Hello,
How-To-Repeat:
Create a config file for SSL certificates that declares to use the
x509_extensions crlDistributionPoints with a URL target.
Generate a certificate against this config, there should be the CRL options
declared.
As far as I can see, the problem is this: your crldp URI contains an IP
address and you run into a check that the host component is not an IP
address:
https://github.com/openbsd/src/blob/master/lib/libcrypto/x509/x509_constraints.c#L52
That's right, I tried with a FQDN and it was much happier.
Quite nasty that a behavior not supposed to work did work until one day
someone finally fixes it, quite confusing.
Another trouble I found, maybe it's my conf again(?) is that I am unable
to use a section to call out to define common options for
x509extensions. Example, this does not work:
[ ca ]
default_ca = Domain-CA

[ Domain-CA ]
...
x509_extensions = common_options

[ common_options ]
crlDistributionPoints = URI:http://my_machine_fqdn/crl/root.crl
nsComment = "Generated Certificate for Company"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer