL download URLs depending on the serial number. [snip] * I don't know if this CA practice is fully standards compliant, but it exists in the real world, As long as the appropriate extensions are included in the

Re: openssl 1.0.0, multiple crls same issuer - revoked cert

2010-06-14 Thread Dr. Stephen Henson
On Mon, Jun 14, 2010, matteo mattau wrote: > > Hi,thanks for attention.The CRLs expires all at the same time, all the CRL > has the same "nextupdate" date and time.So all the CRLs are valid when I use > them to validate the certificate. The situation is the one described

RE: openssl 1.0.0, multiple crls same issuer - revoked cert

2010-06-14 Thread matteo mattau
Hi,thanks for attention.The CRLs expires all at the same time, all the CRL has the same "nextupdate" date and time.So all the CRLs are valid when I use them to validate the certificate. The situation is the one described as "real world". The CA manager has decided togenera

Re: openssl 1.0.0, multiple crls same issuer - revoked cert

2010-06-14 Thread Dr. Stephen Henson
then contained/contain different CRL > download URLs > depending on the serial number. > [snip] > * I don't know if this CA practice is fully standards compliant, but it > exists in the real world, As long as the appropriate extensions are included in the CRLs this is fin

Re: openssl 1.0.0, multiple crls same issuer - revoked cert

2010-06-14 Thread Jakob Bohm
On 14-06-2010 18:47, matteo mattau wrote: Hi, I saw the thread "Multiple CRL with same issuer" on this mailing list, and I have the same problem: for one CA issuer I have 100 CRLs, and if the revoked certificate is not in the first CRL (in my case is the 11th CRL), openssl verify

Re: openssl 1.0.0, multiple crls same issuer - revoked cert

2010-06-14 Thread Dr. Stephen Henson
On Mon, Jun 14, 2010, matteo mattau wrote: > > Hi, > I saw the thread "Multiple CRL with same issuer" on this mailing list, and I > have the > same problem: > > for one CA issuer I have 100 CRLs, and if the revoked certificate is not in > the first CRL >

openssl 1.0.0, multiple crls same issuer - revoked cert

2010-06-14 Thread matteo mattau
Hi, I saw the thread "Multiple CRL with same issuer" on this mailing list, and I have the same problem: for one CA issuer I have 100 CRLs, and if the revoked certificate is not in the first CRL (in my case is the 11th CRL), openssl verify return ok. I have downloaded and install

Re: missing steps with CRLs

2010-02-04 Thread Adam Grossman
u, Feb 04, 2010, Adam Grossman wrote: > > > > > > > > > hello once again, > > > > > > > > > > i am trying to get CRLs working for client certs. i have read about a > > > > > million different ways of doing this, but this is how i

Re: missing steps with CRLs

2010-02-04 Thread Adam Grossman
On Thu, 2010-02-04 at 20:17 +0100, Dr. Stephen Henson wrote: > On Thu, Feb 04, 2010, Adam Grossman wrote: > > > On Thu, 2010-02-04 at 18:09 +0100, Dr. Stephen Henson wrote: > > > On Thu, Feb 04, 2010, Adam Grossman wrote: > > > > > > > hello once again

Re: missing steps with CRLs

2010-02-04 Thread Dr. Stephen Henson
On Thu, Feb 04, 2010, Adam Grossman wrote: > On Thu, 2010-02-04 at 18:09 +0100, Dr. Stephen Henson wrote: > > On Thu, Feb 04, 2010, Adam Grossman wrote: > > > > > hello once again, > > > > > > i am trying to get CRLs working for client certs. i have re

Re: missing steps with CRLs

2010-02-04 Thread Adam Grossman
On Thu, 2010-02-04 at 18:09 +0100, Dr. Stephen Henson wrote: > On Thu, Feb 04, 2010, Adam Grossman wrote: > > > hello once again, > > > > i am trying to get CRLs working for client certs. i have read about a > > million different ways of doing this,

