It is understood that if CRL check is set but CRL file is not included, openSSL
will report ERR(3).
What happens, if we have a 3-tier CAs and the CRL from the middle tier is not
included. Will openSSL report error, with the setting of
X509_V_FLAG_CRL_CHECK_ALL?
- rosect190
Hi all !
I don't anderstand how CRL are verified, someone can explain me a little
please.
CRL are not included in the certificate but a link to the CRL is
included in the certificate issuer, no ?
If a certificate contains a link, how the pointed CRL is verified ?
TIA
Frédéric.
CRLs are signed by the CA certificate whose subsidiary certificates
are mentioned (or not) in the CRL. So a CRL is verified just like
any other signed document. You need any certificates in the chain,
which may or may not be supplied along with the CRL, see PKCS#7
format and/or the
openssl
After revoking the certificate, you didnt generate the CRL file.
First generate the CRL file and then ckeck.
cheers,
Ravi Prakash B.V.
On Wed, 17 Oct 2001, Juan Carlos Albores Aguilar wrote:
Hi, i'm using openssl and i've created my own CA so i can sign certificates,
revocate them and
Hi, i'm using openssl and i've created my own CA so
i can sign certificates, revocate them and everything, my question is when i
revoke a certificate and i watch the no encrypted form of my crl file, it says
no certificates revoked, however in the records of the certificates signed, it
does
Does anyone know an SSL routine
which extracts the CRL url from a
certificate.pem ?
Thanks in advance
regards
marco nardelli
__
OpenSSL Project http://www.openssl.org
User Support Mailing List
Ah yes, getting confused.
rather, the cgi should check the crl whether that serial is revoked.
On Mon, 30 Aug 1999, Michael Ströder wrote:
ssl wrote:
below the cert info, you'll see the "Check Certificate Status" button,
[..]
By this method, the cert must have "nsRevocationUrl"
ssl wrote:
On Mon, 30 Aug 1999, Michael Ströder wrote:
ssl wrote:
below the cert info, you'll see the "Check Certificate Status" button,
[..]
By this method, the cert must have "nsRevocationUrl" pointing
to a cgi to check it.
This on-line certificate validation has