On Wed, Jun 04, 2003, David Kramer wrote:
> I'm trying to use CRLs but my server is not rejecting certificates that
> are (supposed to be) in my CRL. I'd appreciate any advice that people
> might have.
>
> The Questions:
> --------------
> 1) Is there any way to validate what's in a CRL? Something akin to
> openssl x509 -text, for CRLs would be awesome.
> 2) Why is OpenSSL not seeing revoked certificates in my CRL?
>
> The Background:
> ---------------
> I create a CRL using:
>
> openssl ca -gencrl -out crl2.pem -revoke client1.pem
>
> I then use c_rehash to generate the symbolic links to my CA file and CRL.
>
> In my server I set the CA cert SSL_CTX_set_client_CA_list(),
> SSL_CTX_load_verify_locations. I call SSL_CTX_set_verify() and then set
> the CRL bits using:
>
> X509_STORE_set_flags(store,
> X509_V_FLAG_CRL_CHECK|X509_V_FLAG_CRL_CHECK_ALL);
>
Try two separate commands:

openssl ca -revoke xxx
openssl ca -gencrl -out crl.pem

and use:

openssl crl -in crl.pem -text

to see what's in the CRL.

Steve.
--
Dr Stephen N. Henson. Core developer of the OpenSSL project: http://www.openssl.org/
Freelance consultant see: http://www.drh-consultancy.demon.co.uk/
Email: [EMAIL PROTECTED], PGP key: via homepage.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                       [EMAIL PROTECTED]
Automated List Manager                          [EMAIL PROTECTED]