Re: missing steps with CRLs

2010-02-04 Thread Dr. Stephen Henson
On Thu, Feb 04, 2010, Adam Grossman wrote: > hello once again, > > i am trying to get CRLs working for client certs. i have read about a > million different ways of doing this, but this is how i am doing it: > > X509_CRL *x509_c; > X509_STORE *store = SSL_CTX_get_cert_stor

missing steps with CRLs

2010-02-04 Thread Adam Grossman
hello once again, i am trying to get CRLs working for client certs. i have read about a million different ways of doing this, but this is how i am doing it: X509_CRL *x509_c; X509_STORE *store = SSL_CTX_get_cert_store(ctx); X509_LOOKUP* lu = X509_STORE_add_lookup(store, X509_LOOKUP_file

Re: CRL Directory with DER crls

2010-01-07 Thread Shane Steidley
Ok I was close.  If anyone is interested, you can set up a directory of CRLs in DER format by making the following calls: X509_LOOKUP *lookup = X509_STORE_add_lookup(x509_store, X509_LOOKUP_hash_dir()); X509_LOOKUP_add_dir(lookup,path,X509_FILETYPE_ASN1); After a little research I realized that

CRL Directory with DER crls

2010-01-06 Thread Shane Steidley
Hello, I have a CRL directory that works fine with pem formatted CRLs. I'm using SSL_CTX_load_verify_locations(...), to set up the directory with pem encoded crls. I need to get a directory to work with der encoded CRLs. After digging through some source I thought I might be able

can i use indirect crls with SSL_CTX ?

2009-12-15 Thread Adam Rosenstein
If so, am I supposed to use X509_STORE_add* for the indirect crl signer cert and the iCRL? -Adam Rosenstein

CRLs from CrlDistributionPoints

2009-10-01 Thread Arno Garrels
Hi, I want to implement HTTP download of CRLs from cert's CrlDistributionPoints in my application (if any) and include them in the verify process. What was best practice or best design to do this with OpenSSL? Are there certain callbacks I should use? Or even a sample I missed in the source

Re: Problems with CRLs

2009-06-17 Thread Bram Cymet
I had an off by one error when I tried to read the top of the stack back and that no longer seg faults but I still have the problem when I go to sort and sign the CRL. Bram Cymet wrote: > Sorry I should have been more clear. I am compiling from the 0.9.8k > source off the openssl.org website on li

Re: Problems with CRLs

2009-06-17 Thread Bram Cymet
Sorry I should have been more clear. I am compiling from the 0.9.8k source off the openssl.org website on linux. SLES 11 to be exact. Kyle Hamilton wrote: > Er. Which 'build' of openssl, and which website? (There's the > slproweb.com build of OpenSSL for Windows, currently at 0.9.8k; > pre-built

Re: Problems with CRLs

2009-06-17 Thread Kyle Hamilton
Er. Which 'build' of openssl, and which website? (There's the slproweb.com build of OpenSSL for Windows, currently at 0.9.8k; pre-built binaries aren't really available for other platforms.) -Kyle H On Wed, Jun 17, 2009 at 10:44 AM, Bram Cymet wrote: > Hi, > > I am having problems when I call X

Problems with CRLs

2009-06-17 Thread Bram Cymet
Hi, I am having problems when I call X509_CRL_sort and X509_CRL_sign. I am getting a seg fault in the X509_CRL_cmp function. After doing a fair bit of testing I think I have found that when an X509_REVOKED object is added to the revoked stack it is getting corrupted some how. I have tried to read

Re: verify and CRLs

2008-01-16 Thread rfx
It's logical ;-) Thank you Dr Franck ROUSSIA Dr. Stephen Henson a écrit : On Wed, Jan 16, 2008, rfx wrote: "If i all understood" ;-) I have 2 certificates : - One with "keyusage" as AC Certificate "CertAC.cer" - One with "keyusage" as crl signer Certificate "Cert_crlsigner.cer" But they

