Hello Ryan! Thank you very much.
I have added the line in the Certificate Extensions section of my openssl.cnf file:

crlDistributionPoints=URI:http://cert.vrn.ru/crl/main.crl

and then I made some certificates with this extension. Such certificates have the following value of CRL Distribution Points:

[1]CRL Distribution Point
     Distribution Point Name:
          Full Name:
               URL=http://cert.vrn.ru/crl/main.crl

I suppose it's ok at this step. But the next step... It's not clear to me. MS Outlook Express tries to check if the certificate has been revoked or not, but it says "The digital ID has not been revoked or revocation information for this certificate could not be determined."

The CRL has been made with the following command:

openssl ca -gencrl -out crl.pem -config openssl.cnf -passin pass:****

Then I copied the crl.pem file into the appropriate directory of my web server and renamed it to main.crl. I made a certificate, then revoked it for testing, and then made a CRL as I wrote above. Have I made a mistake? Why does MS Outlook Express not tell me that the certificate has been revoked?

Yours sincerely,
Valery
E-mail: [EMAIL PROTECTED]

----- Original Message -----
From: "Ryan Hurst" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, September 26, 2001 10:15 PM
Subject: RE: Please help me!

> Valery --
>
> This field in a certificate points to where the issuer will make its
> certificate revocation list available. If you are using OpenSSL or OpenCA
> (based off of OpenSSL) to issue your certificates you will probably want to
> put up a web server or LDAP-capable directory where you can make your
> certificate revocation list available; refer to the absolute URL for this
> list in this extension. You may also want to include an AIA
> (authorityInformationAccess) extension as well; this can point to an OCSP
> responder capable of responding with individual certificate statuses.
>
> The Microsoft platform implements its revocation handling in a library
> called cryptnet.dll; this supports all the transports that WinInet supports
> (http/s, ftp, ldap/s, file). When CryptoAPI applications use
> revocation checking (Outlook can be configured to do this and in Office XP
> it is the default behavior), cryptnet will attempt to retrieve the CRL
> specified in this extension and use it for revocation checking. There are
> also alternate revocation providers available on Windows that implement
> additional protocols (OCSP, SCVP, CRL, CRLdp); ValiCert produces one such
> provider.
>
> I hope this helps.
>
> Ryan
>
> -----Original Message-----
> From: Valery [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, September 26, 2001 1:12 AM
> To: [EMAIL PROTECTED]
> Subject: Please help me!
>
> Hello!
> I used the certificate extension "crlDistributionPoints" in my openssl.cnf
> file.
> And I faced the following problem.
>
> What should I indicate in this field (crlDistributionPoints)?
>
> I need MS Outlook Express to check if the certificate has been revoked or
> not when it is on-line. What do I need to do?
>
> Yours faithfully,
> Valery
> E-mail: [EMAIL PROTECTED]
>

______________________________________________________________________
OpenSSL Project                                     http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
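The script below is an added example, not code from this thread or from the OpenSSL project. It walks through the setup Valery describes (a crlDistributionPoints extension in openssl.cnf, a revoked certificate, a CRL from `openssl ca -gencrl`) against a throwaway CA in a temporary directory, and at each stage asks OpenSSL itself, via `openssl verify -crl_check`, whether the certificate is revoked. That is the check to run before blaming the mail client: if OpenSSL does not see the serial in the CRL, no client will. The CA name, the "Valery Test User" subject and the file names are placeholders; the URL from the thread is used only as a label and is never fetched. The final step also writes the CRL in DER form, which is the encoding Windows CryptoAPI clients expect to find at the distribution point (PEM, as written by `openssl ca -gencrl`, is not what they download).

```shell
#!/bin/sh
# Added example (not from this thread): throwaway CA, one certificate with a
# crlDistributionPoints extension, CRL before and after revocation, and
# OpenSSL's own verdict at each stage. Names and paths are placeholders.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CDP_URL="http://cert.vrn.ru/crl/main.crl"   # copied from the thread; label only
cd "$WORK"

# Minimal openssl.cnf for "openssl ca"; usr_cert carries the distribution point.
mkdir -p ca/newcerts
: > ca/index.txt
echo 1000 > ca/serial
echo 1000 > ca/crlnumber
cat > openssl.cnf <<EOF
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir = $WORK/ca
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
serial = \$dir/serial
crlnumber = \$dir/crlnumber
certificate = \$dir/cacert.pem
private_key = \$dir/cakey.pem
default_md = sha256
default_days = 365
default_crl_days = 7
policy = demo_policy
x509_extensions = usr_cert
[ demo_policy ]
commonName = supplied
[ usr_cert ]
basicConstraints = CA:FALSE
crlDistributionPoints = URI:$CDP_URL
[ req ]
prompt = no
distinguished_name = req_dn
x509_extensions = ca_ext
[ req_dn ]
CN = placeholder
[ ca_ext ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF

# Revocation status of user.pem as OpenSSL sees it; $1 is a PEM CRL, or empty for none.
check_status() {
  crl_opt=""
  if [ -n "$1" ]; then crl_opt="-CRLfile $1"; fi
  out=$(openssl verify -CAfile ca/cacert.pem -crl_check $crl_opt user.pem 2>&1 || true)
  case "$out" in
    *"certificate revoked"*)           echo revoked ;;
    *"unable to get certificate CRL"*) echo no-crl ;;
    *": OK"*)                          echo ok ;;
    *)                                 echo other ;;
  esac
}

# The distribution point URI actually embedded in the issued certificate.
cert_cdp_url() {
  openssl x509 -in user.pem -noout -text | sed -n 's/.*URI:\(.*\)$/\1/p'
}

# Succeeds only when the CRL lists the certificate's serial number.
crl_lists_cert() {
  serial=$(openssl x509 -in user.pem -noout -serial | cut -d= -f2)
  openssl crl -in crl.pem -noout -text | grep -q "Serial Number: $serial"
}

# Regenerate the CRL (PEM) and the DER copy a Windows client expects to download.
publish_crl() {
  openssl ca -config openssl.cnf -gencrl -out crl.pem >/dev/null 2>&1
  openssl crl -in crl.pem -outform DER -out main.crl
}

# 1. CA key/cert and one end-entity certificate carrying the extension.
openssl req -x509 -newkey rsa:2048 -nodes -keyout ca/cakey.pem -out ca/cacert.pem \
  -days 365 -config openssl.cnf -subj "/CN=Demo CA" >/dev/null 2>&1
openssl req -newkey rsa:2048 -nodes -keyout user.key -out user.csr \
  -config openssl.cnf -subj "/CN=Valery Test User" >/dev/null 2>&1
openssl ca -batch -notext -config openssl.cnf -in user.csr -out user.pem >/dev/null 2>&1
echo "CDP in certificate:  $(cert_cdp_url)"

# 2. No CRL at all: with -crl_check OpenSSL fails closed rather than guessing.
STATUS_NO_CRL=$(check_status "")
echo "status without CRL:  $STATUS_NO_CRL"

# 3. Empty CRL published: the certificate is still good.
publish_crl
STATUS_EMPTY_CRL=$(check_status crl.pem)
echo "status, empty CRL:   $STATUS_EMPTY_CRL"

# 4. Revoke and republish: only now does the CRL carry the serial.
openssl ca -config openssl.cnf -revoke user.pem -crl_reason keyCompromise >/dev/null 2>&1
publish_crl
STATUS_REVOKED=$(check_status crl.pem)
echo "status after revoke: $STATUS_REVOKED"
openssl crl -in crl.pem -noout -nextupdate   # a client that cached the CRL keeps it until then
```

Two things the run makes visible: a CRL generated before the `-revoke` step is simply empty, so the order "revoke, then -gencrl, then copy" matters; and a client that already fetched a CRL is entitled to keep using it until its nextUpdate, so a freshly published CRL may not change what it reports until that time passes (or its cache is cleared).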