Hello:

I am testing CRL check behaviors using apache_1.3.12 plus mod_ssl-2.6.4 plus openssl-0.9.5a. I have tested three CRLs issued by three different CAs: Windows2000 Enterprise CA, CMS4.1 and another CA. Although successful with the Windows2000 Enterprise CA CRL, I always get the "CRL signature failure" error message when checking the two other CAs' CRLs. All the CRLs are in the version 2 format and their details are shown below.

1. Windows2000 Enterprise CA CRL (checking is successful with this one)

   Certificate Revocation List (CRL):
           Version 2 (0x1)
           Signature Algorithm: sha1WithRSAEncryption
           Issuer: /Email=**/C=**/ST=**/L=**/O=**/OU=**/CN=**
           Last Update: Jun 5 07:26:40 2000 GMT
           Next Update: Jun 5 09:01:40 2000 GMT
           CRL extensions:
               X509v3 Authority Key Identifier:
                   keyid:5F:BD:4E:7A:57:87:FC:9F:7E:F6:F3:DA:36:8E:C6:17:F2:FD:3A:40
               1.3.6.1.4.1.311.21.1:
   Revoked Certificates:
       Serial Number: 01270EC80000000007FA
           Revocation Date: Jun 5 07:36:11 2000 GMT
   ...

2. CMS4.1 CRL (checking fails)

   Certificate Revocation List (CRL):
           Version 2 (0x1)
           Signature Algorithm: sha1WithRSAEncryption
           Issuer: /C=**/ST=**/L**/O=**/OU=**/CN=**
           Last Update: Jun 5 08:25:33 2000 GMT
           Next Update: Jun 5 10:25:33 2000 GMT
   Revoked Certificates:
       Serial Number: 05
           Revocation Date: May 17 11:07:13 2000 GMT
           CRL Reason Code: Unspecified
   ...

3. Another CA CRL (checking fails)

   Certificate Revocation List (CRL):
           Version 2 (0x1)
           Signature Algorithm: sha1WithRSAEncryption
           Issuer: /C=**/O=**/CN=**
           Last Update: May 8 16:00:03 2000 GMT
           Next Update: Jun 7 16:00:00 2000 GMT
   Revoked Certificates:
       Serial Number: 3BB6B4DF00000003
           Revocation Date: Nov 17 09:20:45 1999 GMT
   ...

As shown above, the successfully checked W2K CRL has a CRL extensions setting, X509v3 Authority Key Identifier, which the other two CAs' CRLs do not have. When checking v2 CRLs with openssl (X509_CRL_verify), is it necessary to set at least one CRL extension? Or is the specific Authority Key Identifier extension critical? Or is there anything else that causes the "CRL signature failure"?

Any information would help me.

Thank you,
Tatsuya Yoshida

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
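As an added illustration, not part of the original post or of OpenSSL's own sources, the script below builds throwaway CAs and shows what the openssl crl -CAfile command (which calls X509_CRL_verify underneath) reports for a v2 CRL that carries no Authority Key Identifier at all: the outcome depends only on finding a certificate with the CRL's issuer name and on whether that certificate's key signed the CRL, not on which extensions are present. It assumes a POSIX shell with the openssl command line tool on PATH; the CA names and file names are constructed for the demonstration.

```shell
# Added example, not from the original post: two throwaway CAs share the subject
# name "/CN=Test CA" but have different keys; the CRL is signed by one of them.
set -eu
work=$(mktemp -d); cd "$work"; trap 'rm -rf "$work"' EXIT

make_ca() {  # $1 = file prefix, $2 = optional subject (default: the shared name)
  printf '[ req ]\ndistinguished_name = dn\n[ dn ]\ncommonName = Common Name\n' > req.cnf
  openssl req -x509 -config req.cnf -newkey rsa:2048 -nodes -keyout "$1.key" \
    -out "$1.crt" -subj "${2:-/CN=Test CA}" -days 30 2>/dev/null
}

make_crl() {  # $1 = CA prefix; crlnumber alone makes a v2 CRL with no AKI, like the failing ones in the post
  : > "$1.index"; echo 01 > "$1.crlnum"; echo 01 > "$1.srl"
  cat > "$1.ca.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
database = $1.index
serial = $1.srl
certificate = $1.crt
private_key = $1.key
crlnumber = $1.crlnum
default_md = sha256
default_crl_days = 30
EOF
  openssl ca -config "$1.ca.cnf" -gencrl -out "$1.crl" 2>/dev/null
}

# openssl crl -CAfile picks the issuer certificate by the CRL's issuer NAME, then
# calls X509_CRL_verify with its key. Echoes: OK, signature-failure, issuer-not-found.
crl_verify() {  # $1 = CRL file, $2 = candidate issuer certificate
  out=$(openssl crl -in "$1" -CAfile "$2" -noout 2>&1 || true)
  case "$out" in
    *"verify OK"*)          echo OK ;;
    *"verify failure"*)     echo signature-failure ;;
    *"issuer certificate"*) echo issuer-not-found ;;
    *)                      echo "error: $out" ;;
  esac
}

make_ca good; make_ca samename; make_ca other "/CN=Other CA"; make_crl good
crl_verify good.crl good.crt      # OK: issuer name and key both match
crl_verify good.crl samename.crt  # signature-failure: right name, wrong key
crl_verify good.crl other.crt     # issuer-not-found: name does not match
```

The second case is the one that produces a bare signature failure: a CA certificate whose subject matches the CRL issuer but whose key is not the one that signed the CRL, which is what a re-keyed CA or a mismatched CA certificate file in SSLCACertificatePath looks like to the verifier.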