Re: verify and CRLs

2008-01-16 Thread Dr. Stephen Henson
On Wed, Jan 16, 2008, rfx wrote: > "If i all understood" ;-) > > I have 2 certificates : > - One with "keyusage" as AC Certificate "CertAC.cer" > - One with "keyusage" as crl signer Certificate "Cert_crlsigner.cer" > > But they have the same hash so the name with ".0" extension is the same !! > So

Re: verify and CRLs

2008-01-16 Thread rfx
"If i all understood" ;-) I have 2 certificates : - One with "keyusage" as AC Certificate "CertAC.cer" - One with "keyusage" as crl signer Certificate "Cert_crlsigner.cer" But they have the same hash so the name with ".0" extension is the same !! So when the last file copy is "Cert_crlsigner.cer

Re: verify and CRLs

2008-01-16 Thread Dr. Stephen Henson
On Wed, Jan 16, 2008, rfx wrote: > Yes, i read it > > For the first point, i think that there is not the same subject and issuer, > like the final self-signed certificate of the AC ? > > For the second point, after translating, it's more difficult for me to > understand "keyusage" not to be included ;-) > The point

Re: verify and CRLs

2008-01-16 Thread rfx
Yes, i read it For the first point, i think that there is not the same subject and issuer, like the final self-signed certificate of the AC ? For the second point, after translating, it's more difficult for me to understand "keyusage" not to be included ;-) Thanks Dr Franck ROUSSIA Dr. Stephen Henson a écrit

Re: verify and CRLs

2008-01-16 Thread Dr. Stephen Henson
On Wed, Jan 16, 2008, rfx wrote: > I make a new path using the hash name / ".0" extension for the certificate / ".r0" > extension for the CRL > > The function: 'verify -CApath @CRLCA\ -issuer_checks -crl_check > "SignCertPEM.cer" > > The result is : > SignCertPEM.cer: > /C=FR/O=GIP-CPS/OU=M\xE9decin/CN=0081013

verify and CRLs

2008-01-16 Thread rfx
I make a new path using the hash name / ".0" extension for the certificate / ".r0" extension for the CRL The function: 'verify -CApath @CRLCA\ -issuer_checks -crl_check "SignCertPEM.cer" The result is : SignCertPEM.cer: /C=FR/O=GIP-CPS/OU=M\xE9decin/CN=0081013443/SN=ROUSSIA/GN=FRANCK error 29 at 0 depth lo

How to have overlap time of validity periods in CRLs

2008-01-02 Thread Prabhu S
dity interval extend from T0 to T0+1. But I need to have the validity from (T0-10min + 1), 1 hour 10 min. The client which tries to fetch the CRLs from the database in which our CA simulator stores CRLs, at times complains that the CRL start time is ahead of its time, due to clock skew. Any ideas,

Re: [openssl-users] bug in signing or verifying CRLs ?

2007-12-10 Thread Erwann ABALEA
Hodie III Id. Dec. MMVII est, Stephan Bärwolf scripsit: > probably there exists a bug in current openssl binary (linux & windows) in > signing or verifying certificate revocation lists with moduli-sizes larger > than (2^16)-1 (for example 65536 Bits). Apart from the fact that a 65536 bits key is a "l

bug in signing or verifying CRLs ?

2007-12-10 Thread Stephan Bärwolf
probably there exists a bug in current openssl binary (linux & windows) in signing or verifying certificate revocation lists with moduli-sizes larger than (2^16)-1 (for example 65536 Bits). A valid example is added as a mail attachment. When running "openssl crl -in rootca.crl -CAfile rootca.cer -

Re: Question about Partitioned CRLs; how to split a CRL?

2007-03-19 Thread domi
://www.nabble.com/Question-about-Partitioned-CRLs--how-to-split-a-CRL--tf3419056.html#a9549707

Question about Partitioned CRLs; how to split a CRL?

2007-03-17 Thread domi
Hello, I’ve set up an Apache webserver for some testing purposes. I’ve also built my own little CA, I can create certificates and CRLs (using the commandline for everything). Everything works quite fine but now I’ve got the following question concerning CRL Distribution Points / Partitioned CRLs

Re: A problem with the use of CRLs. I'm still able to access a site although the certificate is revoked.

2007-02-05 Thread domi
. But it is good to know that there is a place where I can ask my OpenSSL questions ;) best regards domi -- View this message in context: http://www.nabble.com/A-problem-with-the-use-of-CRLs.-I%27m-still-able-to-access-a-site-although-the-certificate-is-revoked.-tf3169634.html#a8808160

Re: A problem with the use of CRLs. I'm still able to access a site although the certificate is revoked.

2007-02-04 Thread Goetz Babin-Ebell
domi wrote: > Hello all together, Hello Domi, > I’m not quite sure where to post my question because I wasn’t able to locate > my fault. So I’ll post my question in the OpenSSL-user forum and in the > Apache http server-users forum. A similar post in

A problem with the use of CRLs. I'm still able to access a site although the certificate is revoked.

2007-02-04 Thread domi
://192.168.0.2 I want to include the use of CRLs. Client certificates are no subject to me. The Apache and OpenSSL work very fine and I’m able to create CRLs and import them into my Firefox. To my problem: When my webserver uses certificates which are revoked (I revoked them) I’m still able to access the

Re: Loading CRLs and certs safely

2006-12-05 Thread Dr. Stephen Henson
On Tue, Dec 05, 2006, Dan Ellis wrote: > Looking at the code of X509_load_cert_crl_file (OpenSSL 0.9.7e), it > seems that it will add any certificates found in the file to the trusted > store, which is undesirable behaviour. > > What, then, is the correct way to load C

Loading CRLs and certs safely

2006-12-05 Thread Dan Ellis
Looking at the code of X509_load_cert_crl_file (OpenSSL 0.9.7e), it seems that it will add any certificates found in the file to the trusted store, which is undesirable behaviour. What, then, is the correct way to load CRLs from a file containing both the CRLs themselves and any non-root

Re: indirect CRLs

2006-04-11 Thread Holger Menzer
anyway (- by using ASN.1 or DER for example). If it's possible, how can it be done? You can create the things using OpenSSL 0.9.9-dev only. They are also displayed correctly. Correctly partitioning the CRLs is down to the user setting the config correctly. The config file format for

Re: indirect CRLs

2006-04-05 Thread Dr. Stephen Henson
it anyway > (- by using ASN.1 or DER for example). > > If it's possible, how can it be done? > You can create the things using OpenSSL 0.9.9-dev only. They are also displayed correctly. Correctly partitioning the CRLs is down to the user setting the config correctly. The confi

indirect CRLs

2006-04-05 Thread Holger Menzer
Hello, is it possible to implement indirect Certificate Revocation Lists with OpenSSL? There is an entry in the man page to x509v3_config [1], saying it cannot currently be set or displayed... But maybe someone hacked it anyway (- by using ASN.1 or DER for example). If it's possible, how can

Requesting CRLs

2005-06-03 Thread Andreas Hoffmann
Hi, I'm trying to verify a certificate-chain including CRLs. To do this I'm pushing all certs (of the type X509) on a STACK_OF(X509) by sk_X509_push(cert_stack, current_cert); the trusted root-CA-cert is in CA_DIR The following code is working fine (in the non-reduced version ;-) ),

Re: Does the verify command line tool check CRLs?

2004-02-17 Thread Dr. Stephen Henson
On Tue, Feb 17, 2004, Nick Burch wrote: > I was wondering if the verify command (eg openssl verify foo.crt) checks > the certificate against CRLs, and if so, how it knows which CRL to use? > > The manual page for verify does list possible CRL related errors. > However, I'v

Does the verify command line tool check CRLs?

2004-02-17 Thread Nick Burch
I was wondering if the verify command (eg openssl verify foo.crt) checks the certificate against CRLs, and if so, how it knows which CRL to use? The manual page for verify does list possible CRL related errors. However, I've run a quick strace against it, and I was unable to see it looking

Re: Keep CRLs up-to-date

2004-01-20 Thread Dr. Stephen Henson
decode and display CRL Number and the data is accessible programmatically. OpenSSL 0.9.8 can also issue CRLs using CRL Number. Steve. -- Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage OpenSSL project core developer and freelance consu

Re: Keep CRLs up-to-date

2004-01-20 Thread Michael Helm
Joseph Bruni writes: > -- call "curl" or "wget" to retrieve the CRL > -- use "openssl crl -nextupdate ..." to extract the update time > -- call "at" to schedule itself to run again in the future. Here are some other things that would be worth taking into consideration. In downloaded crl's: Look f

Re: Keep CRLs up-to-date

2004-01-20 Thread Mark Foster
Arne Jørgensen wrote: Maybe I will finish my code and publish it. Yes, please do! -- => Somedays it's just not worth chewing through the restraints... => Mark Foster http://mark.foster.cc/

Re: Keep CRLs up-to-date

2004-01-20 Thread Arne Jørgensen
Joseph Bruni writes: > Actually, you could probably do this with a few lines of Perl. The > nextupdate field can be read via "openssl crl -nextupdate ...". If you > don't want to leave it running, you could probably schedule it to run > at the appointed time using the "at" comm

Keep CRLs up-to-date

2004-01-13 Thread Arne Jørgensen
I'm using openssl as a command line tool to verify messages from within another program (the Gnus newsreader). I verify messages against a CRL which I have downloaded from the issuer. The "problem" is that new CRLs are issued every 8-12 hours (the nextupdate field, normally they a

Re: Certificate CRLs & X509_V_ERR_UNABLE_TO_GET_CRL

2003-06-25 Thread Dr. Stephen Henson
On Wed, Jun 25, 2003, Lee Dilkie wrote: > > It always assumes that a certificate will have an accessible > > current CRL. As I > > mentioned the absence of a CRLDP extension doesn't > > necessarily mean that the CA > > doesn't issue CRLs: just that it doesn&

RE: Certificate CRLs & X509_V_ERR_UNABLE_TO_GET_CRL

2003-06-25 Thread Lee Dilkie
> It always assumes that a certificate will have an accessible > current CRL. As I > mentioned the absence of a CRLDP extension doesn't > necessarily mean that the CA > doesn't issue CRLs: just that it doesn't give details about > how to download > them in t

Re: Certificate CRLs & X509_V_ERR_UNABLE_TO_GET_CRL

2003-06-25 Thread Dr. Stephen Henson
s reject > certificate without a crl extension, is there any way to know the failure > was due to a missing crl on a certificate with no crl extension? > It always assumes that a certificate will have an accessible current CRL. As I mentioned the absence of a CRLDP extension doesn't nec

How should CRLs be handled by S/MIME clients?

2003-02-27 Thread Jason Haar
e as "the certificate has been revoked - don't trust the contents" I would have expected... I'm still having difficulty getting the crlDistributionPoints to work within the certs, but I know the CRLs within the two systems were up-to-date as I manually installed the CRL (yes, ge

Re: Checking certs against CRLs

2002-07-12 Thread Kiyoshi WATANABE
> Is there some mechanism within the openssl library for checking a > certificate against a CRL? I expected to find a function that would > take a X509 *cert and an X509_CRL *crl as arguments, and give an > indication as to whether the certificate is listed in the CRL. I have > been unable to l

Checking certs against CRLs

2002-07-12 Thread Brad Barfield
Is there some mechanism within the openssl library for checking a certificate against a CRL? I expected to find a function that would take a X509 *cert and an X509_CRL *crl as arguments, and give an indication as to whether the certificate is listed in the CRL. I have been unable to locate any s

CRLs Tutorial in Netscape 7.x

2002-06-18 Thread Averroes
Hi All, A simple tutorial to manage CRLs in Netscape 7.x URL: http://www.medracen.net/pki.php?url=tutorials Comments & suggestions are welcome. #--- Averroes
